IPSEC Tunnel Static Route
Hello All and thanks for the help in advance:
I have two FortiGate firewalls I have inherited and I am in need of some help. At the head-end, I have a 90D and at the remote-end, I have a 90E. The IPSEC tunnel had been created and I am trying to add in a route to a new network at the head end.
So the network looks something like this:
192.168.20.0/24
192.168.1.0/24
-------------------
90D (192.168.1.28)
-------------------
Internet
-------------------
90E (192.168.2.253)
-------------------
192.168.2.0/24
I can get from 192.168.2.0 to 192.168.1.0 with no issues. That was the IPSEC tunnel that was created before. I am trying to add 192.168.20.0
Attached to the 90D, I have a Cisco L3 switch (192.168.1.2) that acts as the router to the 20 network. The Cisco has a default route to the 90D (192.168.1.28). From the 20 network today, I can surf the web, which is out of the 90D, but I cannot get to anything in the 192.168.2.0 network on the other side of the tunnel. Nor can I get from .2 to anything on the .20 network.
Traceroutes from the 192.168.2.0 to the working 1 network shows (from 192.168.2.95 to 192.168.1.250):
Tracing route to 192.168.1.250 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.253
2 35 ms 37 ms 36 ms 192.168.1.28
3 37 ms 36 ms 37 ms 192.168.1.250
Trace complete.
Traceroutes from the 192.168.2.0 to the new 20 network show (from 192.168.2.95 to 192.168.20.53):
Tracing route to 192.168.20.53 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.253
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
I have added a static route to the 90E; I thought that would fix the problem. However, all I can do is tell it that the endpoint is the tunnel, not the router on the other end (192.168.1.2).
Any help would be appreciated.
Thanks again
Did you configure a set of tunnel interface IPs on both ends of the tunnel? Just need to point the static route for .20.0/24 to the remote-ip (as gateway) and specify the tunnel name (as device).
Make sure that the distance is SHORTER than that of the default gateway. Leave it at 10 and you'll get nowhere, usually.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Lowered it, but it made no difference.
Thanks!
Distance 10 shouldn't become a problem unless there is the same prefix/length existing in the routing-table.
What does your routing table look like?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
If the tunnel phase1-name is "tun1" and the remote-ip is 10.0.0.2 like below, you can configure a static route like below.
config system interface
    edit tun1
        set ip 10.0.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.0.0.2 255.255.255.255
        set interface "wan1"
    next
end

config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set gateway 10.0.0.2
        set device "tun1"
    next
end
The tunnel exists and works to and from 192.168.1.0 to 192.168.2.0. The issue is adding the 192.168.20.0 route. The only option when creating a static route is to tell the FortiGate to send the traffic for 192.168.20.0 to the tunnel. I would think I need to tell it to send the traffic to 192.168.1.2 (the Cisco).
Thanks!
Just adding to this.
config router static
    edit 1
        set gateway 12.43.15.225
        set device "wan2"
    next
    edit 2
        set gateway 14.100.22.65
        set device "wan1"
    next
    edit 3
        set dst 192.168.1.0 255.255.255.0
        set device "To_HQ"
        set comment "VPN: To_HQ (Created by VPN wizard)"
    next
    edit 4
        set dst 192.168.1.0 255.255.255.0
        set device "To_HQ_WAN2"
        set comment "VPN: To_HQ_WAN2 (Created by VPN wizard)"
    next
    edit 5
        set dst 192.168.1.0 255.255.255.0
        set device "To_REM2_HQ1"
        set comment "VPN: To_REM2_HQ1 (Created by VPN wizard)"
    next
    edit 6
        set dst 192.168.1.0 255.255.255.0
        set device "To_REM2_HQ2"
        set comment "VPN: To_REM2_HQ2 (Created by VPN wizard)"
    next
    edit 7
        set dst 192.168.20.0 255.255.255.0
        set distance 5
        set device "To_HQ_WAN2"
    next
end
FGT90E4Q17002511 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 14.100.22.65, wan1
C       14.100.22.64/28 is directly connected, wan1
S       192.168.1.0/24 [10/0] is directly connected, To_HQ_WAN2
C       192.168.2.0/24 is directly connected, internal
S       192.168.20.0/24 [5/0] is directly connected, To_HQ_WAN2