Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhanna
New Contributor II

Static Route for IPSecVPN

Hello 

Kindly i have a question which is 

I configured a VPN ipsec Custom between 2 site ,Dial UP 

but i discoved that i have to create Static Route on both FortiGate devices to reach them from each site 

so i have a concern why i need to create Static Route 

Why there is no reachability without static route although on the VPN setting there is a creation for Local Subnet and Remote subnet

So kindly advice

4 REPLIES 4
sagha
Staff
Staff

Hi mhanna, 

 

A static route is necessary to ensure that traffic is going via the correct interface. 

In the VPN setting, for phase2 when you add a local subnet and a remote subnet, this ensures that traffic between these two subnets can flow over the VPN tunnel. For routing, you need to have a static route configured.

It is also advised to configure a black hole route to ensure that VPN traffic does not get routed towards the internet incase your VPN tunnel is down. 

 

Details here: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/913287/basic-s...

 

Thank you. 

Shahan

 

Peter-Wainwright
New Contributor II

By default, FortiOS automatically adds "static" routes to the destination of phase-2 selectors when the phase-1 is of type "dynamic".

Look for the "set add-route enable" command in phase-1.

 

FGT-01 (root) # config vpn ipsec phase1-interface

FGT-01 (phase1-interface) # edit TEST-VPN-P1
new entry 'TEST-VPN-P1' added

FGT-01 (TEST-VPN-P1) # set type dynamic

FGT-01 (TEST-VPN-P1) # show full | grep add
set add-route enable

FGT-01 (TEST-VPN-P1) #

Without this, or when using 0/0 in phase 2, you will need to use static routes.

 

If you want to see what routes are being injected into the static RIB by the IPsec engine, then use:

diag vpn ike routes

 

Regards,

 

Pete

NSE 7
NSE 7
mhanna

Hello 

Thanks for your reply , 

Okay but why both firwall cant ping its interfaces 

i mean when i tried to ping the remote firewall interface from the local firewall console

there is no ping happen and vice versa 

but in same time i can ping all subnet in two way by my labtop

The only way that allowed me to ping both firewall from their console when i use the command

execute ping-option source interface port1 x.x.x.x

but i use command 

execute ping x.x.x.x

its not pingable

So where do you think the issue

Peter-Wainwright

Most likely, your IPsec tunnel interfaces do not have IP addresses on them.

When you execute a ping on a FortiGate, FortiOS does a route lookup for the destination IP to calculate the egress (outgoing) interface.

If you have not specified your source IP ("execute ping-option source ..."), then FortiOS uses the egress interface IP address as the source address of the ICMP packet.

In your case, this is therefore the tunnel IP address - which is likely to be "0.0.0.0". 

 

Pete.

NSE 7
NSE 7
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors