Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MaitM
New Contributor

SSL, IPSEC,GRE routing

Hi

 

I'm struggling with routing issue. We have IPSEC tunnel over gre to parter Cisco routers. For that we needed to crate overlapping ip address interface for IPSEC. Now i have /29 for main WAN connection and /32 for IPSEC interface. In general everything works fine but if we need to access WAN interface IP from internal network (over routing) then /32 connected interface is the best match. In our case it is IPSEC vpn. But that will not work for SSL clients. 

So from internal network we can not use same profile as we would use over internet for SSLVPN. It is bit confusing for end user as some of the resources are accessible only over SSL VPN. 

Is there a trick to allow traffic from internal networks to wan interface if there is a better route available (/32 rules over /29 connected interface)?

 

#SSL #IPSEC #GRE

5 REPLIES 5
Hasnatriad
Staff
Staff

Routing behaviour can be changed by modifying priority and distance. You can follow the KB below to understand the behaviour 

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...

One step at a time
MaitM

Unfortunately that will affect static routes. In my case both are connected routes so in routing table both appear generated automatically with priority and distance as "0"

syordanov
Staff
Staff

Dear MaitM,

 

You can try with policy routing . As a source you can configure the source IP addresses from your internal network, as a destination interface  the WAN interface.

 

Useful KB-> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

 

.
MaitM

Tried out that one but did not help. Not sure but I believe the policy route will not be used as the traffic has local devices as destination. 

syordanov

Dear MaitM ,

 

Can you share something about the routing, did you check with debug flow how traffic is flowing from ssl to your WAN interface?

 

diagnose debug reset

diagnose debug disable

diagnose debug flow trace stop

diagnose debug flow filter clear

diagnose debug flow show iprope enable

diagnose  debug  flow show function-name enable

diagnose debug flow filter saddr x.x.x.x <---- SSL source IP

diagnose  debug  console timestamp enable

diagnose debug flow trace start 9999

diagnose debug enable

diag sys session filter src x.x.x.x <---- SSL source IP

diag sys session list

 

 

 

 

.
Labels
Top Kudoed Authors