pierrec
New Contributor II

Policy routing configuration

Hi,

I'm using a FortiGate 1500D with VDOMs, running 6.0.14.

Here is my network topology:

[image: network topology diagram]

Initially, only N2 and N3 are communicating, with a static route on my firewall via R1 and R2.

My goal here is to add N1, which has to communicate with N3 using an IPsec connection over the internet.

To do so I first tried to use policy routing through IPsec using this KB, which didn't work.

Then I tried applying policy routing between N2 and N3 so that I could use a static route for the IPsec routing.

It only worked halfway.

Here is my policy routing configuration:

[image: policy route configuration]

When I'm pinging from N2 to N3 it's OK, but for the other half it's impossible to ping from N3 to N2.

Packets arrive at the firewall from R1 but the firewall isn't routing them. Here is a packet capture from the interface between the firewall and R1:

[image: packet capture on the interface between the firewall and R1]

Nothing is coming in on the packet capture on N2.

What am I missing here?

AlexC-FTNT
Staff

It seems that the problem is on R3.

If N2 > N3 is OK, it means the packet is routed back by R3 the way it came (from IPsec).

If N3 > N2 is not OK, and traffic arrives from R1, it means that R3 is routing according to its routing table (to R1, not through IPsec).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
pierrec
New Contributor II

There is no R3 in the topology. N2 and N3 have to communicate over the link between R1 and R2, and N1 and N3 have to communicate through IPsec.

When policy routing is enabled, I can communicate from N2 to N3, but in the opposite direction, between N3 and N2, ping packets get no response from the firewall.

It's like the firewall has forgotten about N2 being a directly connected network.

I tried using a "stop policy routing" policy on the firewall for any packets coming from the interface between the firewall and R1, but it did nothing.

Toshi_Esumi
SuperUser

Is your intention as below?

N2<->FGT<->R1<->R2<->N3

N1<->FGT<-(IPsec)->R2<->N3

If so, the FGT needs to have parallel routes for the N3 subnet toward both R1 and IPsec, in addition to the policy routes. The "priority" can be different though, if they are static routes.

And R2 needs to have policy routes too, for the reverse direction. The FGT doesn't accept asymmetric routes, like going out IPsec and coming back from R1. So R2 needs to make them symmetric.

 

Toshi

pierrec
New Contributor II

Yes, this is my intention.

@Toshi_Esumi wrote:

> If so, the FGT needs to have parallel routes for the N3 subnet toward both R1 and IPsec, in addition to the policy routes. The "priority" can be different though, if they are static routes.

So policy routes do not replace static routes but indicate which static route a stream should use, whatever the weight?

> And R2 needs to have policy routes too, for the reverse direction. The FGT doesn't accept asymmetric routes, like going out IPsec and coming back from R1. So R2 needs to make them symmetric.

On the other side it's way simpler: I can just have one route to N2 via R2 and one route to N1 via IPsec, since the destinations aren't the same.

Toshi_Esumi

Correct. To be a candidate for policy-route "steering", there needs to be a proper/allowing route in the RIB.

pierrec
New Contributor II

Tested today, it worked :D

Final configuration on the firewall:

  • First configure IPsec with the remote IP address like on this KB
  • Configure one route to N3 using the IPsec GW with a weight of 10
  • Configure one route to N3 using the R1 GW with a weight of 10
  • Configure one policy route for N1 -> N3 using the IPsec GW
  • Configure one policy route for N2 -> N3 using the R1 GW

Thank you for the HELP!!
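The final configuration above, written out as an added FortiOS 6.0-style CLI example; this is not the poster's actual configuration. Subnets, interface names (port1 toward R1, port2 for N1, port3 for N2, tunnel to-R2-ipsec), the R1 next hop and the host address used in the flow trace are assumed placeholders.

```fortios
# Assumed placeholders: N1 = 10.1.0.0/24 on port2, N2 = 10.2.0.0/24 on port3,
# N3 = 10.3.0.0/24, link to R1 on port1 with R1 = 10.0.12.2, phase1 "to-R2-ipsec".
# Two parallel static routes to N3 with the same distance, so both stay in the
# RIB: a policy route can only steer traffic onto a route that already exists.
config router static
    edit 1
        set dst 10.3.0.0 255.255.255.0
        set gateway 10.0.12.2
        set device "port1"
        set distance 10
        set weight 10
    next
    edit 2
        set dst 10.3.0.0 255.255.255.0
        set device "to-R2-ipsec"
        set distance 10
        set weight 10
    next
end
# Source-based policy routes, matched top-down: N1 -> N3 enters the tunnel,
# N2 -> N3 goes to R1. Route 1 above is also what lets N3 -> N2 traffic that
# arrives from R1 on port1 pass the reverse-path check toward its source.
config router policy
    edit 1
        set input-device "port2"
        set src "10.1.0.0/255.255.255.0"
        set dst "10.3.0.0/255.255.255.0"
        set output-device "to-R2-ipsec"
    next
    edit 2
        set input-device "port3"
        set src "10.2.0.0/255.255.255.0"
        set dst "10.3.0.0/255.255.255.0"
        set gateway 10.0.12.2
        set output-device "port1"
    next
end
# Checks: confirm both N3 routes are in the routing table and the policy routes
# are installed, then trace a N3 -> N2 packet; "reverse path check fail" in the
# flow output means the route back to the source via the ingress port is missing.
get router info routing-table all
diagnose firewall proute list
diagnose debug flow filter addr 10.2.0.1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
```

With VDOMs enabled, enter the VDOM first (config vdom, edit <vdom name>) before the router commands, and run diagnose debug disable when the trace is done.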
