Description
This article describes how to configure a policy route that only certain traffic will traverse through a route-based IPsec VPN tunnel.
Solution
Although a static route with a destination interface of a VPN tunnel does not require a gateway IP address, a policy route does.
The solution is to configure an 'IP' and 'Remote IP' on the virtual tunnel interface, and use the 'Remote IP as the gateway IP address in the policy routes.
1) Define the IP and the Remote IP to be used for the tunnel interface.
Best practice is to choose IP addresses in a subnet that is not currently used on the FortiGate.
This article describes how to configure a policy route that only certain traffic will traverse through a route-based IPsec VPN tunnel.
Solution
Although a static route with a destination interface of a VPN tunnel does not require a gateway IP address, a policy route does.
The solution is to configure an 'IP' and 'Remote IP' on the virtual tunnel interface, and use the 'Remote IP as the gateway IP address in the policy routes.
1) Define the IP and the Remote IP to be used for the tunnel interface.
Best practice is to choose IP addresses in a subnet that is not currently used on the FortiGate.
From CLI:
#config system interface2) Use the 'Remote IP' as the gateway IP address in the policy route.
edit "VPN01"
set vdom "root"
set ip 10.1.1.1 255.255.255.255
set type tunnel
set remote-ip 10.1.1.2 255.255.255.252
set interface "port1"
next
end
From CLI:
As of FortiOS version 6.2, matching policy routing can be checked from the debug flow.
# config router policyNote:
edit 1
set input-device "port3”
set src "VPN01_local"
set dst "VPN01_remote"
set gateway 10.1.1.2
set output-device "VPN01"
next
end
As of FortiOS version 6.2, matching policy routing can be checked from the debug flow.
2019-12-27 16:03:02 id=20085 trace_id=148 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 172.16.1.1:1->192.168.1.1:2048) from port3. type=8, code=0, id=1, seq=87."
2019-12-27 16:03:02 id=20085 trace_id=148 func=init_ip_session_common line=5625 msg="allocate a new session-00975287"
2019-12-27 16:03:02 id=20085 trace_id=148 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=1: to 192.168.1.1 via ifindex-50"
2019-12-27 16:03:02 id=20085 trace_id=148 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.1.1.2 via VPN01"
2019-12-27 16:03:02 id=20085 trace_id=148 func=fw_forward_handler line=783 msg="Allowed by Policy-1:"
2019-12-27 16:03:02 id=20085 trace_id=148 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN01"
2019-12-27 16:03:03 id=20085 trace_id=148 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2019-12-27 16:03:03 id=20085 trace_id=148 func=ipsec_output_finish line=622 msg="send to 10.104.7.80 via intf-wan1"
