Hi
I'm struggling with routing issue. We have IPSEC tunnel over gre to parter Cisco routers. For that we needed to crate overlapping ip address interface for IPSEC. Now i have /29 for main WAN connection and /32 for IPSEC interface. In general everything works fine but if we need to access WAN interface IP from internal network (over routing) then /32 connected interface is the best match. In our case it is IPSEC vpn. But that will not work for SSL clients.
So from internal network we can not use same profile as we would use over internet for SSLVPN. It is bit confusing for end user as some of the resources are accessible only over SSL VPN.
Is there a trick to allow traffic from internal networks to wan interface if there is a better route available (/32 rules over /29 connected interface)?
#SSL #IPSEC #GRE
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Routing behaviour can be changed by modifying priority and distance. You can follow the KB below to understand the behaviour
Unfortunately that will affect static routes. In my case both are connected routes so in routing table both appear generated automatically with priority and distance as "0"
Dear MaitM,
You can try with policy routing . As a source you can configure the source IP addresses from your internal network, as a destination interface the WAN interface.
Useful KB-> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
Tried out that one but did not help. Not sure but I believe the policy route will not be used as the traffic has local devices as destination.
Dear MaitM ,
Can you share something about the routing, did you check with debug flow how traffic is flowing from ssl to your WAN interface?
diagnose debug reset
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow filter saddr x.x.x.x <---- SSL source IP
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable
diag sys session filter src x.x.x.x <---- SSL source IP
diag sys session list
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.