I am trying to set up a new site with a new FortiGate at it and put an IPsec tunnel between it and the parent site. I have done this before but am having what I think are routing issues.
Site 1 - Firewall 1 (300E cluster running 6.2.4)
IP Range - 10.200.0.0/24
Existing firewall running multiple services.
Configured a spare interface with 10.200.0.254/24 and enabled DHCP on that interface
Created a site-to-site IPsec VPN with 10.200.0.0/24 as local subnet and 10.200.1.0/24 as remote. Wizard created all rules and routes etc.
Static routes were created by the VPN wizard for 10.200.1.0 as follows:
Route 1: Destination (10.200.1.0/24), Interface (VPN Tunnel), Distance (10)
Route 2: Destination (10.200.1.0/24), Interface (Blackhole), Distance (254)
Site 2 - Firewall 2 (100E running 6.4.4 - upgraded from 6.2.7 when I had issues)
IP Range - 10.200.1.0/24
New firewall just for this purpose
Configured a spare interface with 10.200.1.254/25 and enabled DHCP on that interface
Created a site-to-site IPsec VPN with 10.200.1.0/24 as local subnet and 10.200.0.0/24 as remote. Wizard created all rules and routes etc.
Static routes were created by the VPN wizard for 10.200.0.0 as follows:
Route 1: Destination (10.200.0.0/24), Interface (VPN Tunnel), Distance (10)
Route 2: Destination (10.200.0.0/24), Interface (Blackhole), Distance (254)
I am not able to bring the tunnel up yet, so I have tested using route lookup and policy lookup to make sure everything is in place for when the tunnel is up. Route lookup hits the blackhole, so no use. Policy lookup says no route (which is technically true given it all blackholes). I can't understand why the route blackholes, though, when there is a lower-distance route available.
I am sure I am missing something really obvious as I've not done this for a long time. I've checked against other sites with the same setup and can't see what I have done wrong, but I am going blind to the setups now as I have stared at them so much.
Thanks for any help in advance.
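Added example (not part of the post above, and not Fortinet code): a small Python model of how a FortiGate-style route lookup chooses between the two wizard-created routes. The key behaviour it models is that a static route pointing at a tunnel interface is only installed while that interface is up; a blackhole route has no link state and is always eligible. So while the tunnel is down, the only active route for 10.200.1.0/24 is the blackhole at distance 254, and route lookup landing on it is expected, not a misconfiguration. The interface name `vpn_to_site2` and the host addresses are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR prefix, e.g. "10.200.1.0/24"
    interface: str     # egress interface, or "blackhole"
    distance: int      # administrative distance (lower wins)


def active_routes(routes, iface_up):
    """Return only routes that would be installed in the routing table.

    A blackhole route is always active. Any other route is active only
    while its egress interface is up (a down IPsec tunnel drops its route).
    """
    return [
        r for r in routes
        if r.interface == "blackhole" or iface_up.get(r.interface, False)
    ]


def lookup(dst_ip, routes, iface_up):
    """Longest-prefix match among active routes, then lowest distance."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [
        r for r in active_routes(routes, iface_up)
        if ip in ipaddress.ip_network(r.destination)
    ]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.destination).prefixlen, r.distance),
    )


# Site 1's two wizard-created routes for the remote subnet (from the post);
# the tunnel interface name is an assumption.
SITE1_ROUTES = [
    Route("10.200.1.0/24", "vpn_to_site2", 10),
    Route("10.200.1.0/24", "blackhole", 254),
]


def resolve(dst_ip, tunnel_up):
    """Which interface Site 1 would use for dst_ip given the tunnel state."""
    r = lookup(dst_ip, SITE1_ROUTES, {"vpn_to_site2": tunnel_up})
    return r.interface if r else "no route"


if __name__ == "__main__":
    # Constructed sample host on the Site 2 LAN
    print("tunnel down:", resolve("10.200.1.10", False))  # blackhole
    print("tunnel up:  ", resolve("10.200.1.10", True))   # vpn_to_site2
    print("other net:  ", resolve("10.200.5.1", True))    # no route
```

The model shows why the distance-10 route never competes while the tunnel is down: it is not in the table at all, so distance is never compared. On a real FortiGate, `get router info routing-table all` lists only installed routes, while `get router info routing-table database` also shows inactive ones (including the tunnel route waiting for the interface to come up), which is the quickest way to confirm that the route exists and is merely inactive. The blackhole at 254 is there on purpose, so that traffic for the remote subnet is dropped rather than leaking out the default route while the tunnel is down.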