Support Forum
pc-nico
New Contributor II

Use Policy Based Route with IPSec VPN

I have successfully configured a site-to-site VPN connection between 2 Fortigates.

The two subnets of the locations can also reach each other with static routes.

However, if I create a policy-based route instead of a static route, no data is transferred.

Unfortunately, I didn't find a suitable article about FortiOS 7.2.
This article cannot be implemented this way under 7.2: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-policy-routes-for-route-based-in...

Can someone give me a tip here?

2 Solutions
gfleming

Why is it not suitable for 7.2? I have configured a policy route pointing to VPN on my FGT 7.2 no problem.

Cheers,
Graham



gfleming
Staff

Can you please give us an idea of what you are trying to accomplish with the policy route?

Cheers,
Graham
pc-nico
New Contributor II

I only want to route traffic into the VPN that comes from specific sender IP addresses.

With static routes I can't restrict the source IP address. Of course I can also make the restriction via the firewall policy, but I would like to restrict it directly in the routing.

srajeswaran

What is the error you are getting with 7.2? Are you not able to configure the interfaces or policy routes?

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
pc-nico
New Contributor II

I can configure the policy, but it is not applied.

As far as I found out, based on the KB, the interface and gateway must always be configured for a policy-based route.
This is not possible with a VPN interface.

When I check the routing monitor, I see that the default routing rule 0.0.0.0 is matched, which of course does not lead to success.

gfleming

Did you follow the instructions in the KB that state "The solution is to configure an 'IP' and 'Remote IP' on the virtual tunnel interface, and use the 'Remote IP' as the gateway IP address in the policy routes."?

Cheers,
Graham
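The KB solution quoted above, written out as an added FortiOS CLI example (this is not from the thread, the KB article, or Fortinet's documentation). The tunnel name "to-siteB", the LAN port, the 10.255.255.0/30 tunnel addresses and the LAN subnets are assumptions chosen for illustration:

```fortios
# Added example (assumed names and addresses, not taken from the thread).
# 1. Give the route-based IPsec tunnel interface an IP and a Remote IP, so a
#    policy route has a gateway address it can point at.
config system interface
    edit "to-siteB"                        # phase1-interface name of the tunnel
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# 2. Policy route: only traffic from the listed source hosts is sent into the
#    tunnel. Any other source keeps following the normal (static) routing table,
#    so the restriction lives in the routing decision, not only in the policy.
config router policy
    edit 1
        set input-device "port2"           # LAN interface on site A (assumed)
        set src "192.168.10.10/255.255.255.255" "192.168.10.11/255.255.255.255"
        set dst "192.168.20.0/255.255.255.0"   # site B LAN (assumed)
        set gateway 10.255.255.2           # the tunnel's Remote IP
        set output-device "to-siteB"
        set action permit
    next
end

# 3. Check: list the policy routes and their hit counters, and confirm the
#    routing table knows the tunnel interface.
diagnose firewall proute list
get router info routing-table all
```

A firewall policy from the LAN interface to the tunnel interface is still required for the traffic to pass; the policy route only selects the egress interface and gateway. If the default route keeps being matched, the policy route is not hitting, so re-check the input device and the source addresses first.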
pc-nico
New Contributor II

See my first post... I know this KB, but it is not suitable for 7.2.

gfleming

Why is it not suitable for 7.2? I have configured a policy route pointing to VPN on my FGT 7.2 no problem.

Cheers,
Graham
pc-nico
New Contributor II

Under Network -> Interfaces I don't see any VPN interface of the Tunnel Interface type.

The only tunnel type interface is the "NAT interface (naf.root)"

Edit:

OK guys, I'm really too blind... next to the WAN interface there is a "plus" sign, and below that is the VPN interface....

I'll try that right now.... Thank you very much.
