I want this particular ip range to be added into static route via vpn tunnel.
How do I do this?
A routing table can't have a "range of IPs"; routes have to be subnets. If you have to set routes to cover exactly that range, you have to chop it up into multiple subnets:
10.212.134.200/29
10.212.134.208/28
10.212.134.224/28
So three static routes. But why do you need it to be exactly that range? You can either change the SSL VPN client IP range (I'm assuming that's the purpose of this range) to be bigger or smaller so that it fits within one subnet boundary, or just route 10.212.134.128/25 if the rest is not used.
Toshi
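The range-versus-subnet point above can be checked mechanically. The following is an added example, not code from this thread or from Fortinet: it splits an inclusive IPv4 range into the minimal set of CIDR prefixes (one static route each), finds the smallest single prefix that covers the whole range (the "just route a bigger subnet" option), checks that a candidate destination is a proper network address, and renders FortiOS static-route entries for the result. The range is the one from the question; the tunnel interface name is a placeholder, and the rendering assumes the standard `config router static` / `set dst` / `set device` keywords.

```python
import ipaddress

# Constructed input for this example: the inclusive range from the question.
RANGE_FIRST = "10.212.134.200"
RANGE_LAST = "10.212.134.240"


def range_to_prefixes(first: str, last: str) -> list[str]:
    """Split an inclusive IPv4 range into the smallest set of CIDR prefixes.

    Each prefix is a valid routing-table destination (host bits all zero),
    so one static route per returned prefix covers exactly the range.
    """
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def covering_prefix(first: str, last: str) -> str:
    """Smallest single prefix that contains the whole range.

    Suitable when one static route is acceptable and the extra addresses
    inside the prefix are not used elsewhere.
    """
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for prefixlen in range(32, -1, -1):
        net = ipaddress.IPv4Network(f"{start}/{prefixlen}", strict=False)
        if end in net:
            return str(net)
    raise AssertionError("unreachable: 0.0.0.0/0 contains every address")


def is_valid_route_destination(prefix: str) -> bool:
    """True if the prefix is a proper network address (no host bits set)."""
    try:
        ipaddress.IPv4Network(prefix, strict=True)
        return True
    except ValueError:
        return False


def fortios_static_routes(prefixes: list[str], device: str) -> str:
    """Render FortiOS 'config router static' entries for the prefixes.

    'device' is the outgoing interface (here the VPN tunnel); the name
    passed by the caller is a placeholder, not one from the thread.
    'edit 0' lets FortiOS pick the next free route id.
    """
    lines = ["config router static"]
    for prefix in prefixes:
        net = ipaddress.IPv4Network(prefix)
        lines += [
            "    edit 0",
            f"        set dst {net.network_address} {net.netmask}",
            f'        set device "{device}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    exact = range_to_prefixes(RANGE_FIRST, RANGE_LAST)
    print("exact prefixes:", exact)
    print("single covering prefix:", covering_prefix(RANGE_FIRST, RANGE_LAST))
    print(fortios_static_routes(exact, "vpn-tunnel-placeholder"))
```

Run as-is, the exact split of 10.212.134.200-240 inclusive yields .200/29, .208/28, .224/28 and .240/32 (the last address sits on a /28 boundary, so it needs its own host route), and the smallest single prefix that covers the whole range is 10.212.134.192/26. Whichever form is used, the same subnets must appear in the phase 2 selectors and the firewall policy, or the route alone will not carry traffic.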
For this range (10.212.134.200-240) I added 10.212.134.0/24 as the subnet for the static route to the remote VPN tunnel.
Why didn't it work?
In your VPN phase 2 config, make sure you have entered the local and remote subnets that will communicate.
Created on 01-21-2024 06:12 AM Edited on 01-21-2024 06:13 AM
Hello @BusinessUser ,
Thank you for contacting the Fortinet Forum portal.
The range you chose, 10.212.134.0/24, is correct for the static route, but you have to make sure it is also added to the phase 2 selector and to the firewall policy.
- To verify routing, I would recommend checking with the command below; if there is a duplicate entry for another remote IP, we can see which route is preferred from the routing perspective.
get router info routing-table details x.x.x.x [remote ip address which you are trying to reach for testing]
- If you still have issues after the route is pointing properly, collect debug logs:
# diagnose debug reset
# diagnose debug flow trace stop
# diagnose debug flow filter clear
# diagnose debug flow filter addr [source addr] [destination-addr] and
# diagnose debug flow filter proto 1
# diagnose debug flow show function-name enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 999
# diagnose debug enable
# diagnose debug disable ---- to stop debug
Best regards,
Manasa.
If you feel the above steps helped to resolve the issue, mark the reply as solved so that other customers can find it easily when searching for similar scenarios.
If you are using a named address object for 10.212.134.0/24, make sure to enable the allow-routing option, which makes this address object selectable in the static route's named address field.
config firewall address
    edit <address_name>
        set allow-routing enable
end
Regards,
Sonali
Copyright 2024 Fortinet, Inc. All Rights Reserved.