AhmedGalal
New Contributor

VPN mechanism

Hi All, 

 

I have a question about IPsec site-to-site tunnels. While establishing the tunnel, how does the configured source interface communicate with the destination tunnel address? Is it through the routing table, or does it just send traffic out of the configured interface?

ede_pfau
SuperUser

Interface-based (or 'route based') IPsec VPN always needs a route to the destination subnet, pointing to the local tunnel interface. The phase1 and phase2 definitions won't suffice.

If you use the VPN Wizard, it will not only gather all phase1 and phase2 information but create a static route, address objects and policies for this VPN.

Ede Kernel panic: Aiee, killing interrupt handler!
AhmedGalal

This is not what I meant. Not the tunnel destination network; what I mean is the destination tunnel IP, the real IP that the source tunnel connects to in order to establish the tunnel.

ede_pfau

Ah, sorry, my fault.

If you mean the remote public address of the remote VPN gateway, that is found via the routing table, like any other target. So it might be found using the default route, or any more detailed route you configure.

Ede Kernel panic: Aiee, killing interrupt handler!
AhmedGalal

Are you sure that it's using the routing table? Because I am configuring a source interface, shouldn't it send the packets out of this interface directly?

ede_pfau

Quite sure.

Try this: delete the default route, and watch the VPN. It will not connect. (Or I'll stand corrected.)

Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

ede_pfau wrote:

Quite sure.

Try this: delete the default route, and watch the VPN. It will not connect. (Or I'll stand corrected.)

If the VPN isn't configured using the default gateway, then nothing will happen... For example, if you have a second non-IPsec route to another entity over a different interface and have a VPN configured down there, killing the default gateway will have no effect on this traffic. There will already be a static entry for this separate entity.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

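The two replies above describe the same dependency from both sides: the peer's public address is reached by a normal routing lookup, and a specific static route for that peer keeps the tunnel working regardless of what happens to the default route. The FortiOS configuration below is an added example, not from this thread, that pins the remote gateway to the same ISP interface the phase1 is bound to and adds the route for the remote subnet over the tunnel interface. All addresses, interface names and the PSK are placeholders.

```fortios
config vpn ipsec phase1-interface
    edit "to-branch"
        # interface the tunnel is bound to
        set interface "wan1"
        # public address of the remote VPN gateway (placeholder)
        set remote-gw 203.0.113.10
        set psksecret <placeholder-psk>
    next
end

config router static
    # host route for the remote peer via wan1's next hop (placeholder),
    # so the routing lookup for IKE/ESP agrees with the bound interface
    # even when a second default route or SD-WAN load balancing exists
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
    # route for the remote protected subnet (placeholder) through the
    # tunnel interface; phase1/phase2 alone do not provide this
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "to-branch"
    next
end
```

To confirm which interface the peer is reached through, check the lookup for the peer address with `get router info routing-table details 203.0.113.10` and the negotiation state with `diagnose vpn ike gateway list`.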
AhmedGalal

Well, I can't delete the default route, but what you are saying means that if you have a load-balancing default route you cannot create an IPsec tunnel through one of the ISPs!

AhmedGalal

Sure, I mean over SD-WAN.
