Support Forum
Alimov
New Contributor II

Routing and vpn tunnels

Hello colleagues. There are two FGTs: 1 - 100D; 2 - 80C (OS 5.2). I implemented this scheme: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/redundant-tunnel.121.08.html Everything works. The actual schema looks like this: [diagram not included]

Routes on FGT1: [screenshot not included]

Routes on FGT2: [screenshot not included]

Now I have this task: if a user in site 1 has connected over RDP to the Terminal Server in site 2 and launched a terminal session, all Internet traffic goes directly out of wan1 on FGT2. What do I need to do so that this traffic is sent back to site 1 and goes outward through wan1 on FGT1 from there? Please tell me what I need to do.
Alimov
New Contributor II

FGT80C3912606373 # dia deb reset
FGT80C3912606373 # dia deb en
FGT80C3912606373 # dia deb flow filter addr 208.91.112.199
FGT80C3912606373 # dia deb flow show cons en
show trace messages on console
FGT80C3912606373 # dia deb flow trace start 20
FGT80C3912606373 # id=20085 trace_id=21 msg="vd-root received a packet(proto=1, 192.168.50.110:512->208.91.112.199:8) from internal."
id=20085 trace_id=21 msg="allocate a new session-00000974"
id=20085 trace_id=21 msg="find a route: gw-84.52.127.65 via wan1"
id=20085 trace_id=21 msg="use addr/intf hash, len=2"
id=20085 trace_id=21 msg="find SNAT: IP-84.52.127.77, port-62464"
id=20085 trace_id=21 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=21 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=22 msg="vd-root received a packet(proto=1, 208.91.112.199:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=22 msg="Find an existing session, id-00000974, reply direction"
id=20085 trace_id=22 msg="DNAT 84.52.127.77:0->192.168.50.110:512"
id=20085 trace_id=22 msg="find a route: gw-192.168.50.110 via internal"
id=20085 trace_id=23 msg="vd-root received a packet(proto=1, 192.168.50.110:512->208.91.112.199:8) from internal."
id=20085 trace_id=23 msg="Find an existing session, id-00000974, original direction"
id=20085 trace_id=23 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=24 msg="vd-root received a packet(proto=1, 208.91.112.199:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=24 msg="Find an existing session, id-00000974, reply direction"
id=20085 trace_id=24 msg="DNAT 84.52.127.77:0->192.168.50.110:512"
id=20085 trace_id=25 msg="vd-root received a packet(proto=1, 192.168.50.110:512->208.91.112.199:8) from internal."
id=20085 trace_id=25 msg="Find an existing session, id-00000974, original direction"
id=20085 trace_id=25 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=26 msg="vd-root received a packet(proto=1, 208.91.112.199:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=26 msg="Find an existing session, id-00000974, reply direction"
id=20085 trace_id=26 msg="DNAT 84.52.127.77:0->192.168.50.110:512"
id=20085 trace_id=27 msg="vd-root received a packet(proto=1, 192.168.50.110:512->208.91.112.199:8) from internal."
id=20085 trace_id=27 msg="Find an existing session, id-00000974, original direction"
id=20085 trace_id=27 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=28 msg="vd-root received a packet(proto=1, 208.91.112.199:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=28 msg="Find an existing session, id-00000974, reply direction"
id=20085 trace_id=28 msg="DNAT 84.52.127.77:0->192.168.50.110:512"

---------------------------------------------------------------------------------------------------------------------

FGT80C3912606373 # dia deb reset
FGT80C3912606373 # dia deb en
FGT80C3912606373 # dia deb flow filter addr 178.217.168.213
FGT80C3912606373 # dia deb flow show cons en
show trace messages on console
FGT80C3912606373 # dia deb flow trace start 20
FGT80C3912606373 # id=20085 trace_id=49 msg="vd-root received a packet(proto=1, 192.168.50.110:512->178.217.168.213:8) from internal."
id=20085 trace_id=49 msg="allocate a new session-00000a81"
id=20085 trace_id=49 msg="find a route: gw-84.52.127.65 via wan1"
id=20085 trace_id=49 msg="use addr/intf hash, len=2"
id=20085 trace_id=49 msg="find SNAT: IP-84.52.127.77, port-62464"
id=20085 trace_id=49 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=49 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=50 msg="vd-root received a packet(proto=1, 178.217.168.213:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=50 msg="Find an existing session, id-00000a81, reply direction"
id=20085 trace_id=50 msg="DNAT 84.52.127.77:0->192.168.50.110:512"
id=20085 trace_id=50 msg="find a route: gw-192.168.50.110 via internal"
id=20085 trace_id=51 msg="vd-root received a packet(proto=1, 192.168.50.110:512->178.217.168.213:8) from internal."
id=20085 trace_id=51 msg="Find an existing session, id-00000a81, original direction"
id=20085 trace_id=51 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=52 msg="vd-root received a packet(proto=1, 178.217.168.213:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=52 msg="Find an existing session, id-00000a81, reply direction"
id=20085 trace_id=52 msg="DNAT 84.52.127.77:0->192.168.50.110:512"
id=20085 trace_id=53 msg="vd-root received a packet(proto=1, 192.168.50.110:512->178.217.168.213:8) from internal."
id=20085 trace_id=53 msg="Find an existing session, id-00000a81, original direction"
id=20085 trace_id=53 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=54 msg="vd-root received a packet(proto=1, 178.217.168.213:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=54 msg="Find an existing session, id-00000a81, reply direction"
id=20085 trace_id=54 msg="DNAT 84.52.127.77:0->192.168.50.110:512"
id=20085 trace_id=55 msg="vd-root received a packet(proto=1, 192.168.50.110:512->178.217.168.213:8) from internal."
id=20085 trace_id=55 msg="Find an existing session, id-00000a81, original direction"
id=20085 trace_id=55 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=56 msg="vd-root received a packet(proto=1, 178.217.168.213:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=56 msg="Find an existing session, id-00000a81, reply direction"
id=20085 trace_id=56 msg="DNAT 84.52.127.77:0->192.168.50.110:512"
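As an added example (not code from the thread), a small Python parser for `diagnose debug flow` output like the trace above: it groups messages by trace_id, records the ingress interface, the route chosen and the SNAT applied, and flags newly created sessions whose egress interface is not the expected tunnel (here assumed to be `Site_2_A`), which is exactly the symptom in the trace (new sessions from 192.168.50.110 leaving via wan1). The sample lines are constructed from the posted trace.

```python
import re

# Constructed sample in the format of FortiOS "diagnose debug flow" output; values are
# copied from the trace posted above (one new session and one reply packet).
SAMPLE_TRACE = """\
id=20085 trace_id=21 msg="vd-root received a packet(proto=1, 192.168.50.110:512->208.91.112.199:8) from internal."
id=20085 trace_id=21 msg="allocate a new session-00000974"
id=20085 trace_id=21 msg="find a route: gw-84.52.127.65 via wan1"
id=20085 trace_id=21 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=21 msg="SNAT 192.168.50.110->84.52.127.77:62464"
id=20085 trace_id=22 msg="vd-root received a packet(proto=1, 208.91.112.199:62464->84.52.127.77:0) from wan1."
id=20085 trace_id=22 msg="Find an existing session, id-00000974, reply direction"
id=20085 trace_id=22 msg="DNAT 84.52.127.77:0->192.168.50.110:512"
id=20085 trace_id=22 msg="find a route: gw-192.168.50.110 via internal"
"""

LINE_RE = re.compile(r'trace_id=(\d+) msg="\s*(.*)"$')
# (pattern, handler) pairs: each message type yields the fields it carries.
HANDLERS = [
    (re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.'),
     lambda g: {"proto": int(g[0]), "src": g[1], "dst": g[2], "ingress": g[3]}),
    (re.compile(r'find a route: gw-(\S+) via (\S+)'),
     lambda g: {"gateway": g[0], "egress": g[1]}),
    (re.compile(r'allocate a new session-(\w+)'),
     lambda g: {"session": g[0], "direction": "original"}),
    (re.compile(r'Find an existing session, id-(\w+), (\w+) direction'),
     lambda g: {"session": g[0], "direction": g[1]}),
    (re.compile(r'^SNAT (\S+)->(\S+)$'), lambda g: {"snat": g[1]}),
    (re.compile(r'Allowed by Policy-(\d+)'), lambda g: {"policy": int(g[0])}),
]

def parse_flow(text):
    """Group debug-flow messages by trace_id and collect the forwarding decision per trace."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt echo or other console noise
        t = traces.setdefault(m.group(1), {"trace_id": m.group(1)})
        for pattern, handler in HANDLERS:
            hit = pattern.search(m.group(2))
            if hit:
                t.update(handler(hit.groups()))
                break
    return list(traces.values())

def unexpected_egress(traces, expected):
    """trace_ids of newly created sessions routed out an interface other than the expected one."""
    return [t["trace_id"] for t in traces
            if t.get("direction") == "original" and "egress" in t and t["egress"] != expected]
```

Run it against a saved console capture to confirm, after the PBR change, that new sessions from the 192.168.50.0/24 hosts report `via Site_2_A` rather than `via wan1`.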
hklb
Contributor II

It's strange.. Normally with your PBR you should be routed through Site_2_A.. Could you please show the output of:

show full router policy
get vpn ipsec tunnel summary
Alimov
New Contributor II

Connected

FGT80C3912606373 # show ful router policy
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.50.0/24"
        set src-negate disable
        set dst "0.0.0.0/0"
        set dst-negate disable
        set action permit
        set protocol 0
        set gateway 0.0.0.0
        set output-device "Site_2_A"
        set tos 0x00
        set tos-mask 0x00
        set comments ''
    next
end

FGT80C3912606373 # get vpn ipsec tunnel summary
'Site_2_A' 80.246.254.150:0 selectors(total,up): 1/1 rx(pkt,err): 13984/0 tx(pkt,err): 16159/47
'Site_2_B' 88.52.227.76:0 selectors(total,up): 1/0 rx(pkt,err): 0/0 tx(pkt,err): 0/0
hklb
Contributor II

Hello, I finally found the solution! You need to configure an IP address on your tunnel interfaces. On FGT1:

conf sys inter
    edit Site_1_A
        set ip 192.0.2.1 255.255.255.255
        set remote-ip 192.0.2.2
    next
    edit Site_1_C
        set ip 192.0.2.5 255.255.255.255
        set remote-ip 192.0.2.6
    next
end

After that, you will need to set a gateway on your static routes:

conf router static
    edit yourPrimaryRouteToVPNDestination
        set gateway 192.0.2.2
    next
    edit yourSecondaryRouteToVPNDestination
        set gateway 192.0.2.6
    next
end

On FGT2, you need to do the same (but inverse the IPs..). And finally, you will need to set the gateway to 192.0.2.2 in your PBR:

config router policy
    edit 1
        set input-device "internal"
        set src "192.168.50.0/24"
        set src-negate disable
        set dst "0.0.0.0/0"
        set dst-negate disable
        set action permit
        set protocol 0
        set gateway 192.0.2.2
        set output-device "Site_2_A"
        set tos 0x00
        set tos-mask 0x00
        set comments ''
    next
end

Normally, this time it should work!
hklb
Contributor II

Another thing. I did a dia sys session clear -> it clears all current sessions (be careful, sometimes database servers or other servers don't like that). Like this, the FortiGate clears the route cache. But it's not the better way (I think).. But I didn't find a better solution. So if anyone has a better solution to clear the route cache... don't hesitate to share your information!
Alimov
New Contributor II

Dear hklb, I feel that the victory is very close))) There is still a small problem: how do I allow a gateway on the VPN tunnel?

FG100D3G13824836 # conf rout static
FG100D3G13824836 (static) # show
config router static
    edit 1
        set gateway 80.246.254.145
        set device "wan1"
    next
    edit 2
        set dst 192.168.50.0 255.255.255.0
        set distance 1
        set device "Site_1_A"
    next
    edit 4
        set dst 192.168.50.0 255.255.255.0
        set distance 2
        set device "Site_1_C"
    next
    edit 5
        set dst 192.168.100.0 255.255.255.0
        set gateway 192.168.254.250
        set device "lan"
    next
    edit 6
        set dst 192.168.110.0 255.255.255.0
        set gateway 192.168.254.250
        set device "lan"
    next
    edit 7
        set dst 192.168.120.0 255.255.255.0
        set gateway 192.168.254.250
        set device "lan"
    next
end

FG100D3G13824836 (static) # edit 4
FG100D3G13824836 (4) # set gateway 192.0.2.2
command parse error before 'gateway'
Command fail. Return code -61
ede_pfau
SuperUser

You can set a filter to only delete certain sessions, not all: diag sys session filter ...
Ede Kernel panic: Aiee, killing interrupt handler!
hklb
Contributor II

I tried with a filter (with src and/or dst), but the route was always there. Did you have a command to see the route cache? I didn't find it anymore..
ede_pfau
SuperUser

 diag ip rtcache list
Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau
SuperUser

@Alimov:
 set dynamic-gateway enable
...but this is a quick one, I haven't looked up what this will do. I am assuming it will dynamically insert a route to the remote end.
Ede Kernel panic: Aiee, killing interrupt handler!