boneyard
Valued Contributor

VPN on interface behind (not in routing path) FortiGate

Because the VPN traffic could come in or go out via any one of three interfaces (due to BGP), I felt I should configure the VPN on another interface of the FortiGate.

Only the VPN process doesn't want to start the VPN now; the debug log shows:

2021-06-19 14:41:49.269526 ike 0:p1-01:91: could not send IKE Packet(SA_INIT):x.x.x.x:500->y.y.y.y:500, len=248: error 101:Network is unreachable

It sets up the VPN tunnel fine for incoming VPN requests, but it refuses to initiate a VPN itself. Tried on both 6.0 and 6.4.

I can sort of understand it, but it feels unnecessary: if I do ping-options with the same source IP x.x.x.x, I can ping y.y.y.y fine.

I can work around it with a loopback interface, but that means no IPsec traffic offloading. Another option is a second VDOM with the network used in the routing direction, but that feels like adding quite some config.

Has anyone encountered this and found another solution to make it work in both directions?

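For reference, the loopback workaround the original post mentions looks roughly like the following in FortiOS CLI. This is an added example, not configuration from the original poster, from Fortinet, or from the linked technical note, and it has not been tested against the poster's setup. It assumes a VDOM named "root", three uplinks named "wan1", "wan2" and "wan3", a loopback "lo-vpn" whose address 192.0.2.1 stands in for x.x.x.x, a peer at 198.51.100.1 standing in for y.y.y.y, and a phase1 named "p1-01" as in the debug line; the "#" lines are annotations for the reader, not CLI input. The point of the loopback is that its address is reachable via whichever of the three interfaces BGP currently prefers, so both IKE initiation and responder traffic have a valid route; the firewall policy is needed because IKE and ESP addressed to a loopback are treated as traffic to a local interface and must be explicitly permitted.

```text
# 1. Loopback that terminates IKE/ESP; reachable via any uplink BGP chooses.
config system interface
    edit "lo-vpn"
        set vdom "root"
        set type loopback
        set ip 192.0.2.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. Address object for the loopback, used by the inbound IKE/ESP policy.
config firewall address
    edit "lo-vpn-ip"
        set subnet 192.0.2.1 255.255.255.255
    next
end

# 3. Permit IKE (UDP 500/4500) and ESP from all three uplinks to the loopback.
#    "IKE" and "ESP" are FortiOS predefined services (assumption: names unchanged
#    on the running firmware; verify with 'show firewall service custom').
config firewall policy
    edit 0
        set name "allow-ike-esp-to-lo-vpn"
        set srcintf "wan1" "wan2" "wan3"
        set dstintf "lo-vpn"
        set srcaddr "all"
        set dstaddr "lo-vpn-ip"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
end

# 4. Bind phase1 to the loopback instead of to one physical uplink.
#    Proposal, DH group and PSK are placeholders; use whatever the peer expects.
config vpn ipsec phase1-interface
    edit "p1-01"
        set interface "lo-vpn"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.1
        set psksecret "replace-with-a-strong-psk"
    next
end

config vpn ipsec phase2-interface
    edit "p2-01"
        set phase1name "p1-01"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
end
```

After applying this, the same debug the poster used ("diagnose debug application ike -1") should show the SA_INIT leaving with source 192.0.2.1 rather than the "Network is unreachable" error, because the kernel now has a route for the loopback's traffic over the BGP-selected uplink. As the original post notes, the trade-off is that IPsec traffic terminating on a loopback is not NPU-offloaded on these releases, so check throughput expectations before committing to this design.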
jps
New Contributor

Same exact scenario and error for me.

Ysiak
New Contributor

I have spent many hours on this, and I believe you must use the loopback interface. I did not find any way to make it with the VLAN interfaces or other physical interfaces.


https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-setup-redundant-point-to-point-IPS... 


hrvoje
New Contributor

I have the same issue. Setting "ike-policy-route enable" helped to get the VPN tunnel up, but traffic doesn't go through the tunnel.
