TestUser777
New Contributor

VPN, Routing question.

Hi

 

When I guide one of my hosts into the VPN tunnel, it works great.
Is there a way to ping it over a WAN interface as well?

 

[attachment: FG_Routing_Test.jpg]

fricci_FTNT
Staff

Hi @TestUser777 ,

 

My understanding is that the hosts 192.168.20.2/32 and 192.168.10.2/32 are able to reach each other through the IPsec tunnel thanks to a static route.

The hosts 192.168.20.3/32 and 192.168.10.2/32 can reach each other through OSPF if OSPF is configured properly (you mentioned that they are both in the same area 0).

The below might help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-troubleshoot-OSPF-neighborship-in-v...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiOS-routing-RIP-OSPF-BGP-static-...

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/358640/basic-ospf-example


Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
TestUser777

[attachments: FG2.jpg, FG1.jpg]

> The hosts 192.168.20.3/32 and 192.168.10.2/32 can reach each other through OSPF if OSPF is configured properly (you mentioned that they are both in the same area 0).

They are, and when the 192.168.10.2/32 static route is disabled, they can ping each other.

 

Right now I cannot ping over WAN.
I have OSPF Area 0 (192.168.10.0/24 is advertised here) over WAN and OSPF Area 1 over VPN.
192.168.10.2/32 is statically advertised into the VPN tunnel.

On Monday I will try to remove the static routes and advertise 192.168.10.2/32 into OSPF Area 1.

fricci_FTNT

Hi @TestUser777 ,

 

So if I have understood correctly, you have 192.168.20.3/24 and 192.168.10.2/24 both in area 0. Then you want to have 192.168.20.2/32 advertised in Area 1 inside the VPN tunnel.


Please collect the below outputs in both situations, when the static route is enabled and when it is disabled:

On FG2:
get router info routing-table all | grep 192.168.20.
get router info routing-table database | grep 192.168.20.
get router info routing-table detail 192.168.20.2/32
get router info routing-table detail 192.168.20.3/32

diag ip rtcache list | grep 192.168.20.
get router info kernel | grep 192.168.20.

On FG1:
get router info routing-table all | grep 192.168.10.
get router info routing-table database | grep 192.168.10.
get router info routing-table detail 192.168.10.2/32

diag ip rtcache list | grep 192.168.10.
get router info kernel | grep 192.168.10.

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
TestUser777

Soon I will give you those outputs.
But what I want to achieve is that 192.168.20.3 and 192.168.10.2 can ping each other using OSPF Area 0 over the WAN interfaces, and 192.168.20.2 can ping 192.168.10.2 over the VPN interfaces using OSPF Area 1.
Right now, with static routes, ping over VPN works between 192.168.20.2 and 192.168.10.2 :)

pminarik

That sounds like you want policy-based routing (the deciding factor being the source-IP in this case), and for that you'll need two routes towards 192.168.10.0/24 at the same time (ECMP) as a basic requirement.

I don't know what the current situation is, but traditionally ECMP wasn't allowed for routes from different sources - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-ECMP-with-different-routing... . I guess you could make it work if you had both routes sourced from OSPF? (if it supports ECMP)

[ corrections always welcome ]
fricci_FTNT

Hi @TestUser777 ,

 

I am not sure that you will be able to achieve it only with OSPF: you will have a route to 192.168.10.2/32 belonging to area 1 as an inter-area route and a route to 192.168.10.0/24 belonging to area 0 as an intra-area route, and from my understanding an intra-area route is always preferred in OSPF.

From the OSPF RFC https://datatracker.ietf.org/doc/html/rfc2328 I read:
------------------------------------

Path-type
        There are four possible types of paths used to route traffic to
        the destination, listed here in decreasing order of preference:
        intra-area, inter-area, type 1 external or type 2 external.
        Intra-area paths indicate destinations belonging to one of the
        router's attached areas.  Inter-area paths are paths to
        destinations in other OSPF areas.

------------------------------------

In your case it would be better to implement a policy route:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
TestUser777
New Contributor

I tried to implement a routing policy.

So I changed the routing a little.
Over WAN I'm using static routes. 192.168.20.3 and .2 can ping 192.168.10.2.
Over VPN I advertise OSPF and the same IP subnets.
When I try to use policy routing (pics included) I can get a match, but I cannot get a full ping.
Do I have to reverse the policies too?

Thanks for all the help and answers :)

[attachments: FG_Test_Sniffer.jpg, FG_Test_RPolicy.jpg]

TestUser777
New Contributor

I got it to work.
At first I had a static route to WAN and an OSPF route to VPN.
Only the static route to WAN was in the routing table.

So a static route to WAN and a static route to VPN did the trick.
Having two different routes to the same network over WAN and VPN let policy routing do its thing.

Thank you all for your help and guidance :)
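The thread ends with two findings worth making precise: a policy route only takes effect when the routing table already holds an active route to the destination through the policy's outgoing interface (which is why the OSPF route over VPN, hidden behind the lower-distance static route, never let the policy fire), and the return path has to follow the same link, because a stateful firewall drops replies arriving on an interface other than the one the request left on. The following is an added example written for this page, not code from the thread or from Fortinet: a small Python model of that lookup order (longest prefix, then lowest administrative distance, survivors form ECMP, then policy routes on top). The routers FG1/FG2, the 192.168.10.0/24 and 192.168.20.0/24 networks and the hosts come from the thread; the interface names "wan" and "vpn", the administrative distances (static 10, OSPF 110) and the policy-route semantics are modelling assumptions and are not FortiOS internals.

```python
"""Simplified model of FortiGate forwarding: routing table lookup (longest
prefix, then lowest administrative distance, equal survivors are ECMP members)
followed by top-down policy routes matched on source/destination.
Constructed example; interface names, distances and the policy-route rule are
assumptions for illustration, not FortiOS code."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str
    distance: int  # assumed administrative distance: static 10, OSPF 110


@dataclass(frozen=True)
class PolicyRoute:
    src: Net
    dst: Net
    out_interface: str


@dataclass
class FortiGate:
    name: str
    rib: list = field(default_factory=list)
    policy_routes: list = field(default_factory=list)

    def active_routes(self, dst: Addr) -> list:
        """Routes that would be active for dst: longest prefix wins, then the
        lowest distance; routes tied on both are ECMP members."""
        matches = [r for r in self.rib if dst in r.prefix]
        if not matches:
            return []
        best_len = max(r.prefix.prefixlen for r in matches)
        matches = [r for r in matches if r.prefix.prefixlen == best_len]
        best_dist = min(r.distance for r in matches)
        return [r for r in matches if r.distance == best_dist]

    def egress(self, src: Addr, dst: Addr):
        """Outgoing interface for one packet src -> dst."""
        active = self.active_routes(dst)
        for pr in self.policy_routes:
            if src in pr.src and dst in pr.dst:
                # Assumption modelled here: a policy route is honoured only if an
                # active route to dst exists via its outgoing interface; otherwise
                # the lookup falls through to the ordinary routing table.
                if any(r.interface == pr.out_interface for r in active):
                    return pr.out_interface
        if not active:
            return None
        return active[0].interface  # ECMP tie-break simplified to the first member


def ping_path(a: FortiGate, src: Addr, b: FortiGate, dst: Addr) -> dict:
    """Forward path chosen by router a, return path chosen by router b.  The
    ping only completes when both choose the same link; otherwise the reply
    arrives on a different interface and the stateful session check drops it."""
    fwd = a.egress(src, dst)
    ret = b.egress(dst, src)
    return {"forward": fwd, "return": ret, "symmetric": fwd is not None and fwd == ret}


# Addressing from the thread; hosts .2 and .3 sit behind FG2, host .2 behind FG1.
LAN_FG1, LAN_FG2 = Net("192.168.10.0/24"), Net("192.168.20.0/24")
HOST_20_2, HOST_20_3, HOST_10_2 = Addr("192.168.20.2"), Addr("192.168.20.3"), Addr("192.168.10.2")
# Forward policy on FG2 and its mirror on FG1 (scoped to the single host pair so
# that 192.168.20.3 traffic keeps using the WAN link in both directions).
VPN_POLICY_FG2 = PolicyRoute(Net("192.168.20.2/32"), LAN_FG1, "vpn")
VPN_POLICY_FG1 = PolicyRoute(Net("192.168.10.2/32"), Net("192.168.20.2/32"), "vpn")


def scenario_static_wan_plus_ospf_vpn() -> str:
    """First attempt from the thread: static route over WAN, OSPF route over VPN.
    Only the static route is active, so the policy route towards vpn is skipped."""
    fg2 = FortiGate("FG2", [Route(LAN_FG1, "wan", 10), Route(LAN_FG1, "vpn", 110)], [VPN_POLICY_FG2])
    return fg2.egress(HOST_20_2, HOST_10_2)


def scenario_two_static_routes(reverse_policy: bool) -> dict:
    """Working setup from the thread: static routes over both links (ECMP), with
    or without the mirrored policy route on FG1."""
    fg2 = FortiGate("FG2", [Route(LAN_FG1, "wan", 10), Route(LAN_FG1, "vpn", 10)], [VPN_POLICY_FG2])
    fg1 = FortiGate("FG1", [Route(LAN_FG2, "wan", 10), Route(LAN_FG2, "vpn", 10)],
                    [VPN_POLICY_FG1] if reverse_policy else [])
    return {
        "host_20_2": ping_path(fg2, HOST_20_2, fg1, HOST_10_2),
        "host_20_3": ping_path(fg2, HOST_20_3, fg1, HOST_10_2),
    }


if __name__ == "__main__":
    print("static WAN + OSPF VPN, policy -> vpn :", scenario_static_wan_plus_ospf_vpn())
    print("two static routes, no reverse policy:", scenario_two_static_routes(False))
    print("two static routes, reverse policy   :", scenario_two_static_routes(True))
```

Running it shows the three states the thread went through: with the OSPF route shadowed, host .2 leaves via wan despite the policy; with two static routes but no mirrored policy on FG1, the request goes out via vpn and the reply comes back via wan (the "match but no full ping" symptom); with the mirrored policy scoped to the same host pair, both hosts get symmetric paths.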
