Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zoriax
Contributor II

Dialup VPN : Strange traceroute

Hi ! 

 

I have a strange behaviour with dialup VPN. I have an HQ Fortigate with these interfaces configured:

port1 : 172.15.1.1/24

dmz : 172.18.1.1/24

 

I have a Fortigate Client connected with dial-up VPN to this HQ. When I execute a traceroute on this Fortigate Client to reach, for example, a server behind my HQ Fortigate with IP 172.15.1.218, the result is shown like that:

 

traceroute to 172.15.1.218 (172.15.1.218), 32 hops max, 3 probe packets per hop, 84 byte packets
1 172.18.1.1 4.866 ms 5.031 ms 5.181 ms
2 1172.15.1.218 5.355 ms 4.989 ms 4.527 ms

 

Why is the dmz interface IP in the path? Is it a normal behaviour?

 

Thanks

4 REPLIES
Sachin_Alex_Cherian_

Hi,

The IPsec tunnel interface is unnumbered by default.

Meaning it does not have an IP address unless you add it manually.

When you do a traceroute, the FG has to reply with an IP. And if the tunnel interface does not have an IP, it picks an IP of another interface (mostly the one with the lowest index) and replies with that IP address. So what you are seeing is normal behaviour.

 

 

Regards,
Sachin.
zoriax
Contributor II

Hi Sachin,

 

Thanks for the explanation. This means that I need to add an IP in my dialup tunnel, or I can leave it unnumbered.

 

Thanks

Sachin_Alex_Cherian_

Hi,

I was only explaining the behaviour as to why FG shows the DMZ IP in the traceroute.

You can leave it unnumbered or add an IP.

In case you need to use a dynamic routing protocol on the IPsec tunnel interface you need to have the tunnel interface IP added. When it comes to traceroute, it really doesn't matter I guess and depends on your choice.

 

Regards,
Sachin.
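As an added example (not from the original thread or from Fortinet documentation), this is the FortiOS CLI for the option Sachin describes: giving the hub's dial-up tunnel interface its own address so that ICMP replies (and traceroute hops) are sourced from it instead of from another interface such as dmz. The tunnel name "HQ-dialup" and the 10.255.255.0/30 addresses are assumptions; pick an unused range in your own network.

```fortios
# Assumed: the dial-up phase1-interface on the HQ Fortigate is named "HQ-dialup".
# Before: the tunnel interface is unnumbered, so the hub answers traceroute
# probes with the address of another interface (here the dmz, 172.18.1.1).
config system interface
    edit "HQ-dialup"
        # Hub-side tunnel address (assumed value); must not overlap any
        # existing subnet on the firewall or behind it.
        set ip 10.255.255.1 255.255.255.255
        # Spoke-side address (assumed value); FortiOS requires a remote-ip
        # on a numbered tunnel interface.
        set remote-ip 10.255.255.2 255.255.255.255
        # Allow the tunnel address itself to answer ping/traceroute probes.
        set allowaccess ping
    next
end
```

After this change, the first hop seen from the client should be 10.255.255.1 rather than 172.18.1.1; a dynamic routing protocol (OSPF, BGP) over the tunnel also needs these addresses, as noted above.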
zoriax
Contributor II

Ok nice ! Thanks 
