VPN on interface behind (not in routing path) FortiGate
Due to the VPN traffic possibly coming in or going out via one of three interfaces (due to BGP), I felt I should configure the VPN on another interface of the FortiGate.
Only the VPN process doesn't want to start the VPN now; the debug log shows:
2021-06-19 14:41:49.269526 ike 0:p1-01:91: could not send IKE Packet(SA_INIT):x.x.x.x:500->y.y.y.y:500, len=248: error 101:Network is unreachable
It sets up the VPN tunnel fine for incoming VPN requests, but it refuses to initiate a VPN itself. Tried on both 6.0 and 6.4.
I can sort of understand it, but it feels unnecessary: if I use ping-options with the same source IP x.x.x.x, I can ping y.y.y.y fine.
I can work around it with a loopback interface, but that means no IPsec traffic offloading. Another option is a second VDOM with the network used in the routing direction, but that feels like adding quite some config.
Has anyone encountered this and found another solution to make it work in both directions?
Are the remote sites under your control? If so, a possible solution would be to create multiple VPN tunnels, one for each physical WAN interface IP (i.e. not using an IP in your block of routable IPs).
Then you can either use SD-WAN to select the appropriate interface or, most likely preferable in your situation, create an aggregate interface (if the other side has a FGT as well).
Unfortunately not. I must configure many IPsec tunnels for different clients. I have 3 VLANs on wan1. Two are /30s for the BGP connection from the ISP with a default route, and the third has my public /28 network, which I received from the ISP. If I set this third VLAN as the IPsec source interface, I get error 101: Network is unreachable.
Thx. set ike-policy-route made a difference. P1 and P2 are up, but traffic doesn't go through the tunnel. The curious thing is that the Tx counters grow, but on the other side of the tunnel Rx is 0. Packet capture looks good, and logs look good, but traffic is not flowing through the tunnel.
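As an added illustration for the thread above (not posted by any participant), a constructed FortiOS CLI layout of the setup being discussed: "vlan-public" is the third VLAN on wan1 carrying the public /28, x.x.x.x and y.y.y.y are the same placeholders as in the log line, the phase 2 selectors and PSK are omitted, and `set ike-policy-route enable` is assumed to be the per-VDOM `config system settings` option referred to in the last reply. The lines starting with `#` are annotations, not CLI input.

```text
# Phase 1 bound to the VLAN that is NOT in the routing path to the peer.
# local-gw pins the IKE source address to the public /28 instead of letting
# the IKE daemon derive it from the egress route (one of the BGP /30 VLANs).
config vpn ipsec phase1-interface
    edit "p1-01"
        set interface "vlan-public"
        set ike-version 2
        set local-gw x.x.x.x
        set remote-gw y.y.y.y
        set psksecret <placeholder>
    next
end

# Setting mentioned in the last reply; assumed location (per VDOM).
# Without it the outgoing SA_INIT can fail with error 101 as in the log above
# while inbound tunnels still come up.
config system settings
    set ike-policy-route enable
end

# Checks after applying, as typed on the FortiGate CLI:
diagnose debug application ike -1
diagnose debug enable
# Phase 1: confirm the local gateway shown is x.x.x.x, not a /30 address.
diagnose vpn ike gateway list name p1-01
# Phase 2: watch the Tx/Rx counters; Tx rising with peer Rx at 0 means the
# ESP leaves this box but never reaches the peer's tunnel interface.
diagnose vpn tunnel list name p1-01
# Verify on the wire which interface and source address the IKE and ESP
# packets actually use (verbosity 4 prints the interface name).
diagnose sniffer packet any 'host y.y.y.y and (port 500 or esp)' 4
diagnose debug disable
```

If the sniffer shows ESP leaving via a /30 VLAN with a /30 source address while phase 1 negotiated x.x.x.x, the peer will drop it as coming from the wrong gateway, which matches the Tx-grows/Rx-zero symptom in the last reply.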