Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Carl_Wallmark
Valued Contributor

Re-evaluate sessions

Hi,

 

I have small issue,

 

Imaging you have a IPSEC tunnel in interface mode.

 

Before the tunnel is up, someone pings an IP on the other side, and because the tunnel is not yet up, the default route sends it to wan1 (Internet), no answer of course.

 

Then the tunnel comes up and populates the routing table, but still the pings are sent to WAN1 because the session is already established with WAN1, is there a way to re-evaluate the sessions when something happens in the routing table ?

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
2 Solutions
ede_pfau
Esteemed Contributor III

Remember that the default route will only be used (or of concern) if you do not have any information about the destination network. That is not the case with VPN proteced networks - usually (99.9%) they use an IP range from RFC 1918.

 

I am using blackhole routes for some time now to prevent VPN-internal traffic to follow the default route.

For convenience, I attach the 'blackhole routes all RFC1918.bcmd' file. It creates bh routes for all private networks which are listed in RFC1918. Running the script will not overwrite any existing routes or override them. Just in case there is no matching route the bh route will kick in.

 

(I have to rename the script to bla.bcmd.txt to be able to upload it...)


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
ede_pfau
Esteemed Contributor III

In System > Config > Advanced, load the above script from my post. It will install black hole routes for all private (RFC1918) networks, like 192.168.x.y., 172.16.a.b, 10.p.q.r etc.

 

How it works:

While a route-based VPN has the tunnel up, it's route will be used. If the tunnel goes down (for whatever reason) the black hole route will be used (it's distance is higher than any useable real route - 254). This will discard tunnel traffic - no data will leak via the WAN interface and no session will be created. When the tunnel is renegotiated it's route can be installed immediately, with no delay, and a session established.

 

These black hole routes cannot do any harm; you can leave them installed. In fact, they should be part of the default configuration (factoryreset)...there cannot be any route for one of these networks which is less important.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
17 REPLIES 17
emnoc
Esteemed Contributor III

I never seen that behavior but the forward route table should send packet if the route exists. BCPs from fortinet suggest for route-based vpns, that you install a 2nd blackhole route for this exact reason and to keep leakage at bay

 

i.e

 

route#1 VPN-Tunnel admin dist 1

route#2  blackhole admin dist 250

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Carl_Wallmark
Valued Contributor

I agree on the security aspect,

 

However, my main concern is that the traffic is not routed to the right destination. I have seen this behavior on and off since FortiOS 3.0. I can probably fix it by using policy based routing, but that´s not a good solution in the end.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Dave_Hall

Maybe something with route-maps? 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
ashukla_FTNT
Staff
Staff

Clear text session can't be re-evaluated to tunnel interface. I am not sure what is coding level challange/logic but this is the case.

This is also the same case with Juniper Netscreen/SRX.

 

As emnoc mentioned we need to create a blackhole route with higher AD than vpn route for these two advantage:

1) Security aspect 

2) There will be no session created when the vpn is down ( so no session with wrong interface and no need or session re-evaluation)

 

As soon as the vpn route comes up correct session will be created (as vpn route will be preferred over blackhole route)

 

Carl_Wallmark

ashukla wrote:

Clear text session can't be re-evaluated to tunnel interface. I am not sure what is coding level challange/logic but this is the case.

This is also the same case with Juniper Netscreen/SRX.

 

As emnoc mentioned we need to create a blackhole route with higher AD than vpn route for these two advantage:

1) Security aspect 

2) There will be no session created when the vpn is down ( so no session with wrong interface and no need or session re-evaluation)

 

As soon as the vpn route comes up correct session will be created (as vpn route will be preferred over blackhole route)

 

Ok, thank you, so I guess I need to:

 

1. Increase "Distance" for my 0.0.0.0 route to let´s say 100

2. Set a blackhole routing for x.x.x.x to let´s say 99

3. Leave the distance for my VPN net x.x.x.x to 10 (default).

 

This way the session will be caught at the blackhole routing when the vpn is down and it won´t reach my default route as it has a higher distance ?

 

 

 

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
ashukla_FTNT

Selective wrote:

ashukla wrote:

Clear text session can't be re-evaluated to tunnel interface. I am not sure what is coding level challange/logic but this is the case.

This is also the same case with Juniper Netscreen/SRX.

 

As emnoc mentioned we need to create a blackhole route with higher AD than vpn route for these two advantage:

1) Security aspect 

2) There will be no session created when the vpn is down ( so no session with wrong interface and no need or session re-evaluation)

 

As soon as the vpn route comes up correct session will be created (as vpn route will be preferred over blackhole route)

 

Ok, thank you, so I guess I need to:

 

1. Increase "Distance" for my 0.0.0.0 route to let´s say 100

2. Set a blackhole routing for x.x.x.x to let´s say 99

3. Leave the distance for my VPN net x.x.x.x to 10 (default).

 

This way the session will be caught at the blackhole routing when the vpn is down and it won´t reach my default route as it has a higher distance ?

 

In route lookup prefix match happens first and prefix will be same for vpn and blackhole route so we need to make sure that vpn route has lower distance that blackhole route. 

So for vpn traffic either of the two routes will match anytime, so you don't need to do any AD change in default route.

 

 

Carl_Wallmark
Valued Contributor

Ok, I´ll leave the default route as 10 then.

 

Let me try this and get back to you.

 

Thank you!

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
ede_pfau
Esteemed Contributor III

Remember that the default route will only be used (or of concern) if you do not have any information about the destination network. That is not the case with VPN proteced networks - usually (99.9%) they use an IP range from RFC 1918.

 

I am using blackhole routes for some time now to prevent VPN-internal traffic to follow the default route.

For convenience, I attach the 'blackhole routes all RFC1918.bcmd' file. It creates bh routes for all private networks which are listed in RFC1918. Running the script will not overwrite any existing routes or override them. Just in case there is no matching route the bh route will kick in.

 

(I have to rename the script to bla.bcmd.txt to be able to upload it...)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
bogdan_grigorovici

ede_pfau...I cannot thank you enough.... Our Problem: RDP connections over dialup IPsec tunnels (Forticlient-Fortigate) disconnecting Your post here and your explanations solved a major problem for our company. Trying to work remotely and to establish a lot of Dialup IPsec VPN connections (Forticlient-Fortigate) we have discovered that each time someone connected or disconnected a VPN dialup tunnel, all the other RDP sessions were disconnected and then reconnected in a few seconds. Enough however to mess up all the screens and windows. Not to mention the annoyance of getting that every minute or so. I would have never guessed that a missing route may be the cause of all this. We suspected the internet connections, the congestions and whatever else we could think of, except routes. IMO that should not have been the default behaviour of Fortigate firewalls and these routes should have been implicit. Many thanks again ! All the best !

Top Kudoed Authors