Use Policy Based Route with IPSec VPN
I have successfully configured a site-to-site VPN connection between 2 Fortigates.
The two subnets of the locations can also reach each other with static routes.
However, if I create a policy-based route instead of a static route, no data is transferred.
Unfortunately I didn't find a suitable article about FortiOS 7.2.
This article cannot be implemented this way under 7.2: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-policy-routes-for-route-based-in...
Can someone give me a tip here?
Labels: FortiGate
Can you please give us an idea of what you are trying to accomplish with the policy route?
Graham
I only want to route traffic into the VPN that comes from specific sender IP addresses.
With static routes I can't restrict the source IP address. Of course I can also make the restriction via the firewall policy, but I would like to restrict it directly in the routing.
What is the error you are getting with 7.2? Are you not able to configure the interfaces or policy routes?
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
I can configure the policy, but it is not applied.
As far as I found out, based on the KB, the interface and gateway must always be configured for a policy-based route.
This is not possible with a VPN interface.
When I check the routing monitor, I see that the default routing rule 0.0.0.0 is matched, which of course does not lead to success.
Did you follow the instructions in the KB that state "The solution is to configure an 'IP' and 'Remote IP' on the virtual tunnel interface, and use the 'Remote IP' as the gateway IP address in the policy routes."
Graham
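The two posts above describe the failure mode (policy route falls through to the 0.0.0.0/0 default route because the tunnel interface has no gateway) and the KB fix (IP and Remote IP on the tunnel interface, Remote IP as the policy-route gateway). The following FortiOS 7.2 CLI fragment is an added example that is not part of the thread or of Fortinet's KB; the interface names, the tunnel name "to_siteB", the /32 tunnel addresses and the LAN subnets are constructed for illustration.

```fortios
# Added example, not from the thread. Constructed assumptions:
#   site A FortiGate, FortiOS 7.2; phase1 "to_siteB" already exists on wan1
#   and the tunnel is up; LAN is port2 (192.168.1.0/24); the LAN behind
#   site B is 10.20.0.0/16.

# 1. Give the tunnel interface an IP and a Remote IP (the KB step quoted above).
#    Without these the policy route has no usable gateway, the lookup falls
#    through to the default route, and the routing monitor shows 0.0.0.0/0
#    being matched, which is the symptom described in the thread.
config system interface
    edit "to_siteB"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# 2. Policy route: only packets from these two sender addresses are sent into
#    the tunnel. The Remote IP from step 1 is the gateway. Policy routes are
#    consulted before the static routing table, lowest sequence number first,
#    so keep this entry ahead of any broader policy routes.
config router policy
    edit 1
        set input-device "port2"
        set src "192.168.1.10/255.255.255.255" "192.168.1.11/255.255.255.255"
        set dst "10.20.0.0/255.255.0.0"
        set gateway 10.255.255.2
        set output-device "to_siteB"
    next
end

# 3. Site B needs the mirror image: ip 10.255.255.2/32, remote-ip 10.255.255.1/32
#    on its tunnel interface, and a route back to 192.168.1.0/24 via the tunnel.
```

A policy route only chooses the egress path; a firewall policy from port2 to "to_siteB" (and the reverse policy on site B) must still accept the traffic, so the source restriction in the policy route does not replace the one in the firewall policy. To confirm the entry is active with the expected gateway and output interface, `diagnose firewall proute list` on the FortiGate lists the installed policy routes, and `diagnose sniffer packet to_siteB` shows whether packets from the listed sources actually enter the tunnel.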
See my first post... I know this KB, but it is not suitable for 7.2.
Why is it not suitable for 7.2? I have configured a policy route pointing to VPN on my FGT 7.2 no problem.
Graham
Created on 04-27-2023 11:44 PM, edited on 04-27-2023 11:48 PM
Under Network -> Interfaces I don't see any VPN interface of the Tunnel Interface type.
The only tunnel-type interface is the "NAT interface (naf.root)".
Edit:
OK guys, I'm really too blind... next to the WAN interface is a "plus" sign, and below that is the VPN interface....
I'll try that right now.... thank you very much.
Works like a charm....
