I am trying to setup a new site with a new Fortigate at it and put an IPsec tunnel between it and the parent site. I have done this before but am having what I think are routing issues.
Site 1 - Firewall 1 (300E cluster running 6.2.4) IP Range - 10.200.0.0/24
Existing firewall running multiple services.
Configured a spare interface with 10.200.0.254/24 and enabled DHCP on that interface
Created a site-to-site IPsec VPN with 10.200.0.0/24 as local subnet and 10.200.1.0/24 as remote. Wizard created all rules and routes etc.
Static route were created by VPN wizard for 10.200.1.0 as follows: Route 1: Destination (10.200.1.0/24), Interface (VPN Tunnel), Distance (10) Route 2: Destination (10.200.1.0/24), Interface (Blackhole), Distance (254)
Site 2 - Firewall 2 (100E running 6.4.4 - upgraded from 6.2.7 when I had issues) IP Range - 10.200.1.0/24
New firewall just for this purpose
Configured a spare interface with 10.200.1.254/25 and enabled DHCP on that interface
Created a site-to-site IPsec VPN with 10.200.1.0/24 as local subnet and 10.200.0.0/24 as remote. Wizard created all rules and routes etc.
Static route were created by VPN wizard for 10.200.0.0 as follows:
Route 1: Destination (10.200.0.0/24), Interface (VPN Tunnel), Distance (10) Route 2: Destination (10.200.0.0/24), Interface (Blackhole), Distance (254)
I am not able to bring the tunnel up yet so have tested using route lookup and policy lookup to make sure everything is in place for when tunnel is up. Route lookup hits the blackhole so no use. Policy lookup says no route (which is technically true given it all blackholes). I can't understand why the route blackholes though when there is a lower distance route available.
I am sure I am missing something really obvious as I've not done this for a long time. I've checked against other sites with same setup and can't see what I have done wrong, but I am going blind to the setups now a I have stared at them so much.
Thanks for any help in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
"I am not able to bring the tunnel up yet so have tested using route lookup and policy lookup to make sure everything is in place for when tunnel is up"
So how are you testing? (diag firewall iprope lookup) And what is in the route-table local|remote firewalls?
Ken Felix
PCNSE
NSE
StrongSwan
I just used the "policy lookup" and "route lookup" in the GUI. Simple, but usually matches a route/policy if things work even when the interfaces are down. Doesn't test but does tell me if there is a route or policy out, and in this case it matches the blackhole route and not the actual route.
But if the vpn is down that would be the normal behavior to match the BH rule. That is why I asked. What does your "get router info routing all" show in the local and remote FGT rib ?
Ken Felix
PCNSE
NSE
StrongSwan
I could have sworn that I had done this before and not had to have the interface up, but it was a while ago and I could be remembering incorrectly.
Remote FW routing shows:
S 10.200.0.0/24 [254/0] is a summary, Null
Local FW shows:
S 10.200.1.0/24 [254/0] is a summary, Null
I assume from what you say that the null is because the tunnel is down so there is no "live" route to that subnet.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.