Hi everyone,
I think I need some help. I will try to explain what I'm trying to achieve.
We have a headquarters and three small locations. In our headquarters we have a big FG1500 and on the three small locations we have FGT30E 3G/4G. The locations are connected through an ethernet circuit and running OSPF between them.
On the small locations I configured dial up IPsec through LTE to our main Fortigate with OSPF.
Everything is working fine on the sub locations while connected to the ethernet circuit. I learn routes through OSPF as expected and can reach everything.... The default route is learned from the headquarters Fortigate and that's fine....
When I disconnect the ethernet circuit the IPSec kicks in and the routes are learned through the IPSec interface, except the default route... Instead of learning my default route from the main Fortigate, the default route from the LTE is injected into the routing table with a distance of 10. I tried to change the distance under the LTE interface but then my IPSec goes down...
Does anyone have an idea how I can fix that... What I'm trying to achieve is that the small Fortigate learns the same subnets and default gateway from the main Fortigate over the IPSec as when connected through the ethernet circuit.
Thanks
You need to have a /32 static route for the HQ's IP toward the LTE interface to keep the tunnel up. Then you can change the distance higher than OSPF (110).
Hi,
Thanks for the reply...
Just wondering... Should I create the static route to the WAN IP of the HQ towards the IPSec tunnel interface or towards the wwan interface for LTE?
For the tunnel interface it would look like this:
config router static
edit 0
set dst 192.168.30.100 255.255.255.255
set device "TUNNEL_INTERFACE"
next
end
LTE. That's where the injected default route was pointing to, right? Which would go away when you change the distance.
Sorry, I forgot the LTE was backup. So you need two static routes for the HQ IP (public) /32 toward both ethernet (primary VPN path) and LTE (backup VPN path). I would give the LTE side a high-number priority (lower priority) and set up "link-monitor" to make the primary static route go away when it loses ping via the primary Internet.
Hi, yes the LTE with IPSec is the backup connection. I wonder if it is necessary to add a static route for the ethernet connection towards the HQ. My FortiGate is learning all the routes including the default route through OSPF. The same happens when I disconnect the WAN. The connection fails over to the IPsec, with the exception that the LTE is injecting its own default route into the routing table, and this is not what I want.
Is your main "ethernet" connection to HQ a point-to-point connection or MPLS? Since you didn't mention in the original post, I assumed it's another VPN over a wired-internet. If p2p or mpls, you don't need the static route for the /32 to the main interface. It's only for VPN to come/stay up while the OSPF default route takes it into the tunnel.
That did the trick.. I added a static route on the sub location towards the HQ on the LTE interface and was able to change the distance... Now the right default route is injected into the routing table.. Thanks for helping!
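The configuration the thread converges on, written out as FortiOS CLI. This is an added example, not a post from the thread and not Fortinet documentation. It assumes the HQ IKE peer address 192.168.30.100 (the address used in the question), an ethernet uplink named "wan1" with next hop 198.51.100.1 (constructed), and an LTE modem interface named "wwan"; adjust the names and addresses to your own units. The ethernet /32 and the link-monitor are the optional part: as noted above, a point-to-point or MPLS circuit carrying OSPF does not need the /32 on the primary side, only the LTE side needs it so the IKE peer is never routed into the tunnel that the OSPF default route points at.

```fortios
# Added example (not from the thread). Assumed names/addresses:
#   HQ IKE peer 192.168.30.100, ethernet uplink "wan1" (next hop 198.51.100.1),
#   LTE interface "wwan". Replace with your own values.

# 1. Pin the HQ peer /32 to the physical uplinks. Without this the OSPF default
#    learned over the tunnel would swallow the IKE/ESP packets themselves and
#    the tunnel drops as soon as the LTE default route loses to OSPF.
config router static
    edit 0
        set dst 192.168.30.100 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
        set priority 10
    next
    edit 0
        set dst 192.168.30.100 255.255.255.255
        set device "wwan"
        set dynamic-gateway enable
        set priority 20
    next
end

# 2. Raise the distance of the default route the modem injects above OSPF's
#    110, so the default route learned from HQ over the tunnel is preferred.
#    (Assumes "distance" is settable on this interface, as the poster reported.)
config system interface
    edit "wwan"
        set distance 120
    next
end

# 3. Optional: withdraw the wan1 /32 when the primary path stops answering,
#    so the LTE /32 takes over without manual intervention.
config system link-monitor
    edit "hq-wan1"
        set srcintf "wan1"
        set server "192.168.30.100"
        set protocol ping
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end
```

After applying, pull the ethernet circuit and check with `get router info routing-table all`: the /32 for the HQ peer should sit on "wwan", the default route should show as OSPF (distance 110) via the tunnel interface, and `diagnose vpn ike gateway list` should still show the phase 1 as established.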