FGT to FGT with 0.0.0.0 and understanding VPN Routing
VPN routing concepts seem to have changed for FortiOS 5.2 or higher; it is in the What's New section for 5.2. VPN tunnels now use "add-route", which I don't understand in a 0.0.0.0/0 scenario.
I have done many FGT<>FGT split-tunnel VPNs with the old routing (static routes), but not with the new routing.
I need help understanding how routing is controlled without static routes.
FG200D 5.6.5 (HA) - primary; FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
As far as I know, nothing has changed in 5.2 with routing over IPsec tunnels. With main mode you can leave the networks in phase 2 at the default 0.0.0.0 (it doesn't show up in the CLI) and use static routes to control the split tunnel if you want. We use BGP for that part, but it's just a routing protocol, no different from static routes. When we migrated from 5.0 to 5.2 on both sides, we didn't have to change anything. The only differences we noticed were the password encryption level and the default DH group/keylife timer values.
I know that routing changed, because all my static routes for FGT-to-FGT VPN tunnels were deleted when I upgraded to 5.2.x, and because of this note from "What's New" (see screenshot).
I should mention that I set up my FGT-to-FGT tunnels in dynamic mode so that the site IP address can change without affecting the VPN tunnel.
The routing hasn't changed; that just automates pushing a route into the routing table when IPsec has been established.
PCNSE
NSE
StrongSwan
Something has changed; call it what you will. I am calling it routing, but if routing hasn't changed then something else has.
In the "add static route" dialog, I used to be able to select my IPsec VPN tunnel (dynamic) name in the device box, but since upgrading to 5.2.x I can no longer do that. I only see IPsec VPN tunnel names in the drop-down box for static VPN tunnels.
Whether something has changed or not, how do you guys manage routes when you define a FGT-to-FGT tunnel with 0.0.0.0/0 on both sides?
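Editor's added example, not posted by anyone in this thread and not Fortinet documentation: a FortiOS 5.2-style CLI configuration for the case asked about above, a dynamic (dialup) FGT-to-FGT tunnel with 0.0.0.0/0 selectors on both sides, where routing is kept under manual control by turning off add-route on the dialup phase 1 and pointing static routes at the tunnel interface. Tunnel names, interface names, LAN prefixes, the hub address 203.0.113.10 and the PSK are made up for illustration; syntax should be checked against your own build, and the CLI (rather than the GUI drop-down mentioned above) is assumed to accept the dynamic tunnel name as the static route's device.

```text
# ===== Hub (dialup responder, fixed public IP 203.0.113.10) =====
# Hypothetical names and addresses; verify syntax on your FortiOS build.
config vpn ipsec phase1-interface
    edit "to-BR1"
        set type dynamic              # accept the spoke from any source IP
        set interface "wan1"
        set mode main
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set add-route disable         # do NOT auto-install a route from the peer's 0.0.0.0/0 selector
        set psksecret "example-psk-change-me"   # placeholder; use a long random PSK or certificates
    next
end
config vpn ipsec phase2-interface
    edit "to-BR1-p2"
        set phase1name "to-BR1"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0     # any-to-any selector: the routing table, not the
        set dst-subnet 0.0.0.0 0.0.0.0     # selector, decides what enters the tunnel
    next
end
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0      # BR1 LAN (hypothetical), reached via the tunnel interface
        set device "to-BR1"
    next
end

# ===== Spoke BR1 (initiator, public IP may change) =====
config vpn ipsec phase1-interface
    edit "to-HQ"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set mode main
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "example-psk-change-me"
    next
end
config vpn ipsec phase2-interface
    edit "to-HQ-p2"
        set phase1name "to-HQ"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
        set auto-negotiate enable          # bring the tunnel up without waiting for interesting traffic
    next
end
config router static
    edit 0
        set dst 10.10.0.0 255.255.0.0      # HQ LAN (hypothetical) via the tunnel
        set device "to-HQ"
    next
end

# ===== Checks on either side =====
# diagnose vpn tunnel list            -> phase 1 / phase 2 up, selectors 0.0.0.0/0
# get router info routing-table all   -> only the static routes you configured point at the tunnel;
#                                        no unexpected 0.0.0.0/0 entry via the tunnel interface
```

Two caveats a practitioner would check: add-route only matters on the dynamic (dialup) side, which is why it is set on the hub and not on the static spoke; and a 0.0.0.0/0 selector does not by itself send anything through the tunnel, so firewall policies between the LAN interface and the tunnel interface in both directions are still required, and a 0.0.0.0/0 static route to the tunnel should only be added if you really intend to backhaul all traffic.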
