With other network vendors I can override a local interface by using a longer bit match for the prefix/mask.
Say I have 172.16.0.0/24 and 172.16.1.0/24 at site 1 but I want to reach 172.16.0.10/32 at site 2 from 172.16.1.0/24 over the VPN tunnel. I can create the specific host route and create a /32 phase 2 SA. The problem I am seeing is that the /32 does not override a locally configured interface with a shorter mask length. Even if I disable site 1s 172.16.0.0/24 interface, nothing will route over the tunnel. If I change the address on the site 1 interface to something not in that range then it works. At the very least I would expect that disabling the site 1 interface would allow me to route over the VPN to site 2.
This is on 6.2.7
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I didn't know the answer so I tested it myself. It's working in my environment. I borrowed one of available IPs from my /28 LAN and placed the /32 as a loopback interface on the opposite side of the IPsec tunnel. Then pinged from 3 sources:
1) the FGT itself (picks up the tunnel interface IP for the source)
2) coming from other interface (wifi)
3) coming from the /28 subnet
all got through the tunnel (I was sniffing on both sides of the tunnel). My local FGT is FG50E 6.2.7.
I should try running "flow debug" to see how your FGT is handling the packets.
Weird. I will have to try again in a lab environment. I ended up using overlapping NAT.
Yes longest match should always win
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.