Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Spiderghom
New Contributor

Created on ‎10-21-2024 08:59 PM

routing to Public Internet over IPSEC

Hi Guys,

I am testing a setup with 2 x 80F in two branches ( A and B) connected back to Hub (C) via an Ipsec tunnel.

The local LANs behind the branches can ping the hub local lan through the tunnel . Also I configured a second phase2 selectors to allow another local lan ( /29 each) in the branches to get to the internet through the hub. I have added default route via the ipsec interface in each branch and and a firewall policy allowing the second local lan (/29)  and in the hub the required firewall policy.

For branch B which has the second /29 , the ping towards internet via the hub is working but not in the branch A.

I can see under routing monitor that a static router /29 - branch B is showing but not for /29 - branch A.

I am wondering if I am missing anything. I went to compare the config of A and B and couldnt  find  any difference/issue  except the IP scheme is different.

 

Labels:
988
0 Kudos
15 REPLIES 15
Toshi_Esumi
SuperUser
SuperUser

Created on ‎10-21-2024 10:28 PM Edited on ‎10-21-2024 10:31 PM

I'm assuming 2x80F is in HA(a-p) at each branch, and each has only one IPsec to C. Then make sure the C-FGT has those two /29 routes to each IPsec to A and B.
Then you need traceroute from the A's /29 toward the internet to see if it actually goes to C over the tunnel, or not.

I meant "get router info routing-t all" in CLI.

Toshi

707
Spiderghom
New Contributor
In response to Toshi_Esumi

Created on ‎10-22-2024 12:01 AM

Hi Toshi,

There is no HA. A & B are independent. The final setup will have about 10 of 80F..but i am testing at the moment with two branches.

I did the traceroute and it s not getting anywhere.

 

branch-A # execute traceroute-options source Local-LAN-allowed-to-internet

branch-A # execute traceroute 8.8.8.8 
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * *

694
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Spiderghom

Created on ‎10-22-2024 07:43 AM

We need to know the topology at A including the two 80F, and which 80F the /29 is connected as well as the routing-table on the 80F. Again, "get router info routing-t all" then you can remove unrelated part from the entire table before showing it to us.

Toshi

638
0 Kudos
Spiderghom
New Contributor
In response to Toshi_Esumi

Created on ‎10-22-2024 10:19 PM

HUB(C)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.148.x, port17, [1/0]
C 10.112.200.10/32 is directly connected, dc-loopback0
C x.x.148.x/30 is directly connected, port20
S 172.x.x.16/29 [15/0] via to-hub tunnel x.x.128.x, [1/0]

S 192.x.x.8/29 [50/0] is a summary, Null, [1/0]
S 192.x.x.16/29 [50/0] is a summary, Null, [1/0]

 

Branch(A)

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.128.x, wan1, [1/0]
[10/0] via to-hub tunnel x.x.148.x, [1/0]
C x.x.128.x/29 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

Branch(B)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via to-hub tunnel x.x.148.x, [1/0]
[10/0] via x.x.166.x, wan1, [1/0]
C x.x.166.x/30 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

tb.jpg

540
0 Kudos
Spiderghom
New Contributor
In response to Toshi_Esumi

Created on ‎10-22-2024 11:13 PM

HUB(C)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.148.x, port17, [1/0]
C 10.112.200.10/32 is directly connected, dc-loopback0
C x.x.148.x/30 is directly connected, port20
S 172.x.x.16/29 [15/0] via to-hub tunnel x.x.128.x, [1/0]

S 192.x.x.8/29 [50/0] is a summary, Null, [1/0]
S 192.x.x.16/29 [50/0] is a summary, Null, [1/0]

 

Branch(A)

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.128.x, wan1, [1/0]
[10/0] via to-hub tunnel x.x.148.x, [1/0]
C x.x.128.x/29 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

Branch(B)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via to-hub tunnel x.x.148.x, [1/0]
[10/0] via x.x.166.x, wan1, [1/0]
C x.x.166.x/30 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

tb.jpg

540
0 Kudos
Spiderghom
New Contributor
In response to Toshi_Esumi

Created on ‎10-22-2024 11:13 PM

HUB(C)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.148.x, port17, [1/0]
C 10.112.200.10/32 is directly connected, dc-loopback0
C x.x.148.x/30 is directly connected, port20
S 172.x.x.16/29 [15/0] via to-hub tunnel x.x.128.x, [1/0]

S 192.x.x.8/29 [50/0] is a summary, Null, [1/0]
S 192.x.x.16/29 [50/0] is a summary, Null, [1/0]

 

Branch(A)

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.128.x, wan1, [1/0]
[10/0] via to-hub tunnel x.x.148.x, [1/0]
C x.x.128.x/29 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

Branch(B)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via to-hub tunnel x.x.148.x, [1/0]
[10/0] via x.x.166.x, wan1, [1/0]
C x.x.166.x/30 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

541
0 Kudos
Spiderghom
New Contributor
In response to Toshi_Esumi

Created on ‎10-22-2024 11:32 PM

HUB(C)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.148.x, port17, [1/0]
C 10.112.200.10/32 is directly connected, dc-loopback0
C x.x.148.x/30 is directly connected, port20
S 172.x.x.16/29 [15/0] via to-hub tunnel x.x.128.x, [1/0]
S 172.x.x.24/29 [15/0] via to-hub tunnel x.x.166.x, [1/0]
S 192.x.x.8/29 [50/0] is a summary, Null, [1/0]
S 192.x.x.16/29 [50/0] is a summary, Null, [1/0]

 

Branch(A)

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.128.x, wan1, [1/0]
[10/0] via to-hub tunnel x.x.148.x, [1/0]
C x.x.128.x/29 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

Branch(B)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via to-hub tunnel x.x.148.x, [1/0]
[10/0] via x.x.166.x, wan1, [1/0]
C x.x.166.x/30 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

541
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Toshi_Esumi

Created on ‎10-22-2024 11:35 PM

Oh, by the way, your traceroute from inside of 80F might not be efficient. Even if you specified the source IP to be the interface IP of the /29 with "exe traceroute-option source <source_ip>", it wouldn't come through the policy the 80F has.
So you should traceroute from the device inside of the 29. Not from the 80F.

Toshi

565
0 Kudos
Spiderghom
New Contributor
In response to Toshi_Esumi

Created on ‎10-23-2024 02:41 AM

I have nothing connected to /29s. I have done a change where I marked the static route towards the wan interface with higher priority by making it less preferable to the tunnel interface and it's working. my final testing will involve connected physical machines to /29s and see how it goes. 

525
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.