Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhanna
New Contributor II

Created on ‎01-02-2023 02:44 AM

Static Route for IPSecVPN

Hello 

Kindly i have a question which is 

I configured a VPN ipsec Custom between 2 site ,Dial UP 

but i discoved that i have to create Static Route on both FortiGate devices to reach them from each site 

so i have a concern why i need to create Static Route 

Why there is no reachability without static route although on the VPN setting there is a creation for Local Subnet and Remote subnet

So kindly advice

Labels:
2962
0 Kudos
4 REPLIES 4
sagha
Staff
Staff

Created on ‎01-02-2023 04:06 AM

Hi mhanna, 

 

A static route is necessary to ensure that traffic is going via the correct interface. 

In the VPN setting, for phase2 when you add a local subnet and a remote subnet, this ensures that traffic between these two subnets can flow over the VPN tunnel. For routing, you need to have a static route configured.

It is also advised to configure a black hole route to ensure that VPN traffic does not get routed towards the internet incase your VPN tunnel is down. 

 

Details here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/913287/basic-s...

 

Thank you. 

Shahan

 

2949
0 Kudos
Peter-Wainwright
New Contributor II

Created on ‎01-02-2023 06:04 AM

By default, FortiOS automatically adds "static" routes to the destination of phase-2 selectors when the phase-1 is of type "dynamic".

Look for the "set add-route enable" command in phase-1.

 

FGT-01 (root) # config vpn ipsec phase1-interface

FGT-01 (phase1-interface) # edit TEST-VPN-P1
new entry 'TEST-VPN-P1' added

FGT-01 (TEST-VPN-P1) # set type dynamic

FGT-01 (TEST-VPN-P1) # show full | grep add
set add-route enable

FGT-01 (TEST-VPN-P1) #

Without this, or when using 0/0 in phase 2, you will need to use static routes.

 

If you want to see what routes are being injected into the static RIB by the IPsec engine, then use:

diag vpn ike routes

 

Regards,

 

Pete

NSE 7
2939
0 Kudos
mhanna
New Contributor II
In response to Peter-Wainwright

Created on ‎01-02-2023 11:28 PM

Hello 

Thanks for your reply , 

Okay but why both firwall cant ping its interfaces 

i mean when i tried to ping the remote firewall interface from the local firewall console

there is no ping happen and vice versa 

but in same time i can ping all subnet in two way by my labtop

The only way that allowed me to ping both firewall from their console when i use the command

execute ping-option source interface port1 x.x.x.x

but i use command 

execute ping x.x.x.x

its not pingable

So where do you think the issue

2913
0 Kudos
Peter-Wainwright
New Contributor II
In response to mhanna

Created on ‎01-03-2023 02:58 AM Edited on ‎01-03-2023 02:59 AM

Most likely, your IPsec tunnel interfaces do not have IP addresses on them.

When you execute a ping on a FortiGate, FortiOS does a route lookup for the destination IP to calculate the egress (outgoing) interface.

If you have not specified your source IP ("execute ping-option source ..."), then FortiOS uses the egress interface IP address as the source address of the ICMP packet.

In your case, this is therefore the tunnel IP address - which is likely to be "0.0.0.0". 

 

Pete.

NSE 7
2900
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.