Support Forum
Ringo
New Contributor

IPsec VPNs ALWAYS route hop through DMZ interface IP address?

Firewall: 60D with WiFi

Firmware: V5.2.3 Build670 (GA)

Operation mode: NAT

IPsec VPN DHCP client IP range: 192.168.60.10 - 192.168.60.20

VPN client can only access the IP 192.168.10.70 (NAS)

Symptom

When the VPN client tries to traceroute 192.168.10.70, the first hop is ALWAYS the IP address of the FortiGate's DMZ interface, even though I have the FortiGate's DMZ interface administratively down.

When I change the DMZ IP and traceroute again, the first hop IP changes accordingly.

When I change the DMZ IP to 0.0.0.0/0.0.0.0 and traceroute again, the first hop IP changes to the WAN-1 interface IP (Internet IP).

Why is the first hop IP not the gateway IP? How can I fix this problem?

Thanks

Ringo
idirim
New Contributor

Any updates on the topic?

I'm having the same issue on an IPsec site-to-site VPN tunnel (FGT60D 5.2.6).

ede_pfau

AFAIK the problem occurs because the IPsec tunnel is unnumbered, i.e. the tunnel interfaces do not have IP addresses by default. FortiOS will then choose the "next" interface where the sequence is not readily apparent from the GUI.

You can try to assign IP addresses to the tunnel ends, although only in the CLI.

Ede Kernel panic: Aiee, killing interrupt handler!
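The CLI change ede_pfau describes, written out as an added example; this is not configuration posted by anyone in the thread. The tunnel interface name `vpn-tunnel` and the 10.255.255.x addresses are placeholders to replace with your own (use a /32 pair that is unused anywhere on either side), and the syntax shown is the FortiOS 5.2 form used in the thread, where `remote-ip` takes only an address. The checks afterward are standard FortiOS commands to confirm the tunnel interface now carries its own address and that the route toward the VPN client pool (192.168.60.0/24 in the question) points at that interface, which is what changes the first traceroute hop from the DMZ address to a tunnel address.

```fortios
# Added example, not from the thread. Give the IPsec tunnel interface
# (the phase1-interface name) its own address pair so it is no longer unnumbered.
config system interface
    edit "vpn-tunnel"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2
    next
end

# For a site-to-site tunnel (idirim's case) mirror the pair on the peer:
#   set ip 10.255.255.2 255.255.255.255
#   set remote-ip 10.255.255.1
# For a dial-up tunnel only the local "set ip" line matters for the reply address.

# Verify the interface now has the address:
show system interface vpn-tunnel

# Verify the route to the client pool / remote LAN uses the tunnel interface:
get router info routing-table all

# Verify the tunnel itself is still up after the change:
diagnose vpn tunnel list
```

Expect the routing table entry for the client pool (or remote subnet) to list `vpn-tunnel` as its outgoing interface; if it still shows another interface, the static route or the phase1 "add-route" setting, not the interface address, is what needs attention. Firewall policies between the tunnel interface and the internal interface are unaffected by adding an address, but re-check them after the change, since the point of restricting the clients to 192.168.10.70 only holds while those policies remain the only ones referencing the tunnel.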