Hi,
I have small issue,
Imaging you have a IPSEC tunnel in interface mode.
Before the tunnel is up, someone pings an IP on the other side, and because the tunnel is not yet up, the default route sends it to wan1 (Internet), no answer of course.
Then the tunnel comes up and populates the routing table, but still the pings are sent to WAN1 because the session is already established with WAN1, is there a way to re-evaluate the sessions when something happens in the routing table ?
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Remember that the default route will only be used (or of concern) if you do not have any information about the destination network. That is not the case with VPN proteced networks - usually (99.9%) they use an IP range from RFC 1918.
I am using blackhole routes for some time now to prevent VPN-internal traffic to follow the default route.
For convenience, I attach the 'blackhole routes all RFC1918.bcmd' file. It creates bh routes for all private networks which are listed in RFC1918. Running the script will not overwrite any existing routes or override them. Just in case there is no matching route the bh route will kick in.
(I have to rename the script to bla.bcmd.txt to be able to upload it...)
In System > Config > Advanced, load the above script from my post. It will install black hole routes for all private (RFC1918) networks, like 192.168.x.y., 172.16.a.b, 10.p.q.r etc.
How it works:
While a route-based VPN has the tunnel up, it's route will be used. If the tunnel goes down (for whatever reason) the black hole route will be used (it's distance is higher than any useable real route - 254). This will discard tunnel traffic - no data will leak via the WAN interface and no session will be created. When the tunnel is renegotiated it's route can be installed immediately, with no delay, and a session established.
These black hole routes cannot do any harm; you can leave them installed. In fact, they should be part of the default configuration (factoryreset)...there cannot be any route for one of these networks which is less important.
I never seen that behavior but the forward route table should send packet if the route exists. BCPs from fortinet suggest for route-based vpns, that you install a 2nd blackhole route for this exact reason and to keep leakage at bay
i.e
route#1 VPN-Tunnel admin dist 1
route#2 blackhole admin dist 250
PCNSE
NSE
StrongSwan
I agree on the security aspect,
However, my main concern is that the traffic is not routed to the right destination. I have seen this behavior on and off since FortiOS 3.0. I can probably fix it by using policy based routing, but that´s not a good solution in the end.
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Maybe something with route-maps?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Clear text session can't be re-evaluated to tunnel interface. I am not sure what is coding level challange/logic but this is the case.
This is also the same case with Juniper Netscreen/SRX.
As emnoc mentioned we need to create a blackhole route with higher AD than vpn route for these two advantage:
1) Security aspect
2) There will be no session created when the vpn is down ( so no session with wrong interface and no need or session re-evaluation)
As soon as the vpn route comes up correct session will be created (as vpn route will be preferred over blackhole route)
ashukla wrote:Clear text session can't be re-evaluated to tunnel interface. I am not sure what is coding level challange/logic but this is the case.
This is also the same case with Juniper Netscreen/SRX.
As emnoc mentioned we need to create a blackhole route with higher AD than vpn route for these two advantage:
1) Security aspect
2) There will be no session created when the vpn is down ( so no session with wrong interface and no need or session re-evaluation)
As soon as the vpn route comes up correct session will be created (as vpn route will be preferred over blackhole route)
Ok, thank you, so I guess I need to:
1. Increase "Distance" for my 0.0.0.0 route to let´s say 100
2. Set a blackhole routing for x.x.x.x to let´s say 99
3. Leave the distance for my VPN net x.x.x.x to 10 (default).
This way the session will be caught at the blackhole routing when the vpn is down and it won´t reach my default route as it has a higher distance ?
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Selective wrote:ashukla wrote:Clear text session can't be re-evaluated to tunnel interface. I am not sure what is coding level challange/logic but this is the case.
This is also the same case with Juniper Netscreen/SRX.
As emnoc mentioned we need to create a blackhole route with higher AD than vpn route for these two advantage:
1) Security aspect
2) There will be no session created when the vpn is down ( so no session with wrong interface and no need or session re-evaluation)
As soon as the vpn route comes up correct session will be created (as vpn route will be preferred over blackhole route)
Ok, thank you, so I guess I need to:
1. Increase "Distance" for my 0.0.0.0 route to let´s say 100
2. Set a blackhole routing for x.x.x.x to let´s say 99
3. Leave the distance for my VPN net x.x.x.x to 10 (default).
This way the session will be caught at the blackhole routing when the vpn is down and it won´t reach my default route as it has a higher distance ?
In route lookup prefix match happens first and prefix will be same for vpn and blackhole route so we need to make sure that vpn route has lower distance that blackhole route.
So for vpn traffic either of the two routes will match anytime, so you don't need to do any AD change in default route.
Ok, I´ll leave the default route as 10 then.
Let me try this and get back to you.
Thank you!
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Remember that the default route will only be used (or of concern) if you do not have any information about the destination network. That is not the case with VPN proteced networks - usually (99.9%) they use an IP range from RFC 1918.
I am using blackhole routes for some time now to prevent VPN-internal traffic to follow the default route.
For convenience, I attach the 'blackhole routes all RFC1918.bcmd' file. It creates bh routes for all private networks which are listed in RFC1918. Running the script will not overwrite any existing routes or override them. Just in case there is no matching route the bh route will kick in.
(I have to rename the script to bla.bcmd.txt to be able to upload it...)
ede_pfau...I cannot thank you enough.... Our Problem: RDP connections over dialup IPsec tunnels (Forticlient-Fortigate) disconnecting Your post here and your explanations solved a major problem for our company. Trying to work remotely and to establish a lot of Dialup IPsec VPN connections (Forticlient-Fortigate) we have discovered that each time someone connected or disconnected a VPN dialup tunnel, all the other RDP sessions were disconnected and then reconnected in a few seconds. Enough however to mess up all the screens and windows. Not to mention the annoyance of getting that every minute or so. I would have never guessed that a missing route may be the cause of all this. We suspected the internet connections, the congestions and whatever else we could think of, except routes. IMO that should not have been the default behaviour of Fortigate firewalls and these routes should have been implicit. Many thanks again ! All the best !
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1522 | |
1020 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.