Support Forum
Jirka1
Contributor III

Route-Based VPN problem

Hello, I'm trying to set up a site-to-site IPsec VPN between a 60E and a 100D to route all traffic from a specific 60E port into the IPsec tunnel (remote browsing). I used a route-based VPN. The minor problem was with the default router, but it was possible to resolve it by setting priorities. The central unit is the 100D in an A/P cluster. Behind it is a Win2008 server (AD, DNS, DHCP) which, using DHCP relay at the 60E, allocates addresses to clients via the IPsec tunnel. It all works. However, the customer's requirement is also the use of two additional ports on the 60E which must go through the WAN interface directly (with NAT) to the Internet (outside the IPsec tunnel). I set up the interfaces, IP ranges, DHCP, DNS, policies... Unfortunately, the Internet from these networks was inaccessible. I was looking for why, and the problem is the lower priority (2) of the default route for the IPsec tunnel - 0.0.0.0/0 -> TUNNEL - compared to the default route 0.0.0.0/0 -> DEFAULT GW (4). So I tried to use policy routing to define that these two networks should route traffic directly to the WAN. Unfortunately, this is not the case; it does not work. So I set up a policy-based VPN between the 60E and the 100D. Now all networks are working, but traffic generated at the 60E (ping, connecting to FAZ, etc.) all goes through this IPsec tunnel, which is undesirable.

How to best solve this scenario? Ideally using a route-based VPN?

Thank you.

Jirka1
Contributor III

update: If I set both default routes to the same priority (1), it seems everything works well.

edit: after rebooting the FortiGate, the tunnel still works, but the traffic from the FGT does not work again :(

I will test your design with a static routing on a DHCP server and let you know.

 

Anyway, thank you for your help "neighbor":)

oheigl
Contributor II

Ah yeah, that should work too, because you have policy routes for your other interfaces too. Otherwise it would ECMP load-balance your connections; just stick with what you feel most comfortable with.

 

No problem neighbor :) 

Jirka1

Hi, the problem is that I need all traffic from specific subnets/interfaces to go through the tunnel, not only some subnets. And if I create two default routes 0.0.0.0/0 (one with priority 2 to the tunnel and one with priority 4 to the WAN GW), traffic from the interface which I don't want routed to the tunnel is routed to the tunnel :\
Allan_Lago
New Contributor

Hi,

 

Correct me if I'm wrong, you have:

WAN1 interface responsible for the Internet traffic.

Internal2 is your LAN.

XDC is a VLAN tied to Internal2.

UniFi is a VLAN tied to Internal2.

 

You want to route only internal2 through the VPN (IPsec->HQ), right?

 

Same distance means that both the WAN1 and the IPsec route will be active at the same time.

A lower priority on WAN1 means that the traffic will be routed through it while the WAN1 link is active.

config router static
    edit 3
        set gateway 62.xxx.xxx.xxx
        set distance 10
        set priority 1 #Change it to a lower priority than the IPsec Tunnel.
        set device "wan1"
    next
    edit 2
        set distance 10
        set priority 2 #Change it to a higher priority
        set device "IPsec->HQ"
    next
end

 

Now, about your policy routes: you just need to create one from internal2 to IPsec->HQ; all the other interfaces will assume the lower-priority static route.

config router policy
    edit 1
        set input-device "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "IPsec->HQ"
    next
end

 

Try this and give us feedback please; if it doesn't work, post the results for the following commands:

 

show full-configuration system interface wan1

show full-configuration system interface IPsec->HQ

get router info routing-table database

 

Hope it helps

Allan Lago
Security Analyst
allan.lago@itsense.com.br
+55 21 96436-1884
+55 54 99100-0949
https://itsense.com.br
Jirka1

Hi alago,

 

thanks for your feedback.

I tried your cfg with this result:

1) IPsec tunnel is functional
2) other networks (UniFi, XDC) do not work - they do not pass through the FGT

 

cfg:

 

config system interface
    edit "wan1"
        set vdom "root"
        set fortilink disable
        set mode static
        set dhcp-relay-service disable
        set ip 62.xxx.xxx.xxx 255.255.255.192
        set allowaccess ping https ssh snmp
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type physical
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias "WAN"
        set l2tp-client disable
        set security-mode none
        set device-identification disable
        set lldp-transmission vdom
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set vrrp-virtual-mac disable
        set role wan
        set snmp-index 1
        set secondary-IP disable
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set speed auto
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end
config system interface
    edit "IPsec->HQ"
        set vdom "root"
        set distance 5
        set dhcp-relay-service disable
        set ip 0.0.0.0 0.0.0.0
        unset allowaccess
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set icmp-redirect enable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type tunnel
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set remote-ip 0.0.0.0
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set role undefined
        set snmp-index 4
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set wccp disable
        set interface "wan1"
    next
end
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] is directly connected, IPsec->HQ, [2/0]
     *> [10/0] via 62.xxx.xxx.xxx, wan1, [4/0]
C *> 10.33.1.0/24 is directly connected, UniFi
C *> 62.xxx.xxx.xxx/26 is directly connected, wan1
C *> 100.10.20.0/24 is directly connected, XDC
C *> 172.17.14.0/24 is directly connected, internal2
C *> 172.20.0.0/16 is directly connected, XDC-VPN
C *> 192.168.1.0/24 is directly connected, internal

Allan_Lago

Hi,

 

Please run show full-configuration router static and post the result.

Jirka1

config router static
    edit 3
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 62.xxx.xxx.xxx
        set distance 10
        set weight 0
        set priority 4
        set device "wan1"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
    edit 2
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set distance 10
        set weight 0
        set priority 2
        set device "IPsec->HQ"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
end

Allan_Lago

Hi,

 

As I suspected, you forgot to change your priority values. Please change the priority value of the WAN1 route to 10 and of the IPsec route to 20.

 

config router static
    edit 3
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 62.xxx.xxx.xxx
        set distance 10
        set weight 0
        set priority 2
        set device "wan1"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
    edit 2
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set distance 10
        set weight 0
        set priority 4
        set device "IPsec->HQ"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
end

oheigl

That's the exact same thing I told him in my initial post.

Jirka1
Contributor III

Guys, but I tried this!  

 

Now I changed the prio:

config router static

edit 3
set status enable
set dst 0.0.0.0 0.0.0.0
set gateway 62.xxx.xxx.xxx
set distance 10
set weight 0
set priority 10
set device "wan1"
set comment ''
set blackhole disable
set dynamic-gateway disable
set virtual-wan-link disable
set dstaddr ''
unset internet-service
set internet-service-custom ''
set link-monitor-exempt disable
next
edit 2
set status enable
set dst 0.0.0.0 0.0.0.0
set distance 10
set weight 0
set priority 20
set device "IPsec->HQ"
set comment ''
set blackhole disable
set dynamic-gateway disable
set virtual-wan-link disable
set dstaddr ''
unset internet-service
set internet-service-custom ''
set link-monitor-exempt disable
next
end

 

config router policy
edit 1
set input-device "internal2"
set srcaddr "all"
set src-negate disable
set dstaddr "all"
set dst-negate disable
set action permit
set protocol 0
set gateway 0.0.0.0
set output-device "IPsec->HQ"
set tos 0x00
set tos-mask 0x00
set status enable
set comments ''
next
end


S *> 0.0.0.0/0 [10/0] via 62.xxx.xxx.xxx, wan1, [10/0]
*> [10/0] is directly connected, IPsec->HQ, [20/0]
C *> 10.33.1.0/24 is directly connected, UniFi
C *> 62.xxx.xxx.xxx/26 is directly connected, wan1
C *> 100.10.20.0/24 is directly connected, XDC
C *> 172.17.14.0/24 is directly connected, internal2
C *> 172.20.0.0/16 is directly connected, XDC-VPN
C *> 192.168.1.0/24 is directly connected, internal

 

config firewall policy
edit 4
set uuid 16b6d6f2-90a9-51e7-50d6-28c75b7038db
set srcintf "UniFi"
set dstintf "wan1"
set srcaddr "UniFiGuest"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 5
set uuid 328c1e1e-90a9-51e7-a976-255cf2cc7aae
set srcintf "XDC"
set dstintf "wan1"
set srcaddr "XDC"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
edit 3
set uuid 4bf13740-9144-51e7-86ff-1d4e03ca6ca3
set srcintf "internal2"
set dstintf "IPsec->HQ"
set srcaddr "CUST LAN"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 6
set uuid 56347e10-9144-51e7-ffac-a6f54c96de19
set srcintf "IPsec->HQ"
set dstintf "internal2"
set srcaddr "all"
set dstaddr "CUST LAN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end

 

The IPsec tunnel is UP, but the other networks (XDC, UniFi) are down...
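To make the selection order the whole thread relies on explicit (a matching policy route is used first, then longest prefix match, then the lower priority value between two equal-distance default routes), here is an added Python model; it is not FortiOS code or anything posted in the thread, and the host addresses, the 203.0.113.5 Internet destination and the 62.0.0.1 stand-in for the masked WAN address are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed model (not FortiOS code) of the forwarding decision the thread argues about.
CONNECTED = [("10.33.1.0/24", "UniFi"), ("100.10.20.0/24", "XDC"),
             ("172.17.14.0/24", "internal2"), ("192.168.1.0/24", "internal")]
# Policy route from the thread: input-device internal2, any src/dst -> IPsec->HQ
POLICY_ROUTES = [("internal2", "0.0.0.0/0", "0.0.0.0/0", "IPsec->HQ")]

def build_fib(static_routes, connected):
    """Installed routes as (network, device, priority). Connected routes are always
    installed; for each static prefix only the lowest-distance entries make it in,
    so two defaults with equal distance are BOTH active and priority must decide."""
    fib = [(ipaddress.ip_network(p), dev, 0) for p, dev in connected]
    by_prefix = defaultdict(list)
    for dst, dev, distance, priority in static_routes:
        by_prefix[dst].append((distance, priority, dev))
    for dst, entries in by_prefix.items():
        best = min(e[0] for e in entries)
        fib += [(ipaddress.ip_network(dst), dev, prio)
                for dist, prio, dev in entries if dist == best]
    return fib

def lookup(fib, policy_routes, in_dev, src, dst):
    """Egress device: policy routes are checked first (top-down, on input device, src
    and dst), then longest prefix match, then the LOWER priority value wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pin, psrc, pdst, out in policy_routes:
        if pin == in_dev and s in ipaddress.ip_network(psrc) and d in ipaddress.ip_network(pdst):
            return out
    matches = [m for m in fib if d in m[0]]
    if not matches:
        return None
    longest = max(m[0].prefixlen for m in matches)
    return min((m for m in matches if m[0].prefixlen == longest), key=lambda m: m[2])[1]

def thread_scenario(wan_prio, ipsec_prio, internet="203.0.113.5"):
    """Egress per source for the two equal-distance defaults at the given priorities.
    Key None is traffic the FortiGate itself originates (no input device)."""
    statics = [("0.0.0.0/0", "wan1", 10, wan_prio), ("0.0.0.0/0", "IPsec->HQ", 10, ipsec_prio)]
    fib = build_fib(statics, CONNECTED)
    hosts = {"internal2": "172.17.14.10", "UniFi": "10.33.1.10",  # constructed hosts
             "XDC": "100.10.20.10", None: "62.0.0.1"}             # 62.0.0.1 stands in for the masked WAN IP
    return {dev: lookup(fib, POLICY_ROUTES, dev, ip, internet) for dev, ip in hosts.items()}
```

thread_scenario(10, 20) sends UniFi, XDC and the FortiGate's own traffic out wan1 while internal2 still reaches the tunnel through the policy route, whereas thread_scenario(4, 2) reproduces the original complaint of everything without a policy route landing in the tunnel.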
