Lenblock
asked on
Fortigate routing issues over IPsec VPN
Hi
We have a Fortigate 310B, which is our firewall.
Firmware: 5.0.7
We have multiple IPsec VPN tunnels to different companies and from several branch offices etc.
After creating a new physical interface we are seeing that remote locations(branch offices etc.) which is connected to us attempts to use the new physical interface as the default gateway when routing over the IPsec VPN tunnel.
Created another new physical interface, and the issue is the same. The only difference is that remote users over IPsec now sees this interface as their gatway, when routing over the IPsec Tunnel.
Applies only to interface/Route based IPsec VPN tunnels.
The routing sill works from remote locations over IPsec VPN, however we have a a few VPN Concentrators which is critical to our branch offices to access other companies network. As long as a new physical interface is active with an IP-Address the concentrator stops working all together.
Examples where a user from remote location 192.168.133.0/24 tries access a server at our Lan 172.22.0.0/20 and a remote company over a concentrator.
Without the new physical interfaces, the routing is normal
Tracert 172.22.1.11
192.168.133.1
172.22.0.1
172.22.1.11
With a new physcial interface
Tracert 172.22.1.11
192.168.133.1
172.22.29.1
172.22.1.11
With new physical inteface and to remote company over ipsec
Tracert 10.60.60.100
192.168.133.1
172.22.29.1
* * * timeout
* * * timeout
......
Our physical interfaces are as follow:
P1 Internet: Public IP
P5 LAN: 172.22.0.0/20
P9: 172.22.29.1/24 (newly created)
Anyone experienced anything similar with a Fortigate or know what is causing this issue ?
Regards.
We have a Fortigate 310B, which is our firewall.
Firmware: 5.0.7
We have multiple IPsec VPN tunnels to different companies and from several branch offices etc.
After creating a new physical interface we are seeing that remote locations(branch offices etc.) which is connected to us attempts to use the new physical interface as the default gateway when routing over the IPsec VPN tunnel.
Created another new physical interface, and the issue is the same. The only difference is that remote users over IPsec now sees this interface as their gatway, when routing over the IPsec Tunnel.
Applies only to interface/Route based IPsec VPN tunnels.
The routing sill works from remote locations over IPsec VPN, however we have a a few VPN Concentrators which is critical to our branch offices to access other companies network. As long as a new physical interface is active with an IP-Address the concentrator stops working all together.
Examples where a user from remote location 192.168.133.0/24 tries access a server at our Lan 172.22.0.0/20 and a remote company over a concentrator.
Without the new physical interfaces, the routing is normal
Tracert 172.22.1.11
192.168.133.1
172.22.0.1
172.22.1.11
With a new physcial interface
Tracert 172.22.1.11
192.168.133.1
172.22.29.1
172.22.1.11
With new physical inteface and to remote company over ipsec
Tracert 10.60.60.100
192.168.133.1
172.22.29.1
* * * timeout
* * * timeout
......
Our physical interfaces are as follow:
P1 Internet: Public IP
P5 LAN: 172.22.0.0/20
P9: 172.22.29.1/24 (newly created)
Anyone experienced anything similar with a Fortigate or know what is causing this issue ?
Regards.
ASKER
Hi
Tried that, without luck.
I've set the physical interface to deny ping (icmp), and created no policies for it.
The remote computer still uses the Physical interface as a gateway.
Tried that, without luck.
I've set the physical interface to deny ping (icmp), and created no policies for it.
The remote computer still uses the Physical interface as a gateway.
Perhaps this will help?
https://www.experts-exchange.com/questions/25099833/Fortigate-IPSec-VPN-over-secondary-WAN-link.html
Hopefully someone with more fortigate experience will show up.
https://www.experts-exchange.com/questions/25099833/Fortigate-IPSec-VPN-over-secondary-WAN-link.html
Hopefully someone with more fortigate experience will show up.
what routes are setup for the device?
ASKER
Hi
Static routes for the following:
Default route to internet.
All IPsec VPN Interface Based Tunnels.
All Branch offices which is connected over our IPS's network
Regards.
Static routes for the following:
Default route to internet.
All IPsec VPN Interface Based Tunnels.
All Branch offices which is connected over our IPS's network
Regards.
ASKER
Hi
Possibly found the cause for this.
Each Interface on the Fortigate is given an index number.
When creating the new interface on port9 it was given an index number lower than port5.
Fortigate decides which interface should be used as the next hop based on the index number.
Therefore remote computers over an IPsec Interface would use port9 as their next hop.
Looking into how we would go about changing the index number for an interface.
Not yet found out how.
Anyone know how or can suggest a different solution ?
Regards.
Possibly found the cause for this.
Each Interface on the Fortigate is given an index number.
When creating the new interface on port9 it was given an index number lower than port5.
Fortigate decides which interface should be used as the next hop based on the index number.
Therefore remote computers over an IPsec Interface would use port9 as their next hop.
Looking into how we would go about changing the index number for an interface.
Not yet found out how.
Anyone know how or can suggest a different solution ?
Regards.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Enabling vdom solves it.
http://community.spiceworks.com/topic/409597-fortigate-80c-configuring-an-interface-mode-ipsec-site-to-site-vpn