pft
New Contributor II

FGT 60B IPSec Routing

Hi, I've a strange problem with a FGT 60B and routing through an IPSec VPN. We have a cluster of two FGT110C where several FGT 50B connect through IPSec tunnels. Now I've a FGT 60B which should also be connected by IPSec. Everything works fine so far. The tunnel comes up and clients behind the FGT 60B can connect through the tunnel. The problem is that the FGT 60B itself could not connect through the tunnel. It seems that it's trying to route the traffic through the wan port and not through the virtual VPN port. So the FGT cannot connect to FortiAnalyzer or internal DNS servers. I tried it with exactly the same firmware and config on a FGT 50B and it's working there. I've a second FGT 60B here that has the same problem. I already tried a factory reset and reconfig but without luck.

- Firmware is 4.0 MR2 P6 - tried also P7 and P9 (FGT 110Cs are 4.0 MR2 P7)
- IPSec interface mode
- two routing entries - one host route to the FGT 110C through WAN port, one default route through VPN interface

Now I'm out of ideas and need help.
ede_pfau
SuperUser

At least in 4.3 you can specify the egress IP addresses for SNMP, FAZ etc. You'd have to use an address from the range the VPN is configured to transport. To some lesser extent even 4.2 offers to specify egress IP addresses. See Release Notes/What's New documents for details.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Delta
New Contributor

If you're using interface-based IPsec VPN, then, on the 60B go to Interface and edit the VPN interface and you will see a space for entries for IP and Remote IP which default to 0.0.0.0 & 0.0.0.0 respectively. Put a local IP address in IP and your remote gateway in Remote IP and the firewall should then be able to figure out how to route the traffic. You don't need to do anything on the other end if it isn't a 60B as this seems to be an oddness unique to this model.
Thought for the day: Advertising (n): the science of arresting the human intelligence for long enough to get money from it. -- Stephen Leacock.
asantanna
New Contributor

I have the same problem:

- 1 - FGT 60C in Central Office
- 1 - FGT 60C in Office 1
- 3 - FGT 30B in Small Offices
- 1 - Analyzer 100C in Central Office

Using route-based IPsec VPN (same configuration in all of them), all 30Bs connect with my Analyzer just fine, but with the 60C in Office 1, I can't reach my Analyzer. I've tried everything but nothing worked, even with the latest firmware MR3 Patch5. Probably a bug of FGT 60C.
pft
New Contributor II

I tried the IP address for local and remote IP in the IPsec interface settings but it doesn't work as well. Packet sniffer on the 60B shows the IPsec interface IP trying to connect to FA but packet sniffer on the 110C shows no traffic.