Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SprinteR
New Contributor II

Created on ‎08-09-2023 05:22 AM Edited on ‎08-09-2023 07:09 AM

Fortigate static route on the GRE over IPSEC

Hello, We have configured several VPN tunnels between our HQ and Branches. In configuration we see that our Branches WAN IP address is recognized be our Fortigate as a Static Route directed to IPSEC interface. Is it normal behavior and if it is possible to change it?

ipsec.png

 

FortiGate 

Oleksandr Pikulskyi
Oleksandr Pikulskyi
Labels:
1179
0 Kudos
1 Solution
SprinteR
New Contributor II

Created on ‎08-12-2023 06:09 AM

Hi all, the issue has been resolved with the help of PBR.

Oleksandr Pikulskyi

View solution in original post

Oleksandr Pikulskyi
1069
0 Kudos
6 REPLIES 6
spoojary
Staff
Staff

Created on ‎08-09-2023 07:05 AM

Yes, it's normal for firewalls like Fortigate to automatically set up static routes for VPN tunnels based on the WAN IP addresses of your branches. This ensures traffic is properly encrypted and sent through the VPN. You can usually modify or override these routes through your firewall's management interface, but be cautious as changes can affect network connectivity.

Siddhanth Poojary
1163
0 Kudos
SprinteR
New Contributor II

Created on ‎08-09-2023 07:34 AM

@spoojary  Hi, thanks for the reply. But I tried to set up one office via a static route towards the WAN. Yes, it overwritten the route, but the connection is lost. Tunnel UP, but traffic stops going.

Oleksandr Pikulskyi
Oleksandr Pikulskyi
1150
0 Kudos
spoojary
Staff
Staff

Created on ‎08-09-2023 07:45 AM

check the ad distance between wan and ipsec as well as priority on the static route. make it the same and try.

Siddhanth Poojary
1144
0 Kudos
SprinteR
New Contributor II

Created on ‎08-09-2023 09:31 AM

@spoojary  I checked, with the same metrics, recursive routing is obtained and the route in the WAN does not always win. 

 

ipsec.jpg

Oleksandr Pikulskyi
Oleksandr Pikulskyi
1138
0 Kudos
SprinteR
New Contributor II

Created on ‎08-10-2023 09:47 AM

@spoojary Hi, any other ideas? Or workaround solutions ? The task is simple, it is impossible to check the internet channel by zabbix, because it is blocked by tunnel static.

Oleksandr Pikulskyi
Oleksandr Pikulskyi
1103
0 Kudos
SprinteR
New Contributor II

Created on ‎08-12-2023 06:09 AM

Hi all, the issue has been resolved with the help of PBR.

Oleksandr Pikulskyi
Oleksandr Pikulskyi
1070
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.