IPSec tunnel, not routing

zmag · ‎04-19-2011

I have a new IPSec tunnel and I have control over both ends of it. Local - FG60B 4.0 MR3 Remote - FG60C 4.0 MR1 The tunnel shows successful P1 and P2, but no successful pings. My first step was to tracert to a remote host. The tracert went to the firewall as expected but then it went out the default gateway not the virtual interface bound to the tunnel. the route states : destination = 10.154.154.0/24 device = rmg_dev (virtual interface) I think that just having this route should force traffic to the virtual interface, even if the tunnel was down, so why would traffic continue to gateway of last resort?

rwpatterson · ‎04-19-2011

If you use interface tunnels, you then also need a static route for the remote end traffic.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

zmag · ‎04-19-2011

That' s the route I have. The remote network is 10.154.154.0/24 Tracing route to 10.154.154.14 over a maximum of 30 hops 1 2 ms 2 ms 3 ms 192.168.32.1 2 6 ms 1 ms 1 ms 172.16.32.1 3 1 ms 1 ms 1 ms chicrt1.mydomain.com [192.168.40.1] 4 1 ms 1 ms 1 ms 192.168.40.100 << My Firewall 5 2 ms 2 ms 2 ms hge14-1.hge.net [216.19.237.1] << my default gtwy 6 3 ms 2 ms 2 ms hge12-1.hge.net [216.19.235.1] 7 2 ms 2 ms 2 ms 216.19.226.250 8 5 ms 4 ms 5 ms vlan187.car1.boston1.level3.net [4.53.49.197] 9 * * ^C Tracing route to 10.154.154.14 over a maximum of 30 hops

ede_pfau · ‎04-19-2011

I see that you have the static route to the VPN interface configured. But traceroute clearly shows that the route is not active - what do you see in the Routing Monitor? VPN traffic going out the WAN port can only happen if the tunnel is down, and thus the route is deleted. In the CLI, the routing monitor is given by

 get router info routing-table all

Ede

"Kernel panic: Aiee, killing interrupt handler!"

zmag · ‎04-19-2011

There is no reference to the route in the monitor. It does seem that the tunnel is down but in the analyzer I see P2 and P2 successful. Thanks for the reply.

ede_pfau · ‎04-19-2011

Can you check the tunnel status on (one of) the FGT? VPN>IPSec>Monitor.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

zmag · ‎04-19-2011

tunnel is up, i bounced it, comes right back with the same results. Both sides show the tunnel is up. For the sake of troubleshooting I removed all but one quick mode selector with one host on each side, also changed the policies to reflect one host on each side. Also (for what its worth) I upgraded the firmware on the remote side (60B) to MR3.

ede_pfau · ‎04-19-2011

creating and tearing down a tunnel MUST insert/delete the corresponding static route in the Routing Monitor. The QM selectors only determine who is able to trigger the negotiations so here they don' t matter. IMHO be cautious to upgrade to a different major version. Would be wise to find the root cause and not explore all the little things that have changed between 4.2 and 4.3... And you can bet that IPSec VPN funtionality does work in any FortiOS version, or else Fortinet would get a lot of support calls. Please post the routing table when the tunnel is up, and the static route definition. Maybe it' s just a typo.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

zmag · ‎04-19-2011

I may have just found something. One the remote side, 60B MR3, >System >Network > Interface > there is an option for switch mode management, it is set to " Switch Mode" pretty sure that should be " Interface Mode" . I' ll download to Manual for this 60B (dev)

ede_pfau · ‎04-19-2011

Nope. The internal ports of the 60B can be combined into ONE switch interface or be split into several independent ports. Your issue doesn' t deal with physical ports at all but virtual VPN interfaces. And routes.

Ede

"Kernel panic: Aiee, killing interrupt handler!"