Hello
Kindly, I have a question, which is:
I configured a custom IPsec VPN between 2 sites, dial-up,
but I discovered that I have to create a static route on both FortiGate devices to reach them from each site,
so I have a concern about why I need to create a static route.
Why is there no reachability without a static route, although in the VPN settings there is a creation for Local Subnet and Remote Subnet?
So kindly advise.
Hi mhanna,
A static route is necessary to ensure that traffic is going via the correct interface.
In the VPN setting, for phase2 when you add a local subnet and a remote subnet, this ensures that traffic between these two subnets can flow over the VPN tunnel. For routing, you need to have a static route configured.
It is also advised to configure a black hole route to ensure that VPN traffic does not get routed towards the internet in case your VPN tunnel is down.
Thank you.
Shahan
By default, FortiOS automatically adds "static" routes to the destination of phase-2 selectors when the phase-1 is of type "dynamic".
Look for the "set add-route enable" command in phase-1.
FGT-01 (root) # config vpn ipsec phase1-interface
FGT-01 (phase1-interface) # edit TEST-VPN-P1
new entry 'TEST-VPN-P1' added
FGT-01 (TEST-VPN-P1) # set type dynamic
FGT-01 (TEST-VPN-P1) # show full | grep add
set add-route enable
FGT-01 (TEST-VPN-P1) #
Without this, or when using 0/0 in phase 2, you will need to use static routes.
If you want to see what routes are being injected into the static RIB by the IPsec engine, then use:
diag vpn ike routes
Regards,
Pete
Hello
Thanks for your reply.
Okay, but why can't both firewalls ping their interfaces?
I mean, when I tried to ping the remote firewall interface from the local firewall console,
there is no ping happening, and vice versa,
but at the same time I can ping all subnets both ways from my laptop.
The only way that allowed me to ping both firewalls from their console was when I used the command
execute ping-option source interface port1 x.x.x.x
but when I use the command
execute ping x.x.x.x
it's not pingable.
So where do you think the issue is?
Created on 01-03-2023 02:58 AM Edited on 01-03-2023 02:59 AM
Most likely, your IPsec tunnel interfaces do not have IP addresses on them.
When you execute a ping on a FortiGate, FortiOS does a route lookup for the destination IP to calculate the egress (outgoing) interface.
If you have not specified your source IP ("execute ping-option source ..."), then FortiOS uses the egress interface IP address as the source address of the ICMP packet.
In your case, this is therefore the tunnel IP address - which is likely to be "0.0.0.0".
Pete.
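To tie Pete's two replies and Shahan's black hole advice together, here is an added configuration example (not posted by anyone in this thread): a dial-up hub phase-1 with add-route so the phase-2 selectors are injected into the RIB, specific (non-0/0) selectors, tunnel interface addresses so "execute ping" without a source option has a usable source IP, and a black hole route with a high distance. The spoke side shows why a static route via the tunnel interface is still needed there: add-route applies to the dynamic phase-1 only. Interface names, subnets, tunnel addresses, the hub address 203.0.113.10 and the PSK placeholder are all assumed values; the "#" lines are comments for the reader, not CLI input.

```fortios
# ---------- HUB (dial-up server, phase-1 type dynamic) ----------
config vpn ipsec phase1-interface
    edit "TEST-VPN-P1"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        # default for a dynamic phase-1; injects a route per phase-2 selector when the SA is up
        set add-route enable
        set proposal aes256-sha256
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "TEST-VPN-P2"
        set phase1name "TEST-VPN-P1"
        set proposal aes256-sha256
        # specific selectors: with 0.0.0.0/0 here, add-route has nothing useful to inject
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
# give the tunnel interface an IP so the egress-interface source is not 0.0.0.0
config system interface
    edit "TEST-VPN-P1"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end
# black hole with a distance higher than the injected route: when the tunnel is down,
# traffic for the remote subnet is dropped instead of following the default route
config router static
    edit 10
        set dst 192.168.20.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# ---------- SPOKE (dial-up client, phase-1 type static) ----------
config vpn ipsec phase1-interface
    edit "TEST-VPN-P1"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "TEST-VPN-P2"
        set phase1name "TEST-VPN-P1"
        set proposal aes256-sha256
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
config system interface
    edit "TEST-VPN-P1"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1 255.255.255.255
    next
end
config router static
    # no add-route on a static phase-1, so the route to the hub LAN is explicit
    edit 11
        set dst 192.168.10.0 255.255.255.0
        set device "TEST-VPN-P1"
    next
    edit 12
        set dst 192.168.10.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

After bringing the tunnel up, "diag vpn ike routes" on the hub should list the injected route for 192.168.20.0/24, and "get router info routing-table all" on either side shows the tunnel route preferred over the black hole because of the lower distance.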
Copyright 2023 Fortinet, Inc. All Rights Reserved.