First off network architecture explanation.
Two sites exist one in a colo in atlanta with a public range, And my house where a fortigate 60F exists on the latest firmware.
An ipsec tunnel exists between the two sites and routes are exchanged via OSPF.
Colo site has given me a /29 of public ip addresses and are routing them over the ipsec tunnel to me.
However I have a default route out my own wan and the return traffic coming to these public IPs must go back out the ipsec tunnel.
I have assigned this public range to a vlan interface so it can go down into my lan for servers.
I want all traffic sourced from this vlan interface to go out the ipsec tunnel interface.
However since this is a session based firewall I suspect I am in a split horizon routing scenario at present and the policy route I put in place was getting hit but when running a diagnostic it shows pings being dropped due to no return route being found.
Quite confused and could use some help thanks in advance!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello, you can see below kb for policy base routing configuration:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
Further is you are seeing no return route which simply means traffic is not returning back from expected interface. Most probably it will be a routing issue.
I suggest running a debug flow and a packet sniffer to verify if the traffic is hitting your PBR rule, also make sure to turn off the offloading at the policy level to see them when you're debugging:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
https://docs.fortinet.com/document/fortigate/7.4.3/hardware-acceleration/392369/disabling-np-offload...
Why do you need a policy route? Your DC have a /29 public subnet that you need to route over the IPSec tunnel from your FGT while your general internet goes out through wan1 interface, right? Then you just need to set a static route for the /29 toward the tunnel interface with a static route. If it's OSFP, it should have been automatically taken care of.
Of course you have to adjust phase2 selector to allow the /29 destined traffic to the other side of the tunnel if the current selector is not 0/0<->0/0, But I assume you've already know that very well while you're handling other IPSecs.
I think you're overthinking.
Toshi
Hi @bebab,
I don't quite understand your network architecture. Why are you assigning public range to your VLAN interface? Can you provide a network diagram?
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1516 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.