Fortigate routing issues over IPsec VPN


We have a Fortigate 310B, which is our firewall.
Firmware: 5.0.7

We have multiple IPsec VPN tunnels to different companies and from several branch offices etc.

After creating a new physical interface we are seeing that remote locations (branch offices etc.) which are connected to us attempt to use the new physical interface as the default gateway when routing over the IPsec VPN tunnel.

Created another new physical interface, and the issue is the same. The only difference is that remote users over IPsec now see this interface as their gateway when routing over the IPsec tunnel.

Applies only to interface/Route based IPsec VPN tunnels.

The routing still works from remote locations over IPsec VPN; however, we have a few VPN concentrators which are critical for our branch offices to access other companies' networks. As long as a new physical interface is active with an IP address, the concentrator stops working altogether.

Examples where a user from a remote location tries to access a server on our LAN and a remote company over a concentrator.

Without the new physical interfaces, the routing is normal

With a new physical interface

With new physical interface and to remote company over IPsec
* * * timeout
* * * timeout

Our physical interfaces are as follow:
P1 Internet: Public IP
P9: (newly created)

Anyone experienced anything similar with a Fortigate or know what is causing this issue ?


Aaron Tomosky (Director of Solutions Consulting) commented:
No personal experience, but my google-fu has found references to the placement of the policy in the config having effects like this.
Lenblock (Author) commented:

Tried that, without luck.

I've set the physical interface to deny ping (icmp), and created no policies for it.
The remote computer still uses the Physical interface as a gateway.
Aaron Tomosky (Director of Solutions Consulting) commented:
Perhaps this will help?

Hopefully someone with more fortigate experience will show up.

Jakob Digranes (Senior Consultant) commented:
What routes are set up for the device?
Lenblock (Author) commented:

Static routes for the following:

Default route to internet.
All IPsec VPN Interface Based Tunnels.
All branch offices which are connected over our IPS's network

Lenblock (Author) commented:

Possibly found the cause for this.

Each Interface on the Fortigate is given an index number.
When creating the new interface on port9 it was given an index number lower than port5.
Fortigate decides which interface should be used as the next hop based on the index number.

Therefore remote computers over an IPsec Interface would use port9 as their next hop.

Looking into how we would go about changing the index number for an interface.
Not yet found out how.

Anyone know how or can suggest a different solution ?

Lenblock (Author) commented:

For any others looking for the answer:
If you enable multiple networks on multiple ports on a FortiGate without VDOMs, it will use the port with the lowest index as the default next hop in routing. You cannot change the index number. This is a problem if you have an IPsec concentrator.

Enabling vdom and separating the additional network solves this issue.
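The VDOM separation Lenblock describes, written out as a FortiOS 5.x CLI sketch. This is an added example, not configuration from the thread or from Fortinet's documentation; the VDOM name "extra-net", the address 192.0.2.1/24 and the use of port9 are assumptions, and lines beginning with # are annotations rather than CLI input. Check each command against the CLI reference for your exact firmware before applying it.

```text
# Step 1: enable VDOM support (the FortiGate is still in single-VDOM
# mode at this point, so no "config global" prefix is needed yet).
config system global
    set vdom-admin enable
end

# Step 2: create a separate VDOM for the additional network so its
# interface no longer competes, by interface index, with the interfaces
# that serve the interface-based IPsec tunnels in the root VDOM.
config vdom
    edit "extra-net"
    next
end

# Step 3: move the newly created interface (port9 in the thread) into the
# new VDOM. Caveat: the interface must not be referenced by any policy,
# static route or other object in root, or the "set vdom" line is refused.
config global
    config system interface
        edit "port9"
            set vdom "extra-net"
            set ip 192.0.2.1 255.255.255.0   # placeholder address
            set allowaccess ping
        next
    end
end

# Step 4: confirm from the root VDOM that the remote-site and concentrator
# routes still resolve via the IPsec interfaces and port9 is no longer
# listed as a candidate next hop.
config vdom
    edit root
end
get router info routing-table all
```

Re-run the traceroutes from a remote site after the change; the first hop should again be the IPsec tunnel interface rather than port9's address.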

Lenblock (Author) commented:
Enabling vdom solves it.