Hi !
I have a strange behaviour with dial-up VPN. I have an HQ Fortigate with these interfaces configured:
port1 : 172.15.1.1/24
dmz : 172.18.1.1/24
I have a Fortigate Client connected with dial-up VPN to this HQ. When I execute a traceroute on this Fortigate Client to reach, for example, a server behind my HQ Fortigate with IP 172.15.1.218, the result is shown like this:
traceroute to 172.15.1.218 (172.15.1.218), 32 hops max, 3 probe packets per hop, 84 byte packets
1 172.18.1.1 4.866 ms 5.031 ms 5.181 ms
2 1172.15.1.218 5.355 ms 4.989 ms 4.527 ms
Why is the dmz interface IP in the path? Is this normal behaviour?
Thanks
Hi,
The IPsec tunnel interface is unnumbered by default.
Meaning it does not have an IP address unless you add it manually.
When you do a traceroute, the FG has to reply with an IP. And if the tunnel interface does not have an IP, it picks an IP of another interface (mostly the one with the lowest index) and replies with that IP address. So what you are seeing is normal behaviour.
Hi Sachin,
Thanks for the explanation. This means that I need to add an IP to my dial-up tunnel, or I can leave it unnumbered.
Thanks
Hi,
I was only explaining the behaviour as to why FG shows the DMZ IP in the traceroute.
You can leave it unnumbered or add an IP.
In case you need to use a dynamic routing protocol on the IPsec tunnel interface you need to have the tunnel interface IP added. When it comes to traceroute, it really doesn't matter I guess and depends on your choice.
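As an added illustration (not configuration posted by anyone in this thread), this is what numbering the dial-up tunnel interface looks like in the FortiOS CLI on the HQ side, followed by the commands to confirm the address and re-run the traceroute. The interface name "dialup-hq" and the 10.255.255.x/32 addresses are constructed placeholders; use the name of your own phase1 tunnel and an address pair that does not overlap any routed subnet.

```fortios
# Added example: give the IPsec tunnel interface its own address so that
# ICMP replies (e.g. traceroute "time exceeded") are sourced from it
# instead of being borrowed from another interface such as dmz.
# "dialup-hq" and the 10.255.255.x addresses are assumed values.
config system interface
    edit "dialup-hq"
        # local address of the tunnel interface (host route, /32)
        set ip 10.255.255.1 255.255.255.255
        # address expected on the far end of the tunnel
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# Verify the tunnel interface now carries an address
diagnose ip address list

# Repeat the test from the FortiGate client side; hop 1 should now show
# 10.255.255.1 rather than the dmz address 172.18.1.1
execute traceroute 172.15.1.218
```

Leaving the interface unnumbered is still a valid choice, as the reply above says; adding the address only changes which IP the HQ FortiGate answers from and is required when a routing protocol such as OSPF or BGP is to peer across the tunnel.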
Ok nice! Thanks
Copyright 2024 Fortinet, Inc. All Rights Reserved.