Hi,
I'm using a Fortigate 1500D with VDOMs in 6.0.14.
Here is my network topology :
Initially, there are only N2 and N3 communicating with a static route on my firewall via R1 and R2.
My goal here is to add N1 which has to communicate with N3 using IPSEC connection over internet.
To do so I first tried to use policy routing through IPSEC using this CB, which didn't work.
Then I tried applying policy routing between N2 and N3 so that I could use static route for the IPSEC routing.
It only worked half way.
Here is my policy routing configuration :
When I'm pinging from N2 to N3 it's OK but on the other half, it's impossible to ping from N3 to N2.
Packets arrive at the firewall from R1 but the firewall isn't routing them. Here is a packet capture from the interface between the firewall and R1 :
Nothing is coming in on the packet capture on N2.
What am I missing here ?
Created on 01-27-2022 07:52 AM Edited on 01-27-2022 07:52 AM
Tested today, it worked :D
Final configuration on the firewall :
Thank you for the HELP !!
It seems that the problem is on R3.
If N2 > N3 is ok, it means the packet is routed back by R3 the way it came (from IPSEC).
If N3 > N2 is not ok, and traffic arrives from R1, it means that R3 is routing according to the routing table (to R1, not through IPSEC).
There is no R3 in the topology. N2 and N3 have to communicate by the link between R1 and R2, and N1 and N3 have to communicate through IPSEC.
When policy routing is enabled, I can communicate from N2 to N3 but in the opposite direction, between N3 and N2, ping packets get no responses from the firewall.
It's like the firewall has forgotten about N2 being a directly connected network.
I tried using a "stop policy routing" policy on the firewall for any packets that were coming from the interface between the firewall and R1 but it did nothing.
Is your intention below?
N2<->FGT<->R1<->R2<->N3
N1<->FGT<-(IPSec)->R2<->N3
If so, the FGT needs to have parallel routes for the N3 subnet toward both R1 and IPSec in addition to the policy routes. The "priority" can be different though if static routes.
And R2 needs to have policy routes too for the reverse direction. FGT doesn't accept asymmetric routes like going out IPsec and coming back from R1. So R2 needs to make them symmetric.
Toshi
Yes this is my intention
@Toshi_Esumi wrote: If so, the FGT needs to have parallel routes for the N3 subnet toward both R1 and IPSec in addition to the policy routes. The "priority" can be different though if static routes.
So policy routes do not replace static routes but indicate which static route a stream should use, whatever the weight ?
And R2 needs to have policy routes too for the reverse direction. FGT doesn't accept asymmetric routes like going out IPsec and coming back from R1. So R2 needs to make them symmetric.
On the other side this is way simpler, I can just have one route to N2 via R2 and one route to N1 via IPSEC since the destination isn't the same.
Correct. To be a candidate of policy-route "steering", there needs to be a proper/allowing route in RIB.
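To make Toshi's point concrete, here is an added FortiOS CLI sketch (not the poster's final configuration, which is not shown in the thread) of the FGT side: two static routes to N3 with equal distance and different priority, so both stay in the RIB and can be candidates for policy-route steering, plus the two policy routes. Subnets, interface names (port1/port2/port3, IPsec interface "to-R2"), the R1 gateway 192.0.2.1 and the entry ids are all assumed placeholders.

```text
# Assumed addressing: N1 = 10.1.0.0/24 on port1, N2 = 10.2.0.0/24 on port2,
# R1 = 192.0.2.1 on port3, N3 = 10.3.0.0/24 behind R2, IPsec phase1-interface "to-R2".

# Both routes to N3 must exist in the RIB; equal distance keeps both active,
# priority only decides which one normal (non-policy) lookups prefer.
config router static
    edit 1
        set dst 10.3.0.0 255.255.255.0
        set gateway 192.0.2.1
        set device "port3"
        set distance 10
        set priority 10
    next
    edit 2
        set dst 10.3.0.0 255.255.255.0
        set device "to-R2"
        set distance 10
        set priority 20
    next
end

# Policy routes then steer per source: N1 -> N3 over IPsec, N2 -> N3 via R1.
# Without the matching static route above, the policy route is not applied.
config router policy
    edit 1
        set input-device "port1"
        set src "10.1.0.0/255.255.255.0"
        set dst "10.3.0.0/255.255.255.0"
        set output-device "to-R2"
    next
    edit 2
        set input-device "port2"
        set src "10.2.0.0/255.255.255.0"
        set dst "10.3.0.0/255.255.255.0"
        set gateway 192.0.2.1
        set output-device "port3"
    next
end
```

The return path still has to match: R2 must send N3 -> N2 traffic toward R1 and N3 -> N1 traffic into the tunnel, otherwise the FGT drops the reply as asymmetric, which is the N3 > N2 failure described above.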