Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPresence
- FortiPortal
- FortiProxy
- FortiRecon
- FortiSRA
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Static Route for IPSecVPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Static Route for IPSecVPN
Hello
Kindly i have a question which is
I configured a VPN ipsec Custom between 2 site ,Dial UP
but i discoved that i have to create Static Route on both FortiGate devices to reach them from each site
so i have a concern why i need to create Static Route
Why there is no reachability without static route although on the VPN setting there is a creation for Local Subnet and Remote subnet
So kindly advice
Labels:
- Labels:
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mhanna,
A static route is necessary to ensure that traffic is going via the correct interface.
In the VPN setting, for phase2 when you add a local subnet and a remote subnet, this ensures that traffic between these two subnets can flow over the VPN tunnel. For routing, you need to have a static route configured.
It is also advised to configure a black hole route to ensure that VPN traffic does not get routed towards the internet incase your VPN tunnel is down.
Thank you.
Shahan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default, FortiOS automatically adds "static" routes to the destination of phase-2 selectors when the phase-1 is of type "dynamic".
Look for the "set add-route enable" command in phase-1.
FGT-01 (root) # config vpn ipsec phase1-interface
FGT-01 (phase1-interface) # edit TEST-VPN-P1
new entry 'TEST-VPN-P1' added
FGT-01 (TEST-VPN-P1) # set type dynamic
FGT-01 (TEST-VPN-P1) # show full | grep add
set add-route enable
FGT-01 (TEST-VPN-P1) #Without this, or when using 0/0 in phase 2, you will need to use static routes.
If you want to see what routes are being injected into the static RIB by the IPsec engine, then use:
diag vpn ike routes
Regards,
Pete
NSE 7
NSE 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Thanks for your reply ,
Okay but why both firwall cant ping its interfaces
i mean when i tried to ping the remote firewall interface from the local firewall console
there is no ping happen and vice versa
but in same time i can ping all subnet in two way by my labtop
The only way that allowed me to ping both firewall from their console when i use the command
execute ping-option source interface port1 x.x.x.x
but i use command
execute ping x.x.x.x
its not pingable
So where do you think the issue
Created on 01-03-2023 02:58 AM Edited on 01-03-2023 02:59 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most likely, your IPsec tunnel interfaces do not have IP addresses on them.
When you execute a ping on a FortiGate, FortiOS does a route lookup for the destination IP to calculate the egress (outgoing) interface.
If you have not specified your source IP ("execute ping-option source ..."), then FortiOS uses the egress interface IP address as the source address of the ICMP packet.
In your case, this is therefore the tunnel IP address - which is likely to be "0.0.0.0".
Pete.
NSE 7
NSE 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is actually an interesting question.
On the one hand, why should we add a "static route" why the local/remote subnets mentioned in the selectors. On the other hand, it is what it is :)
Anyway, In thinking this through, and by looking at the comments:
1. a suggestion for 'add-route" is equal to a static route. The difference is that one is automatic static route "add-route", and one is manual, by adding manually a static route.
2. Two solutions I can think about:
2.1 ADVPN with iBGP
2.2 policy based IPSEC VPN
Even the "mode-cfg-allow-client-selector" would need the "add-route" for the selectors for work in a dialup VPN with mode-cfg enabled.
Am I wrong ?
Thanks
Thanks
Labels
-
FortiGate
9,832 -
FortiClient
2,004 -
FortiManager
834 -
5.2
801 -
FortiAnalyzer
646 -
5.4
639 -
FortiSwitch
541 -
FortiAP
527 -
FortiClient EMS
503 -
6.0
416 -
5.6
362 -
FortiMail
357 -
SSL-VPN
330 -
IPsec
321 -
6.2
251 -
FortiNAC
243 -
FortiAuthenticator v5.5
234 -
FortiWeb
234 -
5.0
196 -
SD-WAN
164 -
FortiGuard
155 -
FortiAuthenticator
146 -
6.4
128 -
Firewall policy
119 -
FortiGateCloud
111 -
FortiSIEM
110 -
FortiCloud Products
107 -
FortiToken
102 -
Wireless Controller
91 -
Customer Service
84 -
FortiGate-VM
76 -
High Availability
76 -
FortiProxy
72 -
ZTNA
68 -
FortiEDR
65 -
4.0MR3
64 -
Fortivoice
64 -
VLAN
64 -
Routing
61 -
DNS
61 -
FortiADC
60 -
SAML
59 -
Authentication
55 -
BGP
55 -
RADIUS
53 -
Certificate
53 -
FortiSandbox
51 -
LDAP
50 -
NAT
49 -
FortiExtender
47 -
SSO
46 -
FortiDNS
43 -
FortiLink
42 -
FortiGate v5.4
37 -
VDOM
37 -
Application control
37 -
Logging
36 -
FortiSwitch v6.4
35 -
Interface
35 -
FortiConnect
34 -
FortiWAN
31 -
Virtual IP
31 -
Web profile
30 -
FortiPAM
29 -
FortiGate v5.2
27 -
FortiConverter
27 -
SSL SSH inspection
25 -
Traffic shaping
24 -
FortiPortal
23 -
Automation
23 -
Static route
23 -
FortiGate Cloud
22 -
SSID
22 -
FortiSwitch v6.2
20 -
SNMP
20 -
FortiMonitor
19 -
WAN optimization
19 -
OSPF
17 -
API
17 -
System settings
17 -
FortiDDoS
15 -
Admin
15 -
Security profile
15 -
FortiAP profile
15 -
Web application firewall profile
15 -
IP address management - IPAM
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
IPS signature
14 -
Proxy policy
13 -
Intrusion prevention
13 -
FortiManager v4.0
12 -
Traffic shaping policy
12 -
Web rating
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Explicit proxy
11 -
Port policy
11 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Users
10 -
Traffic shaping profile
10 -
Fabric connector
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiDeceptor
9 -
FortiAnalyzer v5.0
9 -
RMA Information and Announcements
9 -
DNS filter
9 -
trunk
9 -
Fortinet Engage Partner Program
9 -
FortiCache
8 -
Antivirus profile
8 -
4.0
7 -
Application signature
7 -
Authentication rule and scheme
7 -
FortiToken Cloud
6 -
Packet capture
6 -
NAC policy
6 -
VoIP profile
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
Vulnerability Management
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
FortiNDR
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
File filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2330 | |
| 1262 | |
| 772 | |
| 453 | |
| 436 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.