FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
welnaggar
Staff
Staff
Description
This article describes how to configure a policy route that only certain traffic will traverse through a route-based IPsec VPN tunnel.

Solution
Although a static route with a destination interface of a VPN tunnel does not require a gateway IP address, a policy route does.
The solution is to configure an 'IP' and 'Remote IP' on the virtual tunnel interface, and use the 'Remote IP as the gateway IP address in the policy routes.

1) Define the IP and the Remote IP to be used for the tunnel interface.
Best practice is to choose IP addresses in a subnet that is not currently used on the FortiGate.




From CLI:
#config system interface
    edit "VPN01"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.255
        set type tunnel
        set remote-ip 10.1.1.2 255.255.255.252
        set interface "port1"
    next
end
2) Use the 'Remote IP' as the gateway IP address in the policy route.




From CLI:
# config router policy
    edit 1
        set input-device "port3”
        set src "VPN01_local"
        set dst "VPN01_remote"
        set gateway 10.1.1.2
        set output-device "VPN01"
    next
end
Note:
As of FortiOS version 6.2, matching policy routing can be checked from the debug flow.
2019-12-27 16:03:02 id=20085 trace_id=148 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 172.16.1.1:1->192.168.1.1:2048) from port3. type=8, code=0, id=1, seq=87."
2019-12-27 16:03:02 id=20085 trace_id=148 func=init_ip_session_common line=5625 msg="allocate a new session-00975287"
2019-12-27 16:03:02 id=20085 trace_id=148 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=1: to 192.168.1.1 via ifindex-50"
2019-12-27 16:03:02 id=20085 trace_id=148 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.1.1.2 via VPN01"
2019-12-27 16:03:02 id=20085 trace_id=148 func=fw_forward_handler line=783 msg="Allowed by Policy-1:"
2019-12-27 16:03:02 id=20085 trace_id=148 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN01"
2019-12-27 16:03:03 id=20085 trace_id=148 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2019-12-27 16:03:03 id=20085 trace_id=148 func=ipsec_output_finish line=622 msg="send to 10.104.7.80 via intf-wan1"

Contributors