Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CHAMPE
New Contributor

Created on ‎02-12-2024 08:10 AM

PUBLIC IP AS A PHASE 2 SELECTOR IN IPSEC VPN

Hello everyone...

 

I'm supporting a client for an ipsec vpn setup..I have configured everything right.the tunnel is up both phase 1 and phase 2...I have  done the necessary routing and policies and everything looks fine 

 

The remote addresses on the phase 2 selectors are public IP addresses..the traffic destined for this remote address hits the LAN TO WAN policy despite the ingress and egress policies matching the tunnel being at the top of the policy chart...I decided to update the administrative distance for the vpn static routes to a lesser one but this didn't do the trick

Has anyone ever come across this scenario ? And how did you work around it ..I'm running firmware version 7.0.13

 

 

Labels:
1671
0 Kudos
29 REPLIES 29
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎02-12-2024 09:45 AM

Unless some users/sources need to go through the tunnel while the others go over the internet.

506
CHAMPE
New Contributor
In response to Toshi_Esumi

Created on ‎02-12-2024 09:52 AM

Done

 

But still no traffic even after initiating from my end

504
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to CHAMPE

Created on ‎02-12-2024 09:56 AM

I'm assuming you took care of three things 1) routing, you just did, 2) set of policies, and 3) phase2 network selectors for the subnet.
Then you need to run flow debug to find out where and why the traffic is going or dropped.
https://docs.fortinet.com/document/fortigate/7.2.7/administration-guide/38044

Toshi

501
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎02-12-2024 09:58 AM

Probably CLI method is easier than GUI.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/54688/debugging-the-packet-flow

498
CHAMPE
New Contributor
In response to Toshi_Esumi

Created on ‎02-12-2024 09:59 AM

Traffic isn't dropped anywhere..it's just going out using the wrong interface , the sdwan zon3

498
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to CHAMPE

Created on ‎02-12-2024 10:01 AM Edited on ‎02-12-2024 10:17 AM

You never mentioned about SD-WAN until now. It must be your rule setting is not allowing or preferring the path. You need to share the SD-WAN config with others. I'm not an expert of SD-WAN but others should be able to reply.

Toshi

494
AEK
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎02-12-2024 10:04 AM

Policy route has precedence over SD-WAN. So there must be something wrong with your policy routes.

Can you confirm you have policy routes only for the tunnel, not for SD-WAN?

Can you share a screenshot of your policy route?

AEK
AEK
486
CHAMPE
New Contributor
In response to AEK

Created on ‎02-12-2024 10:18 AM

I used the sd wan interface i configured on ipsec tunnel as the outgoing interface on the policy route

For the incoming policy; i set source as the remote address I would like to access,then destination as my local address

For the outgoing, I have my source as my local address destination as remote address.

469
0 Kudos
CHAMPE
New Contributor
In response to CHAMPE

Created on ‎02-12-2024 10:22 AM

Correction

I set the ipsec tunnel as the outgoing interface and not the sd wan member interface

467
0 Kudos
AEK
SuperUser
SuperUser
In response to CHAMPE

Created on ‎02-12-2024 10:45 AM

Can you share the following:

  • Screenshot of Policy Routes summary
  • Screenshot of each policy route details
  • diag sniffer of the related traffic while you are pinging the destination from your LAN

You can hide any confidential address on the shared screenshots.

AEK
AEK
462
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.