Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CHAMPE
New Contributor

PUBLIC IP AS A PHASE 2 SELECTOR IN IPSEC VPN

Hello everyone...

I'm supporting a client for an IPsec VPN setup. I have configured everything right: the tunnel is up, both phase 1 and phase 2. I have done the necessary routing and policies and everything looks fine.

The remote addresses on the phase 2 selectors are public IP addresses. The traffic destined for this remote address hits the LAN TO WAN policy, despite the ingress and egress policies matching the tunnel being at the top of the policy chart. I decided to update the administrative distance for the VPN static routes to a lesser one, but this didn't do the trick.

Has anyone ever come across this scenario? And how did you work around it? I'm running firmware version 7.0.13.

Toshi_Esumi
Esteemed Contributor III

Unless some users/sources need to go through the tunnel while the others go over the internet.

CHAMPE

Done

But still no traffic, even after initiating from my end.

Toshi_Esumi
Esteemed Contributor III

I'm assuming you took care of three things: 1) routing, which you just did, 2) the set of policies, and 3) phase 2 network selectors for the subnet.
Then you need to run a flow debug to find out where and why the traffic is going or being dropped.
https://docs.fortinet.com/document/fortigate/7.2.7/administration-guide/38044

Toshi

Toshi_Esumi
Esteemed Contributor III

CHAMPE

Traffic isn't dropped anywhere. It's just going out using the wrong interface, the SD-WAN zone.

Toshi_Esumi
Esteemed Contributor III

You never mentioned SD-WAN until now. It must be that your rule setting is not allowing or preferring the path. You need to share the SD-WAN config with others. I'm not an expert on SD-WAN, but others should be able to reply.

Toshi

AEK
Honored Contributor

Policy routes have precedence over SD-WAN. So there must be something wrong with your policy routes.

Can you confirm you have policy routes only for the tunnel, not for SD-WAN?

Can you share a screenshot of your policy route?

AEK
CHAMPE
New Contributor

I used the SD-WAN interface I configured on the IPsec tunnel as the outgoing interface on the policy route.

For the incoming policy, I set the source as the remote address I would like to access, then the destination as my local address.

For the outgoing one, I have my source as my local address and the destination as the remote address.

CHAMPE
New Contributor

Correction

I set the IPsec tunnel as the outgoing interface, not the SD-WAN member interface.

AEK
Honored Contributor

Can you share the following:

  • Screenshot of Policy Routes summary
  • Screenshot of each policy route details
  • diag sniffer output of the related traffic while you are pinging the destination from your LAN

You can hide any confidential address on the shared screenshots.

AEK
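As an added illustration that is not from any poster in this thread and not a Fortinet reference configuration, here is a FortiOS CLI fragment covering the three items Toshi_Esumi lists (a phase 2 selector whose remote side is a single public host, a host route into the tunnel, and a policy route that pins that host to the tunnel ahead of the SD-WAN zone), followed by the flow-debug and sniffer checks that Toshi_Esumi and AEK ask for. All names and addresses are assumed placeholders: the tunnel is called `vpn-client`, the LAN is 10.10.0.0/24 on `port2`, and 203.0.113.10 (from the documentation address range) stands in for the remote public address.

```text
# Assumed placeholder names/addresses; adapt to the real environment.

# --- 1. Phase 2 selector: local LAN subnet to one remote public host (/32) ---
config vpn ipsec phase2-interface
    edit "vpn-client-p2"
        set phase1name "vpn-client"
        set src-addr-type subnet
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 203.0.113.10 255.255.255.255
    next
end

# --- 2. Host route into the tunnel ---
# A /32 is more specific than any SD-WAN default route, so the distance value
# only matters if another route to exactly this host exists.
config router static
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set device "vpn-client"
        set distance 5
        set comment "remote VPN host, force into tunnel"
    next
end

# --- 3. Policy route: LAN -> remote host leaves via the tunnel, evaluated before SD-WAN rules ---
config router policy
    edit 1
        set input-device "port2"
        set src "10.10.0.0/255.255.255.0"
        set dst "203.0.113.10/255.255.255.255"
        set output-device "vpn-client"
    next
end

# --- Verification ---
# a) Which route does the FortiGate actually pick for the remote host?
get router info routing-table details 203.0.113.10

# b) Trace the forwarding decision for ICMP from the LAN to the remote host.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... ping 203.0.113.10 from a LAN host, read the trace, then stop:
diagnose debug disable
diagnose debug reset

# c) Confirm the packet enters on port2 and leaves on vpn-client, not the SD-WAN zone.
diagnose sniffer packet any 'host 203.0.113.10 and icmp' 4 10
```

In the flow trace, the lines to look at are the route lookup ("find a route") and the policy match: if the outgoing interface shown is the SD-WAN zone rather than `vpn-client`, the host route or policy route above is not being used. One caveat relevant to this thread: once a tunnel has been added as an SD-WAN member, FortiOS will not accept it as the `device` of a static route; the route must then point at the SD-WAN zone and an SD-WAN rule must steer the traffic, or the tunnel must be removed from SD-WAN first.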