antmich
New Contributor

Fortigate IPsec Tunnel Up, Some Subnets Are Not Routed Through

Hello,


I have a relatively simple setup with two Fortigates directly peering with IPsec over the Internet. I have two subnets on my primary site, configured as subinterfaces, and one subnet on my secondary site (also subinterface).


SUB1 --192.168.1.0/24-----\
                           |===VPN===|----SUB3 172.16.2.0/24
SUB2 ---172.16.1.0/24-----/


In order to configure the Phase 2, I created a group of objects containing my two subnets and used Named Addresses on both firewalls.


One subnet from the primary site (let's call it 192.168.1.0/24) can reach the remote site properly and vice-versa. However, the other subnet from my primary site (let's call it 172.16.1.0/24) cannot reach the remote site. Pings from the remote site to both main subnets are working.


From the Forward Traffic log, I can see that the subnet that is not working is not actually using the ACL towards the tunnel, rather it goes through the WAN link, as if it was not using the route I specified in the Phase 2. 


I have static routes on both firewalls to allow the communication (two routes on the remote firewall pointing to the VPN's IP, and one route on the main site pointing towards the other side of the VPN).

I have 0 ACL drops on my default rule and have no other drop rules. NAT is deactivated on the rules managing the traffic between the sites. I have tried Policy Routing, creating multiple Phase 2s, removing the working subnet from the Phase 2 and leaving only the broken one; it never goes through the VPN interface.


Any help is welcome, I'll be glad to answer your questions.

Thank you in advance!

AEK
Honored Contributor

Hi

Check priority and admin distance of the static route. Make sure it has priority over the default gateway.

AEK
antmich
New Contributor

Both priorities are equal. Anyway, if both routes are in the routing table, shouldn't the packet be routed using the longest prefix rule?

Thanks!

alif
Staff

Hi @antmich,


Run debug flow to get an idea of how the traffic is traversing the FortiGate.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...


If one subnet is reachable, check the firewall policy to allow traffic between SUB2 and SUB3.

Regards,
SFA
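As an added illustration (not part of alif's reply or of any Fortinet document), here is the FortiOS CLI sequence a practitioner would run to answer the two questions raised so far: whether the routing table and any policy routes actually send SUB2 traffic to the tunnel interface, and what the debug flow says for a single test flow. The test hosts 172.16.1.10 (in SUB2) and 172.16.2.10 (in SUB3) are constructed placeholders inside the subnets from the diagram; lines starting with # are annotations, not CLI input.

```fortios
# 1. Routing table: the SUB3 prefix must point at the IPsec tunnel interface.
#    The [distance/metric] column is what AEK asked about; a default route
#    with a lower distance cannot win over a more specific prefix, so if the
#    tunnel route is simply missing or inactive, that is the first thing to fix.
get router info routing-table all
get router info routing-table details 172.16.2.10

# 2. Policy routes are evaluated BEFORE the routing table. A policy route
#    matching SUB2 as source with the WAN as outgoing interface explains exactly
#    the symptom described (traffic hitting the WAN policy instead of the VPN).
show router policy

# 3. Phase 2 selectors: the source selector must cover 172.16.1.0/24 and the
#    destination selector 172.16.2.0/24, or the tunnel silently drops the flow.
show vpn ipsec phase2-interface

# 4. Debug flow for one test flow only (filters keep the output readable).
diagnose debug reset
diagnose debug flow filter saddr 172.16.1.10
diagnose debug flow filter daddr 172.16.2.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... now ping 172.16.2.10 from 172.16.1.10 and read the trace:
#    look for the "find a route" line and which interface it names
#    (the tunnel interface vs. the WAN interface), and for the policy id matched.
diagnose debug disable
diagnose debug reset

# 5. Optional cross-check: confirm whether the packets ever appear on the tunnel.
diagnose sniffer packet any 'host 172.16.2.10' 4 0 l
```

The "find a route" and "Allowed by Policy" lines of the trace are the ones to paste back into the thread: together with step 2 they show whether a policy route, the route lookup, or the phase 2 selector is the component steering SUB2 away from the tunnel.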
antmich
New Contributor

Hi @alif, both subnets are allowed in the security policies. As I mentioned, the traffic is not going through the VPN as it should (matching other ACL towards WAN/default route) even though the route exists and the destination subnet is configured in the phase 2 for that source.

alif

If the route is there in the routing table and one subnet is working as expected, it could be some policy route forcing the traffic towards the WAN interface.

Perhaps you can share the debug flow/routing table to have a better idea.

Regards,
SFA
gfleming
Staff

Can you clarify your phase 2 config? You said you created a group of objects containing two subnets on both firewalls. You have three subnets, though. It's unclear how you've defined your phase 2 here. Can you show the config or explain it clearly?

Cheers,
Graham
Belgarioz
New Contributor III

Hello,

May I know your firmware version, please?

We are having serious IPsec routing issues after a 7.0.10 upgrade.

Everything worked like a charm from < 7.0.9 release. After the upgrade we are having problems in phase 2 rekey (I believe).
Once in a while the VPN is not working and not communicating toward the other firewall.
In the GUI, both phases are green.
The only way to make it work again is to manually "bring down" and "bring up" the phase 2 and it works.
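As an added example (not part of Belgarioz's post), this is the CLI sequence used to tell a rekey problem apart from a routing problem when the GUI shows both phases green: it records the firmware version, lists the live SAs and their lifetimes, captures IKE negotiation for one gateway, and performs the same down/up workaround from the CLI so it can be scripted or timed. The tunnel names SiteB-P1 (phase 1) and SiteB-P2 (phase 2) are assumed placeholders; substitute the real names from "show vpn ipsec phase1-interface".

```fortios
# Firmware version (the thread asks for it; SA behaviour is version specific)
get system status

# Live tunnel state: per-SA lifetimes, selectors and packet counters.
# A phase 2 that shows selectors but zero or stale counters after a rekey is
# the pattern to look for before blaming routes.
diagnose vpn tunnel list name SiteB-P1
diagnose vpn ike gateway list name SiteB-P1

# IKE negotiation log for this gateway only (log-filter form used by 7.0.x)
diagnose vpn ike log-filter name SiteB-P1
diagnose debug application ike -1
diagnose debug enable
#    ... wait for the next rekey or reproduce the outage, then stop:
diagnose debug disable
diagnose debug reset

# The manual workaround from the post, done from the CLI:
# argument order is <phase2 name> <phase1 name>
diagnose vpn tunnel down SiteB-P2 SiteB-P1
diagnose vpn tunnel up   SiteB-P2 SiteB-P1
diagnose vpn tunnel list name SiteB-P1
```

If the IKE log shows the rekey completing on one side while the other keeps the old SA, the counters in "diagnose vpn tunnel list" will diverge between the two firewalls; that output, plus "get system status", is what a support case on this symptom needs.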
