Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nenonano
New Contributor

Created on ‎09-19-2023 08:20 AM

S2S ipsec, route specific traffic through specific tunnel

Hi all
I have the following configuration:
site A and site B, both with 2 wan connections, connected to each other via 4 ipsec tunnels (A1<->B1, A2<->B1, A1<->B2, A2<->B2)
on each tunnel I have the same phases2 and the same routes, the latter with different distances.
the 4 VPN interfaces are grouped in one zone on both sides.
Now I need to rotate all the traffic coming from a specific IP from office B and directed towards a specific IP in office A through a specific IPsec tunnel (for example A1<->B2)
in addition to the fw rules to allow traffic, I also created a route policy, but the traffic continues to pass through the tunnel with the minimum distance route
any hint to improve and/or debug the issue? is there I'd be aware of and that I'm clearly ignoring?
Thank you in advance

Labels:
1104
0 Kudos
1 Solution
pminarik
Staff
Staff

Created on ‎09-19-2023 08:41 AM

Couple basic rules to remember:

1, Between a /16 /24 route, the longest prefix will always win (/24; using these just as examples)

2, Between routes with identical prefix length, the better (lower) admin distance will always win, the worse admin distance route will not appear in the routing table at all (!!!)

3, Policy routes operate on top of the regular routing table (a valid route over the desired egress interface must exist in the routing table)

 

Pay attention especially to combinations of #2 and #3. I imagine that this could potentially be your issue:

- /24 route via A2-B1, admin distance 10

- /24 route via A1-B2, admin distance 20

- policy route saying "route from <srcip> to <dst within the /24> via A1-B2

This setup will "fail" because the second route (admin distance 20) will not be present in the routing table, therefore the policy route will not be active at all.

 

This is a common misconfiguration. If it is your case as well, the solution is to use equal distances for the "duplicate" routes (to keep both in the routing table), but set the generally prefered route to a better (lower) priority value (= this route will always be used for egress, unless down or overridden by a policy route).

[ corrections always welcome ]

View solution in original post

1096
0 Kudos
3 REPLIES 3
pminarik
Staff
Staff

Created on ‎09-19-2023 08:41 AM

Couple basic rules to remember:

1, Between a /16 /24 route, the longest prefix will always win (/24; using these just as examples)

2, Between routes with identical prefix length, the better (lower) admin distance will always win, the worse admin distance route will not appear in the routing table at all (!!!)

3, Policy routes operate on top of the regular routing table (a valid route over the desired egress interface must exist in the routing table)

 

Pay attention especially to combinations of #2 and #3. I imagine that this could potentially be your issue:

- /24 route via A2-B1, admin distance 10

- /24 route via A1-B2, admin distance 20

- policy route saying "route from <srcip> to <dst within the /24> via A1-B2

This setup will "fail" because the second route (admin distance 20) will not be present in the routing table, therefore the policy route will not be active at all.

 

This is a common misconfiguration. If it is your case as well, the solution is to use equal distances for the "duplicate" routes (to keep both in the routing table), but set the generally prefered route to a better (lower) priority value (= this route will always be used for egress, unless down or overridden by a policy route).

[ corrections always welcome ]
1097
0 Kudos
hbac
Staff
Staff

Created on ‎09-19-2023 11:52 AM

Hi @nenonano

 

Policy route is the right path. However, please make sure both tunnels have the same administrative distance. You can give them different priority instead. Both routes need to be in the routing table in order for policy route to work. You can check the routing table by running "get router info routing-table all" 

 

Regards, 

1070
0 Kudos
nenonano
New Contributor

Created on ‎09-20-2023 03:23 AM

Hi there

 

setting the correct distance and priority solved my issue, now I see the traffic flowing through the right tunnel.
Thank you

1043
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.