Support Forum
CHAMPE
New Contributor

Public IP as a phase 2 selector in IPsec VPN

Hello everyone...


I'm supporting a client with an IPsec VPN setup. I have configured everything correctly; the tunnel is up, both phase 1 and phase 2. I have done the necessary routing and policies and everything looks fine.

The remote addresses in the phase 2 selectors are public IP addresses. The traffic destined for these remote addresses hits the LAN-to-WAN policy, despite the ingress and egress policies matching the tunnel being at the top of the policy list. I decided to lower the administrative distance of the VPN static routes, but this didn't do the trick.

Has anyone ever come across this scenario? And how did you work around it? I'm running firmware version 7.0.13.

29 replies
CHAMPE
New Contributor

Our local subnets are private IP addresses.

AEK
SuperUser

Hello

Do you have SD-WAN?

If so, SD-WAN rules take precedence over normal routes. But policy routes take precedence over SD-WAN rules, so you can use a policy route to fix it.

Destination: target pub IP

Outgoing interface: tunnel

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

AEK
CHAMPE
New Contributor

Hi AEK

 

I created two policy routes, one for the incoming and one for the outgoing traffic. I set the source to my local address defined on the tunnel, the destination to the remote addresses, and the outgoing interface to the IPsec interface.

There were no hits. I did a pcap, but still nothing.

What if I use my public IP as my local address, then create a VIP to map the public address to the internal server for the incoming traffic, and create an IP pool with the public IP address for the outgoing traffic?

AEK

Don't remove the static route, as mentioned by @Toshi_Esumi.

AEK
Toshi_Esumi
Esteemed Contributor III

Do you have the matching specific route for the public IP subnet toward the tunnel interface? Otherwise it wouldn't go into the tunnel.

Toshi

CHAMPE

Hi Toshi

I have defined specific static routes to the remote addresses via the tunnel interfaces.

Toshi_Esumi
Esteemed Contributor III

You mean you have the specific static route in addition to the policy route for the same public subnet, as you replied to @AEK?

CHAMPE

Initially I had the static route. After troubleshooting I disabled the static route and came up with the policy route.

Toshi_Esumi
Esteemed Contributor III

No. You cannot remove the route. A policy route works only if a legitimate route exists (it doesn't have to be an exact match; a supernet such as a 0/0 route is fine).
And in this case you don't need a policy route.

Toshi
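Putting the replies above together, here is an added FortiOS CLI example of the working layout: the specific static route toward the tunnel interface that Toshi_Esumi says is mandatory, the tunnel firewall policies, and the policy route AEK suggests for the SD-WAN case (which only takes effect on top of an existing route). This is my own example, not configuration posted by anyone in the thread. Interface names, the tunnel name and all addresses (10.10.10.0/24 as the local private LAN, 203.0.113.0/24 as the remote public selector, 198.51.100.1 as the peer gateway) are constructed assumptions; substitute your own.

```fortios
# Added example, not from the thread. Assumed (constructed) names and addresses:
#   port2           = LAN interface
#   "to-client"     = IPsec phase1-interface that is already up (peer gateway 198.51.100.1)
#   10.10.10.0/24   = local private LAN, the phase 2 local selector
#   203.0.113.0/24  = remote side's PUBLIC IP range, the phase 2 remote selector
# Caveat: 203.0.113.0/24 must not contain the peer gateway 198.51.100.1,
# otherwise the IKE/ESP packets themselves would be routed into the tunnel.

# 1. Phase 2 selectors: private local subnet, public remote subnet.
config vpn ipsec phase2-interface
    edit "to-client-p2"
        set phase1name "to-client"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 203.0.113.0 255.255.255.0
    next
end

# 2. The route that actually steers traffic into the tunnel. Without it the
#    default route wins, the egress interface is the WAN port, and only a
#    LAN->WAN policy can ever match, no matter where the tunnel policies sit
#    in the policy list. The blackhole route with a high distance keeps the
#    traffic from leaking out via the WAN while the tunnel is down.
config router static
    edit 10
        set dst 203.0.113.0 255.255.255.0
        set device "to-client"
        set distance 10
        set comment "remote public selector via IPsec"
    next
    edit 11
        set dst 203.0.113.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# 3. Address objects and the two tunnel policies (no NAT on the outbound one,
#    so the private source stays inside the phase 2 selector).
config firewall address
    edit "LAN-10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "REMOTE-203.0.113.0"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall policy
    edit 100
        set name "LAN-to-client-vpn"
        set srcintf "port2"
        set dstintf "to-client"
        set srcaddr "LAN-10.10.10.0"
        set dstaddr "REMOTE-203.0.113.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 101
        set name "client-vpn-to-LAN"
        set srcintf "to-client"
        set dstintf "port2"
        set srcaddr "REMOTE-203.0.113.0"
        set dstaddr "LAN-10.10.10.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 4. Only if SD-WAN is enabled and its rules keep pulling the traffic to the
#    WAN member: a policy route, which is consulted before SD-WAN rules. It
#    still needs the static route above (or at least a 0/0 route) to exist.
config router policy
    edit 1
        set input-device "port2"
        set src "10.10.10.0/255.255.255.0"
        set dst "203.0.113.0/255.255.255.0"
        set output-device "to-client"
    next
end

# 5. Verify: the routing table must show the tunnel as the next hop, and the
#    flow trace must report the tunnel, not the WAN port, as the outgoing
#    interface and policy 100 as the matched policy.
get router info routing-table all
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow trace start 5
diagnose debug enable
# ... send a test packet from 10.10.10.5 to 203.0.113.10 ...
diagnose debug disable
diagnose debug reset
```

The order of operations on the FortiGate is what the original poster ran into: the route lookup picks the egress interface first, and only then is the policy list searched for a policy whose destination interface matches that egress. A tunnel policy at the top of the list therefore never matches while the route for 203.0.113.0/24 points at the WAN, and lowering the distance of a VPN route that is disabled (or missing) changes nothing. The `diagnose debug flow` output is the quickest way to confirm which route and policy were actually chosen.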
