Fortigate IPsec Tunnel Up, Some Subnets Are Not Routed Through
I have a relatively simple setup with two Fortigates directly peering with IPsec over the Internet. I have two subnets on my primary site, configured as subinterfaces, and one subnet on my secondary site (also subinterface).
In order to configure the Phase 2, I created a group of objects containing my two subnets and used Named Addresses on both firewalls.
One subnet from the primary site (let's call it 192.168.1.0/24) can reach the remote site properly and vice-versa. However, the other subnet from my primary site (let's call it 172.16.1.0/24) cannot reach the remote site. Pings from the remote site to both main subnets are working.
From the Forward Traffic log, I can see that the subnet that is not working is not actually using the ACL towards the tunnel, rather it goes through the WAN link, as if it was not using the route I specified in the Phase 2.
I have static routes on both firewalls to allow the communication (two routes on the remote firewall pointing to the VPN's IP, and one route on the main site pointing towards the other side of the VPN).
I have 0 ACL drops on my default rule and have no other drop rules. NAT is deactivated on the rules managing the traffic between the sites. I have tried Policy Routing, creating multiple Phase 2s, removing the working subnet from the Phase 2 and leaving only the broken one; it never goes through the VPN interface.
Any help is welcome, I'll be glad to answer your questions.
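Added example, not taken from the thread: a FortiOS CLI configuration of the kind the post describes (a route-based tunnel whose phase 2 uses an address group for the two primary-site subnets), followed by the checks that show whether a packet from the second subnet is actually routed into the tunnel. The remote subnet 10.0.0.0/24, the tunnel name to-site2 and the object names are assumed; on a route-based tunnel the egress interface is chosen by the routing table and the matching policy, the phase 2 selectors only decide which traffic the SA will carry once the packet reaches the tunnel interface.

```fortios
# --- primary-site firewall (assumed object names) ---
config firewall address
    edit "site1-lan1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "site1-lan2"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "site2-lan"
        set subnet 10.0.0.0 255.255.255.0   # assumed remote subnet
    next
end
config firewall addrgrp
    edit "site1-lans"
        set member "site1-lan1" "site1-lan2"
    next
end
config vpn ipsec phase2-interface
    edit "to-site2-p2"
        set phase1name "to-site2"
        set src-addr-type name
        set src-name "site1-lans"        # both local subnets as selector sources
        set dst-addr-type name
        set dst-name "site2-lan"
    next
end
config router static
    edit 10
        set dst 10.0.0.0 255.255.255.0
        set device "to-site2"            # route to the remote LAN via the tunnel interface
    next
end

# --- checks, run from the primary-site CLI ---
# 1. Which route wins for a remote host? The egress device must be the tunnel, not the WAN port.
get router info routing-table details 10.0.0.10
# 2. Are selectors for BOTH local subnets present on the tunnel, and is the 172.16.1.0/24 SA up?
diagnose vpn tunnel list name to-site2
# 3. Trace one flow from the broken subnet to see the route and policy the firewall picks.
diagnose debug flow filter saddr 172.16.1.10
diagnose debug flow filter daddr 10.0.0.10
diagnose debug flow trace start 10
diagnose debug enable
# (generate a ping from 172.16.1.10 to 10.0.0.10, then stop the trace)
diagnose debug disable
diagnose debug flow trace stop
```

If the flow trace reports the WAN port as the outgoing interface even though step 1 shows the tunnel, a policy route or a more specific route is overriding the static route; if the selector for 172.16.1.0/24 is missing from step 2, the remote peer's phase 2 does not include it.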
Hi @alif, both subnets are allowed in the security policies. As I mentioned, the traffic is not going through the VPN as it should (matching other ACL towards WAN/default route) even though the route exists and the destination subnet is configured in the phase 2 for that source.
Can you clarify your phase 2 config? You said you created a group of objects containing two subnets on both firewalls. You have three subnets, though. It's unclear how you've defined your phase 2 here. Can you show the config or explain it clearly?
We are having serious IPSEC routing issues after a 7.0.10 upgrade.
Everything worked like a charm before the 7.0.9 release. After the upgrade we are having problems in phase 2 rekey (I believe). Once in a while the VPN is not working and not communicating toward the other firewall. In the GUI, both phases are green. The only way to make it work again is to manually "bring down" and "bring up" the phase 2, and then it works.