Hi
When I guide one of my hosts into the VPN tunnel, it works great.
Is there a way to ping it over a WAN interface also?
That sounds like you want policy-based routing (the deciding factor being the source-IP in this case), and for that you'll need two routes towards 192.168.10.0/24 at the same time (ECMP) as a basic requirement.
I don't know what the current situation is, but traditionally ECMP wasn't allowed for routes from different sources - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-ECMP-with-different-routing... . I guess you could make it work if you had both routes sourced from OSPF? (if it supports ECMP)
Hi @TestUser777 ,
My understanding is that the hosts 192.168.20.2/32 and 192.168.10.2/32 are able to reach each other through the IPsec tunnel thanks to a static route.
The hosts 192.168.20.3/32 and 192.168.10.2/32 can reach each other through OSPF if OSPF is configured properly (you mentioned that they are both in the same area 0).
The below might help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-troubleshoot-OSPF-neighborship-in-v...
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/358640/basic-ospf-example
Best regards,
Created on 06-29-2024 01:45 PM Edited on 06-29-2024 01:45 PM
The hosts 192.168.20.3/32 and 192.168.10.2/32 can reach each other through OSPF if OSPF is configured properly (you mentioned that they are both in the same area 0). <--- They are, and when the 192.168.10.2/32 static route is disabled, they can ping each other.
Right now I could not ping over WAN.
I have OSPF Area 0 (192.168.10.0/24 is advertised here) over WAN and OSPF Area 1 over VPN.
192.168.10.2/32 is statically advertised into the VPN tunnel.
On Monday I will try to remove the static routes and advertise 192.168.10.2/32 into OSPF Area 1.
Hi @TestUser777 ,
So if I have understood correctly, you have 192.168.20.3/24 and 192.168.10.2/24 both in area 0. Then you want to have 192.168.20.2/32 advertised in Area 1 inside the VPN tunnel.
Please collect the below outputs in both situations, when the static route is enabled and when it is disabled:
On FG2:
get router info routing-table all | grep 192.168.20.
get router info routing-table database | grep 192.168.20.
get router info routing-table detail 192.168.20.2/32
get router info routing-table detail 192.168.20.3/32
diag ip rtcache list | grep 192.168.20.
get router info kernel | grep 192.168.20.
On FG1:
get router info routing-table all | grep 192.168.10.
get router info routing-table database | grep 192.168.10.
get router info routing-table detail 192.168.10.2/32
diag ip rtcache list | grep 192.168.10.
get router info kernel | grep 192.168.10.
Best regards,
Soon I will give you those outputs.
But what I want to achieve is that 192.168.20.3 and 192.168.10.2 can ping each other using OSPF Area 0 over the WAN interfaces, and 192.168.20.2 can ping 192.168.10.2 over the VPN interfaces using OSPF Area 1.
Right now, with static routes, ping over VPN works between 192.168.20.2 and 192.168.10.2 :)
Created on 07-03-2024 02:02 AM Edited on 07-03-2024 02:09 AM
Hi @TestUser777 ,
I am not sure that you will be able to achieve it only with OSPF. You will have a route to 192.168.10.2/32 belonging to area 1 as an inter-area route and a route to 192.168.10.0/24 belonging to area 0 as an intra-area route; from my understanding an intra-area route is always preferred in OSPF.
From the OSPF RFC https://datatracker.ietf.org/doc/html/rfc2328 I read:
------------------------------------
Path-type There are four possible types of paths used to route traffic to the destination, listed here in decreasing order of preference: intra-area, inter-area, type 1 external or type 2 external. Intra-area paths indicate destinations belonging to one of the router's attached areas. Inter-area paths are paths to destinations in other OSPF areas.
------------------------------------
In your case it would be better to implement a policy route:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
Best regards,
I tried to implement a Routing Policy.
So I changed the routing a little.
Over WAN I'm using static routes. 192.168.20.3 and .2 can ping 192.168.10.2.
Over VPN I advertise OSPF and the same IP subnets.
When I try to use Policy routing (pics included) I can get a match, but I cannot get a full ping.
Do I have to reverse the policies also?
Thanks for all the help and answers :)
I got it to work.
At first I had a static route to WAN and an OSPF route to VPN.
Only the static route to WAN was in the routing table.
So a static route to WAN and a static route to VPN did the trick.
I had two different routes to the same network over WAN and VPN, and Policy Routing could do its thing.
Thank you all for your help and guidance :)
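The working setup described in the thread, written out as an added FortiOS CLI example (not configuration posted by anyone in the thread): two static routes to 192.168.10.0/24 with the same administrative distance, so both are installed in the routing table (ECMP), plus per-source policy routes on FG2 that steer 192.168.20.2 into the tunnel and 192.168.20.3 out the WAN. The interface names "wan1", "to-FG1" (the IPsec interface) and "internal", and the WAN next hop 198.51.100.1, are assumptions; replace them with your own.

```fortios
# FG2 - assumed interface names and next hop, see lead-in

# Both static routes must have the same distance (and priority) to coexist
# in the routing table; a static route and an OSPF route to the same prefix
# will not, because the lower distance wins and the other is hidden.
config router static
    edit 10
        set dst 192.168.10.0 255.255.255.0
        set gateway 198.51.100.1          # assumed WAN next hop
        set device "wan1"
        set distance 10
    next
    edit 11
        set dst 192.168.10.0 255.255.255.0
        set device "to-FG1"               # IPsec interface, no gateway needed
        set distance 10
    next
end

# Policy routes are evaluated before the routing table and choose the egress
# interface by source address. Policy ID 1 is matched first.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.20.2/255.255.255.255"
        set dst "192.168.10.2/255.255.255.255"
        set output-device "to-FG1"
    next
    edit 2
        set input-device "internal"
        set src "192.168.20.3/255.255.255.255"
        set dst "192.168.10.2/255.255.255.255"
        set gateway 198.51.100.1
        set output-device "wan1"
    next
end

# Verification: the first command should list 192.168.10.0/24 twice,
# once via wan1 and once via to-FG1; the second shows the policy routes
# and their hit counters.
# get router info routing-table all
# diagnose firewall proute list
```

The same pair of static routes and mirrored policy routes (by source 192.168.10.2, by destination 192.168.20.2 and 192.168.20.3) would be needed on FG1 if the return traffic must take the same path as the request; otherwise FG1 simply uses its best route back, which may be asymmetric and is rejected by stateful firewall policies when the reply arrives on a different interface than the session was created on.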