BusinessUser
Contributor

How do I add this ip range 10.212.134.200-240 in static route

I want this particular ip range to be added into static route via vpn tunnel. 

How do I do this? 

Toshi_Esumi
SuperUser

A routing table can't have a "range of IPs". Entries have to be subnets. If you have to set routes that cover exactly that range, you have to chunk it up into multiple subnets:
10.212.134.200/29
10.212.134.208/28
10.212.134.224/28
So three static routes. But why do you need it to be exactly that range? You can either change the SSL VPN client IP range (I'm assuming that's the purpose of this range) to be bigger or smaller so it fits in one subnet boundary, or just route 10.212.134.128/25 if the rest is not used.

 

Toshi
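As an added illustration of the point above (example code, not part of any reply in this thread and not a Fortinet tool), the script below uses Python's standard `ipaddress` module to split an inclusive address range into the minimal set of CIDR blocks, to find the smallest single prefix that contains the whole range, and to check whether a given list of prefixes (the static routes, a phase 2 selector, or a policy address object) actually reaches every host in the range. The range values are the ones from the question; the candidate prefixes are taken from the thread.

```python
import ipaddress

# Constructed inputs: the range from the original question.
RANGE_FIRST = "10.212.134.200"
RANGE_LAST = "10.212.134.240"


def range_to_subnets(first, last):
    """Minimal list of CIDR networks that exactly cover first..last (inclusive)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def covering_prefix(first, last):
    """Smallest single prefix that contains the whole range.

    This may include hosts outside the range; compare its num_addresses with
    the range size to see how many extra addresses the route would attract."""
    net = ipaddress.ip_network(str(ipaddress.ip_address(first)))  # /32 of first
    last_addr = ipaddress.ip_address(last)
    while last_addr not in net:
        net = net.supernet()  # widen by one bit until the last address fits
    return net


def uncovered_addresses(first, last, prefixes):
    """Addresses in first..last that none of `prefixes` contains.

    Run this against the static routes, the phase 2 selectors and the policy
    address objects: a host that is missing from any one of them will not be
    reachable over the tunnel."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    addr = ipaddress.ip_address(first)
    last_addr = ipaddress.ip_address(last)
    missing = []
    while addr <= last_addr:
        if not any(addr in n for n in nets):
            missing.append(str(addr))
        addr += 1
    return missing


if __name__ == "__main__":
    # Exact cover of the range from the question.
    for n in range_to_subnets(RANGE_FIRST, RANGE_LAST):
        print("exact:", n)
    # Single prefix that would cover it, and how many extra hosts that adds.
    cp = covering_prefix(RANGE_FIRST, RANGE_LAST)
    print("covering prefix:", cp, "extra hosts:", cp.num_addresses - 41)
    # Gap check for the three-route proposal from the thread.
    three = ["10.212.134.200/29", "10.212.134.208/28", "10.212.134.224/28"]
    print("not covered by the three routes:",
          uncovered_addresses(RANGE_FIRST, RANGE_LAST, three))
    # The /24 the asker configured covers everything.
    print("not covered by /24:",
          uncovered_addresses(RANGE_FIRST, RANGE_LAST, ["10.212.134.0/24"]))
```

Running it shows that an exact cover of .200 to .240 needs four blocks (the three above plus .240/32), that the smallest single prefix holding the range is 10.212.134.192/26, and that the three-route list leaves .240 unreached. The same `uncovered_addresses` check, fed with the phase 2 selectors and the policy addresses, is a quick way to confirm that all three places agree before collecting debug logs.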

BusinessUser
Contributor

For this range (10.212.134.200-240) I added 10.212.134.0/24 as the subnet for the static route to the remote VPN tunnel.

Why didn't it work?

AEK

In your VPN phase 2 config, make sure you have entered the local and remote subnets that will communicate.

AEK
mpeddalla

Hello @BusinessUser,

Thank you for contacting the Fortinet Forum portal.

The range you chose, 10.212.134.0/24, is correct for the static route, but you have to make sure it is also added to the phase 2 selector and to the firewall policy.

- To verify routing, I would recommend checking with the command below; if there is a duplicate entry for another remote IP, we can see which route is being preferred from a routing perspective.

 

 get router info routing-table details x.x.x.x  [remote ip address which you are trying to reach for testing]

 

- If you still have issues after the route points properly, collect debug logs:

# diagnose debug reset
# diagnose debug flow trace stop
# diagnose debug flow filter clear
# diagnose debug flow filter addr [source addr] [destination-addr] and
# diagnose debug flow filter proto 1
# diagnose debug flow show function-name enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable

# diagnose debug disable ---- to stop debug

 

article:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPN-is-up-but-network-is-not-r...

 

Best regards,

Manasa.

 

If you feel the above steps helped to resolve the issue, mark the reply as solved so that other customers can find it easily when searching for similar scenarios.

Manasa
SonaMuvv
Staff

If you are using a named address object for 10.212.134.0/24, make sure to enable the allow-routing option, which will list this address object in the static route's named address field.

config firewall address
    edit <address_name>
        set allow-routing enable
    next
end

 

Regards,

Sonali
