We are using IPsec over a Metro Ethernet connection. This connection provides no Internet service, only service to HQ. The goal is to send all traffic across the tunnel. Now I've found a solution but I don't know why it works... One default route is created by DHCP for WAN1 and given distance 5. Still I want to use the tunnel for everything, except IPsec traffic itself obviously! Apparently I have to use the same distance for a second default route (the one across the tunnel) or everything breaks (it sends everything across the tunnel or to wan).
Additionally in order to distinguish both default routes I have: 1) dropped priority (not distance) of default route set by DHCP of wan1 to 3 (instead of 0) 2) specified a second default route 0.0.0.0/0 -> VPN_HQ (the tunnel interface) with priority 0 (hence making it the boss) The kernel routing table, and therefore also route cache now look like this: tab=254 vf=1 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=0.0.0.0 dev=34(VPN_HQ) tab=254 vf=1 scope=0 type=1 proto=11 prio=3 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.178.1 dev=5(wan1) It does what I want it to do. However I don't really understand how it knows that the outer-tunnel traffic should use wan1, while the inner-tunnel traffic uses VPN_HQ.
I would like to exclude that the fact that it is working is a bug. Or some side-effect which will make my life miserable in the future, like a ticking timebomb. In any case I haven't found any documents that would describe how to (correctly) create the setup that we desire... Any enlightenment on this matter is very welcome. Thanks, Marki
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.