IPsec VPNs ALWAYS route hop through DMZ interface IP Address ?

Ringo · ‎01-25-2016

Firewall : 60D with wifi

firmware : V5.2.3 Build670 (GA)

Operation mode : NAT

IPSEC VPN dhcp IP client Range: 192.168.60.10 - 192.168.60.20

VPN Client only can access the IP 192.168.10.70 (NAS)

symptom

When VPN Client trying to trace route 192.168.10.70

The first hop is ALWAYS the IP address of the FortiGate' s DMZ interface, even though I have the FortiGate' s DMZ interface administratively down.

When i change the DMZ IP and trace route again, the first hop IP will be change accordingly.

When I change the DMZ IP to 0.0.0.0/0.0.0.0 and trace route again, the first hop IP will be change WAN-1 Interface IP (Internet IP)

why the first hop IP not the gateway ip ? how can i fix this problem

thanks

Ringo

idirim · ‎03-17-2016

any updates on the topic ?

im having the same issue on ipsec site-to-site vpn tunnel ( fgt60d 5.2.6)

ede_pfau · ‎03-18-2016

AFAIK the problem occurs because the IPsec tunnel is unnumbered, i.e. the tunnel interfaces do not have IP addresses by default. FortiOS will then choose the "next" interface where the sequence is not readily apparent from the GUI.

You can try to assign IP addresses to the tunnel ends, although only in the CLI.

Ede Kernel panic: Aiee, killing interrupt handler!

IPsec VPNs ALWAYS route hop through DMZ interface IP Address ?

Nominate a Forum Post for Knowledge Article Creation