Hello
Kindly i have a question which is
I configured a VPN ipsec Custom between 2 site ,Dial UP
but i discoved that i have to create Static Route on both FortiGate devices to reach them from each site
so i have a concern why i need to create Static Route
Why there is no reachability without static route although on the VPN setting there is a creation for Local Subnet and Remote subnet
So kindly advice
Hi mhanna,
A static route is necessary to ensure that traffic is going via the correct interface.
In the VPN setting, for phase2 when you add a local subnet and a remote subnet, this ensures that traffic between these two subnets can flow over the VPN tunnel. For routing, you need to have a static route configured.
It is also advised to configure a black hole route to ensure that VPN traffic does not get routed towards the internet incase your VPN tunnel is down.
Thank you.
Shahan
By default, FortiOS automatically adds "static" routes to the destination of phase-2 selectors when the phase-1 is of type "dynamic".
Look for the "set add-route enable" command in phase-1.
FGT-01 (root) # config vpn ipsec phase1-interface
FGT-01 (phase1-interface) # edit TEST-VPN-P1
new entry 'TEST-VPN-P1' added
FGT-01 (TEST-VPN-P1) # set type dynamic
FGT-01 (TEST-VPN-P1) # show full | grep add
set add-route enable
FGT-01 (TEST-VPN-P1) #
Without this, or when using 0/0 in phase 2, you will need to use static routes.
If you want to see what routes are being injected into the static RIB by the IPsec engine, then use:
diag vpn ike routes
Regards,
Pete
Hello
Thanks for your reply ,
Okay but why both firwall cant ping its interfaces
i mean when i tried to ping the remote firewall interface from the local firewall console
there is no ping happen and vice versa
but in same time i can ping all subnet in two way by my labtop
The only way that allowed me to ping both firewall from their console when i use the command
execute ping-option source interface port1 x.x.x.x
but i use command
execute ping x.x.x.x
its not pingable
So where do you think the issue
Created on 01-03-2023 02:58 AM Edited on 01-03-2023 02:59 AM
Most likely, your IPsec tunnel interfaces do not have IP addresses on them.
When you execute a ping on a FortiGate, FortiOS does a route lookup for the destination IP to calculate the egress (outgoing) interface.
If you have not specified your source IP ("execute ping-option source ..."), then FortiOS uses the egress interface IP address as the source address of the ICMP packet.
In your case, this is therefore the tunnel IP address - which is likely to be "0.0.0.0".
Pete.
This is actually an interesting question.
On the one hand, why should we add a "static route" why the local/remote subnets mentioned in the selectors. On the other hand, it is what it is :)
Anyway, In thinking this through, and by looking at the comments:
1. a suggestion for 'add-route" is equal to a static route. The difference is that one is automatic static route "add-route", and one is manual, by adding manually a static route.
2. Two solutions I can think about:
2.1 ADVPN with iBGP
2.2 policy based IPSEC VPN
Even the "mode-cfg-allow-client-selector" would need the "add-route" for the selectors for work in a dialup VPN with mode-cfg enabled.
Am I wrong ?
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.