Interface for site to site VPN
A traceroute to a remote address across the VPN shows an incorrect second hop. The second hop goes through the 'mgmt' 'DMZ' 'wifi-controller' interface. This happens because the VPN interface has an IP address of 0.0.0.0, so the FortiGate uses the first interface according to the ifindex number.
Does this matter, or what interface should I set it to? I have multiple VLANs; however, I use one VLAN for all internal connection traffic.
Labels: 5.2
Hello,
When the ipsec-virtual-interface is set to 0.0.0.0 it cannot be used in the route table; that is when the FGT selects the interface with the highest interface-index for the traceroute hop count. But that entry in the table does not mean that the traffic is routed through the wrong interface that is displayed in the table. If you wish to see the correct VPN interface in the tracert, then you can configure the VPN interface with an IP address.
Regards, Anil Nayak
sid dawg wrote: "This happens because the VPN interface has an IP address of 0.0.0.0 so the FortiGate uses the first interface according to the ifindex number."
Uhm, this shouldn't be the case. Even if your interface has a 0.0.0.0/0.0.0.0 IP it shouldn't be in the routing table at all, and a static route (or a dynamic route from your ISP) should override it regardless.
I don't see this behavior on my FGT, and I've never 'numbered' my VPN interfaces.
Check the routing table (Routing > Monitor) for the remote network. Where does the default route point to?
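The following FortiOS CLI walkthrough is an added example, not configuration posted by anyone in this thread. It ties together the two points made above: the accepted answer (an unnumbered tunnel interface only affects what traceroute displays, and giving it an address fixes the display) and the suggestion to verify the route for the remote network directly. The tunnel name "hq-to-branch", the remote LAN 192.168.20.0/24, and the tunnel addresses 10.255.255.1/10.255.255.2 are assumptions; the phase1/phase2 and firewall policies are assumed to exist already. The `remote-ip` syntax shown is the 5.x form (newer FortiOS versions also require a netmask on that line).

```fortios
# Added example (not from the thread). Assumed names and addresses:
#   tunnel interface "hq-to-branch"
#   remote LAN        192.168.20.0/24
#   tunnel addressing 10.255.255.1 (this side) / 10.255.255.2 (peer)

# 1. What actually decides forwarding: the static route to the remote LAN.
#    With the tunnel interface left at 0.0.0.0 this route still works;
#    only the hop shown by traceroute is misleading.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "hq-to-branch"
    next
end

# 2. Cosmetic fix from the accepted answer: number the tunnel interface
#    with a /32 on each side so traceroute reports it as the hop.
config system interface
    edit "hq-to-branch"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2
    next
end
#    Mirror on the peer: set ip 10.255.255.2 255.255.255.255 / set remote-ip 10.255.255.1

# 3. Verify the route for the remote network and the default route,
#    independent of what traceroute shows.
get router info routing-table all
get router info routing-table details 192.168.20.1
execute traceroute 192.168.20.1

# 4. Confirm the real egress interface in the packet flow.
diagnose debug flow filter addr 192.168.20.1
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 5
execute ping 192.168.20.1
diagnose debug disable
diagnose debug reset
```

In the routing-table output the entry for 192.168.20.0/24 should list `hq-to-branch` as the device both before and after step 2; the only thing step 2 changes is the address traceroute prints for that hop. The debug flow trace is the authoritative check, since it reports the interface the session was actually forwarded out of.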