Hello everyone...
I'm supporting a client for an IPsec VPN setup. I have configured everything right. The tunnel is up, both phase 1 and phase 2. I have done the necessary routing and policies and everything looks fine.
The remote addresses on the phase 2 selectors are public IP addresses. The traffic destined for this remote address hits the LAN-to-WAN policy despite the ingress and egress policies matching the tunnel being at the top of the policy chart. I decided to update the administrative distance for the VPN static routes to a lower one, but this didn't do the trick.
Has anyone ever come across this scenario? And how did you work around it? I'm running firmware version 7.0.13.
Unless some users/sources need to go through the tunnel while the others go over the internet.
Done
But still no traffic, even after initiating from my end.
I'm assuming you took care of three things: 1) routing, which you just did, 2) the set of policies, and 3) the phase 2 network selectors for the subnet.
Then you need to run a flow debug to find out where and why the traffic is going or being dropped.
https://docs.fortinet.com/document/fortigate/7.2.7/administration-guide/38044
Toshi
The CLI method is probably easier than the GUI.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/54688/debugging-the-packet-flow
Traffic isn't dropped anywhere. It's just going out using the wrong interface, the SD-WAN zone.
Created on 02-12-2024 10:01 AM Edited on 02-12-2024 10:17 AM
You never mentioned SD-WAN until now. It must be that your rule setting is not allowing or preferring the path. You need to share the SD-WAN config with others. I'm not an expert on SD-WAN, but others should be able to reply.
Toshi
A policy route takes precedence over SD-WAN. So there must be something wrong with your policy routes.
Can you confirm you have policy routes only for the tunnel, not for SD-WAN?
Can you share a screenshot of your policy route?
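As an added illustration, not taken from this thread or from Fortinet's documentation: a FortiOS CLI policy route that pins LAN-to-remote traffic to the IPsec tunnel interface (the arrangement Toshi describes, with the policy route pointing only at the tunnel and not at SD-WAN), followed by the flow-debug commands used to confirm which interface a flow actually leaves on. Interface names, subnets and addresses are assumed placeholders, and the tunnel interface is assumed not to be an SD-WAN member.

```fortios
# Added example, not from the thread. Assumed names: LAN port "port2",
# IPsec phase1 interface "ToRemote", local subnet 10.10.0.0/24,
# remote phase2 selector 203.0.113.0/24 (documentation range).

# 1. Policy route: consulted before SD-WAN rules and the routing table,
#    so matching LAN traffic is forced out the tunnel interface.
#    A firewall policy from port2 to ToRemote is still required.
config router policy
    edit 1
        set input-device "port2"
        set src "10.10.0.0/24"
        set dst "203.0.113.0/24"
        set output-device "ToRemote"
    next
end

# 2. Static route so the tunnel interface is a valid egress for the
#    remote selector (the policy route alone does not install one).
config router static
    edit 10
        set dst 203.0.113.0 255.255.255.0
        set device "ToRemote"
    next
end

# 3. Verification: list active policy routes, then trace one flow to
#    see the interface and firewall policy it really hits.
diagnose firewall proute list
diagnose debug flow filter daddr 203.0.113.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... send traffic from a 10.10.0.x host toward 203.0.113.10 ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

In the trace output, look for the line naming the outgoing interface: if it shows the SD-WAN member rather than ToRemote, the flow did not match the policy route and the src/dst/input-device fields need to be compared against the real packet.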
I used the SD-WAN interface I configured on the IPsec tunnel as the outgoing interface on the policy route.
For the incoming policy, I set the source as the remote address I would like to access, then the destination as my local address.
For the outgoing one, I have my source as my local address and the destination as the remote address.
Correction:
I set the IPsec tunnel as the outgoing interface and not the SD-WAN member interface.
Can you share the following:
You can hide any confidential address on the shared screenshots.