Spiderghom
New Contributor

routing to Public Internet over IPSEC

Hi Guys,

I am testing a setup with 2 x 80F in two branches ( A and B) connected back to Hub (C) via an Ipsec tunnel.

The local LANs behind the branches can ping the hub local LAN through the tunnel. I also configured a second phase2 selector to allow another local LAN (/29 each) in the branches to get to the internet through the hub. I have added a default route via the IPsec interface in each branch and a firewall policy allowing the second local LAN (/29), and in the hub the required firewall policy.

For branch B, which has the second /29, the ping towards the internet via the hub is working, but not in branch A.

I can see under the routing monitor that a static route /29 - branch B is showing, but not for /29 - branch A.

I am wondering if I am missing anything. I went to compare the config of A and B and couldn't find any difference/issue except that the IP scheme is different.

 

Toshi_Esumi
SuperUser

I'm assuming 2x80F is in HA (a-p) at each branch, and each has only one IPsec to C. Then make sure the C-FGT has those two /29 routes to each IPsec to A and B.
Then you need a traceroute from A's /29 toward the internet to see if it actually goes to C over the tunnel, or not.

I meant "get router info routing-t all" in CLI.

Toshi

Spiderghom

Hi Toshi,

There is no HA. A & B are independent. The final setup will have about 10 of the 80F, but I am testing at the moment with two branches.

I did the traceroute and it's not getting anywhere.

 

branch-A # execute traceroute-options source Local-LAN-allowed-to-internet

branch-A # execute traceroute 8.8.8.8 
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * *

Toshi_Esumi

We need to know the topology at A including the two 80F, which 80F the /29 is connected to, as well as the routing table on the 80F. Again, "get router info routing-t all"; then you can remove the unrelated part from the entire table before showing it to us.

Toshi

Spiderghom

HUB(C)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.148.x, port17, [1/0]
C 10.112.200.10/32 is directly connected, dc-loopback0
C x.x.148.x/30 is directly connected, port20
S 172.x.x.16/29 [15/0] via to-hub tunnel x.x.128.x, [1/0]

S 192.x.x.8/29 [50/0] is a summary, Null, [1/0]
S 192.x.x.16/29 [50/0] is a summary, Null, [1/0]

 

Branch(A)

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.128.x, wan1, [1/0]
[10/0] via to-hub tunnel x.x.148.x, [1/0]
C x.x.128.x/29 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

Branch(B)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via to-hub tunnel x.x.148.x, [1/0]
[10/0] via x.x.166.x, wan1, [1/0]
C x.x.166.x/30 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

(attachment: tb.jpg)

Spiderghom

HUB(C)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.148.x, port17, [1/0]
C 10.112.200.10/32 is directly connected, dc-loopback0
C x.x.148.x/30 is directly connected, port20
S 172.x.x.16/29 [15/0] via to-hub tunnel x.x.128.x, [1/0]
S 172.x.x.24/29 [15/0] via to-hub tunnel x.x.166.x, [1/0]
S 192.x.x.8/29 [50/0] is a summary, Null, [1/0]
S 192.x.x.16/29 [50/0] is a summary, Null, [1/0]

 

Branch(A)

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via x.x.128.x, wan1, [1/0]
[10/0] via to-hub tunnel x.x.148.x, [1/0]
C x.x.128.x/29 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

 

Branch(B)
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via to-hub tunnel x.x.148.x, [1/0]
[10/0] via x.x.166.x, wan1, [1/0]
C x.x.166.x/30 is directly connected, wan1
S 192.x.x.0/26 [10/0] via to-hub tunnel x.x.148.x, [1/0]

Toshi_Esumi

Oh, by the way, your traceroute from inside of the 80F might not be efficient. Even if you specified the source IP to be the interface IP of the /29 with "exe traceroute-option source <source_ip>", it wouldn't come through the policy the 80F has.
So you should traceroute from a device inside of the /29, not from the 80F.

Toshi

Spiderghom

I have nothing connected to the /29s. I have made a change where I marked the static route towards the WAN interface with a higher priority, making it less preferable than the tunnel interface, and it's working. My final testing will involve connecting physical machines to the /29s and seeing how it goes.
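Added example, not from the thread or from Fortinet: a small Python checker for the condition the thread ended on. It parses "get router info routing-table all" output in the format pasted above and reports which non-tunnel interfaces will still carry default-route traffic, i.e. internet-bound flows from the /29 that would leave the branch unencrypted instead of through the hub. The sample tables are constructed from Branch(A)'s entries with the redacted octets replaced by RFC 5737 addresses, and the trailing bracket is read as [priority/...], which is an assumption about the output format.

```python
import re

# Constructed sample modelled on the thread's Branch(A) table, with the
# redacted x.x octets replaced by RFC 5737 documentation addresses.
BRANCH_A_BEFORE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 192.0.2.1, wan1, [1/0]
[10/0] via to-hub tunnel 198.51.100.1, [1/0]
C 192.0.2.0/29 is directly connected, wan1
S 192.168.0.0/26 [10/0] via to-hub tunnel 198.51.100.1, [1/0]
"""
# Same table after the fix in the thread: the wan1 default route gets a
# higher (less preferred) priority value than the tunnel default route.
BRANCH_A_AFTER = BRANCH_A_BEFORE.replace(
    "via 192.0.2.1, wan1, [1/0]", "via 192.0.2.1, wan1, [10/0]")

ROUTE_RE = re.compile(
    r"^(?:(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)\s+)?"        # absent on continuation lines
    r"\[(?P<dist>\d+)/\d+\]\s+via\s+"
    r"(?:(?P<tunnel>\S+)\s+tunnel\s+)?(?P<nexthop>[\d.]+)"  # "via <name> tunnel <peer>"
    r"(?:,\s+(?P<iface>\S+))?,\s+\[(?P<prio>\d+)/\d+\]$")   # trailing [priority/...] (assumed)

def parse_routes(text):
    """Return one dict per next hop; continuation lines inherit the last prefix."""
    routes, prefix = [], None
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:                      # header, connected routes, summaries
            continue
        prefix = m.group("prefix") or prefix
        routes.append({
            "prefix": prefix,
            "dist": int(m.group("dist")),
            "prio": int(m.group("prio")),
            "egress": m.group("tunnel") or m.group("iface"),
            "tunnel": m.group("tunnel") is not None,
        })
    return routes

def default_route_bypass(text):
    """Non-tunnel egress interfaces that will actually forward 0.0.0.0/0 traffic.

    FortiOS keeps every default route with the lowest (distance, priority)
    pair active and load-balances across them (ECMP), so a WAN route tied
    with the tunnel route sends some internet-bound flows out wan1 in clear.
    """
    defaults = [r for r in parse_routes(text) if r["prefix"] == "0.0.0.0/0"]
    if not defaults:
        return []
    best = min((r["dist"], r["prio"]) for r in defaults)
    active = [r for r in defaults if (r["dist"], r["prio"]) == best]
    return sorted(r["egress"] for r in active if not r["tunnel"])
```

Run it against each branch's table before and after changing the WAN route's priority: an empty result means only the tunnel route is active for internet-bound traffic.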
