aguerriero
Contributor II

Longest Match Routing

With other network vendors I can override a local interface by using a longer bit match for the prefix/mask. 

Say I have 172.16.0.0/24 and 172.16.1.0/24 at site 1 but I want to reach 172.16.0.10/32 at site 2 from 172.16.1.0/24 over the VPN tunnel. I can create the specific host route and create a /32 phase 2 SA. The problem I am seeing is that the /32 does not override a locally configured interface with a shorter mask length. Even if I disable site 1's 172.16.0.0/24 interface, nothing will route over the tunnel. If I change the address on the site 1 interface to something not in that range then it works. At the very least I would expect that disabling the site 1 interface would allow me to route over the VPN to site 2.

This is on 6.2.7.
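To make the expectation in the question concrete, here is an added example (not from the original post, and not FortiOS code) that models a plain longest-prefix-match lookup over the site 1 table described above: two connected /24s plus a /32 host route via the tunnel. Interface names such as `port2`, `port3` and `to_site2` are assumed for illustration; the model shows the textbook outcome, where the /32 wins for 172.16.0.10 and removing the connected /24 leaves only the tunnel route for that host.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for "site 1" from the thread. Interface names
# are assumed placeholders, not taken from any real device.
SITE1_ROUTES = [
    ("172.16.0.0/24", "port2"),      # connected LAN interface
    ("172.16.1.0/24", "port3"),      # connected LAN interface (source subnet)
    ("172.16.0.10/32", "to_site2"),  # static host route via the IPsec tunnel
]


def longest_prefix_match(dst, routes):
    """Return (prefix, interface) of the most specific route containing dst,
    or None when nothing matches. Table order is irrelevant: only the
    prefix length decides, which is the behaviour the replies describe."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def routes_with_interface_down(routes, iface):
    """Model disabling an interface: its connected prefixes leave the table,
    so only the static /32 can still match hosts in that range."""
    return [r for r in routes if r[1] != iface]


def explain(dst, routes):
    """Human-readable lookup result, handy next to a sniffer capture."""
    hit = longest_prefix_match(dst, routes)
    return f"{dst}: no route" if hit is None else f"{dst}: {hit[0]} via {hit[1]}"


if __name__ == "__main__":
    for dst in ("172.16.0.10", "172.16.0.11", "172.16.1.5"):
        print(explain(dst, SITE1_ROUTES))
    print("-- port2 disabled --")
    for dst in ("172.16.0.10", "172.16.0.11"):
        print(explain(dst, routes_with_interface_down(SITE1_ROUTES, "port2")))
```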

3 REPLIES
Toshi_Esumi
SuperUser

I didn't know the answer so I tested it myself. It's working in my environment. I borrowed one of the available IPs from my /28 LAN and placed the /32 as a loopback interface on the opposite side of the IPsec tunnel. Then I pinged from 3 sources:

1) the FGT itself (picks up the tunnel interface IP for the source)
2) coming from another interface (wifi)
3) coming from the /28 subnet

All got through the tunnel (I was sniffing on both sides of the tunnel). My local FGT is FG50E 6.2.7.

I should try running "flow debug" to see how your FGT is handling the packets.

aguerriero
Contributor II

Weird. I will have to try again in a lab environment. I ended up using overlapping NAT.

emnoc
Esteemed Contributor III

Yes, longest match should always win.

Ken Felix
PCNSE NSE StrongSwan