Hi all
I have the following configuration:
Site A and site B, both with 2 WAN connections, connected to each other via 4 IPsec tunnels (A1<->B1, A2<->B1, A1<->B2, A2<->B2).
On each tunnel I have the same phase 2s and the same routes, the latter with different distances.
The 4 VPN interfaces are grouped in one zone on both sides.
Now I need to route all the traffic coming from a specific IP in office B and directed towards a specific IP in office A through a specific IPsec tunnel (for example A1<->B2).
In addition to the firewall rules to allow the traffic, I also created a policy route, but the traffic continues to pass through the tunnel with the minimum-distance route.
Any hint to improve and/or debug the issue? Is there something I should be aware of that I'm clearly missing?
Thank you in advance
Solved! Go to Solution.
A couple of basic rules to remember:
1, Between a /16 and a /24 route, the longest prefix will always win (/24; using these just as examples)
2, Between routes with identical prefix length, the better (lower) admin distance will always win; the worse admin distance route will not appear in the routing table at all (!!!)
3, Policy routes operate on top of the regular routing table (a valid route over the desired egress interface must exist in the routing table)
Pay attention especially to combinations of #2 and #3. I imagine that this could potentially be your issue:
- /24 route via A2-B1, admin distance 10
- /24 route via A1-B2, admin distance 20
- policy route saying "route from <srcip> to <dst within the /24> via A1-B2"
This setup will "fail" because the second route (admin distance 20) will not be present in the routing table, therefore the policy route will not be active at all.
This is a common misconfiguration. If it is your case as well, the solution is to use equal distances for the "duplicate" routes (to keep both in the routing table), but set the generally preferred route to a better (lower) priority value (= this route will always be used for egress, unless down or overridden by a policy route).
Hi @nenonano,
Policy route is the right path. However, please make sure both tunnels have the same administrative distance. You can give them different priority instead. Both routes need to be in the routing table in order for policy route to work. You can check the routing table by running "get router info routing-table all"
Regards,
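The two replies above describe the same selection logic: only routes with the best distance for a prefix are installed, priority breaks ties among installed routes, and a policy route is only honored when the routing table already holds a route to the destination over the policy's egress interface. The following Python model is an added example (not code from the thread or from Fortinet) that reproduces those rules and shows the misconfigured table beside the corrected one. All addresses, tunnel names and the `StaticRoute`/`PolicyRoute` structures are constructed for illustration; the real device is checked with "get router info routing-table all" as the second reply says.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class StaticRoute:
    prefix: str        # destination prefix, e.g. "10.1.0.0/24" (constructed)
    interface: str     # egress tunnel interface, e.g. "A1-B2" (names from the thread)
    distance: int      # administrative distance
    priority: int = 0  # tie-breaker among installed equal-prefix routes; lower wins


@dataclass(frozen=True)
class PolicyRoute:
    src: str            # source prefix the policy matches
    dst: str            # destination prefix the policy matches
    out_interface: str  # interface the policy wants to force


def build_rib(static_routes):
    """Rule #2: for each prefix, only candidates sharing the best (lowest)
    distance are installed; higher-distance duplicates are dropped entirely."""
    by_prefix = {}
    for r in static_routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    rib = []
    for candidates in by_prefix.values():
        best = min(c.distance for c in candidates)
        rib.extend(c for c in candidates if c.distance == best)
    return rib


def lookup(rib, dst):
    """Rule #1 then priority: longest prefix wins; among equal prefixes the
    lowest priority value wins."""
    addr = ip_address(dst)
    matches = [r for r in rib if addr in ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen, r.priority))


def select_egress(rib, policy_routes, src, dst):
    """Rule #3: a matching policy route is active only if the RIB already has a
    route to dst over its out_interface; otherwise fall back to regular lookup.
    Returns (interface, reason)."""
    s, d = ip_address(src), ip_address(dst)
    for p in policy_routes:
        if s in ip_network(p.src) and d in ip_network(p.dst):
            usable = [r for r in rib
                      if d in ip_network(r.prefix) and r.interface == p.out_interface]
            if usable:
                return p.out_interface, "policy"
            break  # policy matched but has no backing route: ignored
    r = lookup(rib, dst)
    return (r.interface if r else None), "static"


# Constructed policy: host 10.2.0.50 in office B must reach the 10.1.0.0/24
# office A subnet via tunnel A1-B2.
POLICY = [PolicyRoute("10.2.0.50/32", "10.1.0.0/24", "A1-B2")]

# The misconfiguration from the reply: duplicate /24 with different distances.
MISCONFIGURED = [
    StaticRoute("10.1.0.0/24", "A2-B1", distance=10),
    StaticRoute("10.1.0.0/24", "A1-B2", distance=20),
]

# The fix: equal distance, preferred tunnel gets the lower priority value.
# A /16 over another tunnel is added to show longest-prefix selection.
FIXED = [
    StaticRoute("10.1.0.0/24", "A2-B1", distance=10, priority=0),
    StaticRoute("10.1.0.0/24", "A1-B2", distance=10, priority=10),
    StaticRoute("10.1.0.0/16", "A2-B2", distance=10, priority=0),
]


def egress_for(static_routes, src, dst):
    """Convenience wrapper: build the RIB from static routes and pick egress."""
    return select_egress(build_rib(static_routes), POLICY, src, dst)


if __name__ == "__main__":
    for label, table in (("misconfigured", MISCONFIGURED), ("fixed", FIXED)):
        installed = [(r.prefix, r.interface) for r in build_rib(table)]
        print(f"{label}: installed={installed}")
        print("  10.2.0.50 -> 10.1.0.10:", egress_for(table, "10.2.0.50", "10.1.0.10"))
        print("  10.2.0.51 -> 10.1.0.10:", egress_for(table, "10.2.0.51", "10.1.0.10"))
```

With the misconfigured table the A1-B2 route never enters the RIB, so the policy route silently has nothing to act on and the flow takes A2-B1. With equal distances both routes are installed; the policy-matched host goes out A1-B2, while every other host still follows the lower-priority-value route A2-B1, which is exactly the behaviour the OP wanted.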
Hi there
Setting the correct distance and priority solved my issue; now I see the traffic flowing through the right tunnel.
Thank you
Copyright 2024 Fortinet, Inc. All Rights Reserved.