Hello everyone...
I'm supporting a client for an IPsec VPN setup. I have configured everything right; the tunnel is up, both phase 1 and phase 2. I have done the necessary routing and policies and everything looks fine.
The remote addresses on the phase 2 selectors are public IP addresses. The traffic destined for this remote address hits the LAN to WAN policy despite the ingress and egress policies matching the tunnel being at the top of the policy chart. I decided to update the administrative distance for the VPN static routes to a lower one, but this didn't do the trick.
Has anyone ever come across this scenario? And how did you work around it? I'm running firmware version 7.0.13.
Our local subnets are private IP addresses.
Hello
Do you have SD-WAN?
If so, SD-WAN rules have precedence over normal routes. But policy routes have precedence over SD-WAN rules, so you can use a policy route to fix it.
Destination: target pub IP
Outgoing interface: tunnel
Hi AEK
I created two policy routes, one for the incoming and one for the outgoing traffic. I set the source to my local address defined on the tunnel, the destination to be the remote addresses and the outgoing interface to be the IPsec interface.
There were no hits. I did a pcap but still nothing.
What if I use my public IP as my local address and then do a VIP to map the public address to the internal server for the incoming traffic, then create an IP pool with the public IP address for the outgoing traffic?
Do you have the matching specific route for the public IP subnet toward the tunnel interface? Otherwise it wouldn't go into the tunnel.
Toshi
Hi Toshi
I have defined specific static routes to the remote addresses using the tunnel interfaces.
You mean you have the specific static route in addition to the policy route for the same public subnet, as you replied to @AEK?
Initially I had the static route. After troubleshooting I disabled the static route and came up with the policy route.
No. You cannot remove the route. A policy route works only in case a legit route exists (it doesn't have to be an exact match; a supernet is fine, such as the 0/0 route).
And in this case you don't need a policy route.
Toshi
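A minimal FortiOS 7.0 CLI configuration for the setup discussed in this thread, added here as an illustration; it is not taken from any post above. The interface names (internal, wan1), the tunnel name and all addresses (RFC 5737 documentation ranges) are assumptions. It shows the pieces Toshi's answer relies on: a phase 2 selector covering the remote public subnet, a static route for that subnet pointing at the tunnel interface, and the firewall policies. The policy route at the end is optional and is only included to show that it sits on top of a route that must already exist.

```text
# Added example (not from the thread): FortiGate 7.0 CLI, names and addresses assumed.
# Local LAN 192.168.10.0/24 (private), remote selector 198.51.100.0/28 (public),
# peer gateway 203.0.113.10; interfaces "internal" and "wan1"; tunnel "to-partner".

config vpn ipsec phase1-interface
    edit "to-partner"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2-interface
    edit "to-partner-p2"
        set phase1name "to-partner"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 198.51.100.0 255.255.255.240
    next
end

config firewall address
    edit "LAN-192.168.10.0"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "partner-198.51.100.0"
        set subnet 198.51.100.0 255.255.255.240
    next
end

# This route is what steers the public /28 into the tunnel. Without it the lookup
# falls to 0.0.0.0/0 via wan1 and the session matches the LAN-to-WAN policy instead.
# Longest prefix match decides this; administrative distance only breaks ties
# between routes with the same prefix, so lowering it on this /28 changes nothing.
config router static
    edit 0
        set dst 198.51.100.0 255.255.255.240
        set device "to-partner"
    next
end

config firewall policy
    edit 0
        set name "LAN-to-partner"
        set srcintf "internal"
        set dstintf "to-partner"
        set srcaddr "LAN-192.168.10.0"
        set dstaddr "partner-198.51.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "partner-to-LAN"
        set srcintf "to-partner"
        set dstintf "internal"
        set srcaddr "partner-198.51.100.0"
        set dstaddr "LAN-192.168.10.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Optional: only needed when SD-WAN rules would otherwise pull this traffic to a
# WAN member. The policy route is consulted before SD-WAN, but it is only applied
# when the routing table already holds a route covering dst (a supernet such as
# 0/0 is enough); with the static route above it is redundant.
config router policy
    edit 0
        set input-device "internal"
        set src "192.168.10.0/255.255.255.0"
        set dst "198.51.100.0/255.255.255.240"
        set output-device "to-partner"
    next
end
```

To check what the firewall actually does with a packet for a host in the remote range, `get router info routing-table details 198.51.100.5` shows the route that wins the lookup (it should list the tunnel interface, not wan1), and `diagnose debug flow filter addr 198.51.100.5` followed by `diagnose debug flow trace start 10` and `diagnose debug enable` prints, for the first packets of a session, the outgoing interface and the policy ID that matched, which is the quickest way to see a session landing on the LAN-to-WAN policy instead of the tunnel policy.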
Copyright 2025 Fortinet, Inc. All Rights Reserved.