Solved

Fortigate routing issues over IPsec VPN

Posted on 2014-10-14
8
1,077 Views
Last Modified: 2014-11-23
Hi

We have a Fortigate 310B, which is our firewall.
Firmware: 5.0.7

We have multiple IPsec VPN tunnels to different companies and from several branch offices etc.

After creating a new physical interface we are seeing that remote locations(branch offices etc.) which is connected to us attempts to use the new physical interface as the default gateway when routing over the IPsec VPN tunnel.

Created another new physical interface, and the issue is the same. The only difference is that remote users over IPsec now sees this interface as their gatway, when routing over the IPsec Tunnel.

Applies only to interface/Route based IPsec VPN tunnels.

The routing sill works from remote locations over IPsec VPN, however we have a a few VPN Concentrators which is critical to our branch offices to access other companies network. As long as a new physical interface is active with an IP-Address the concentrator stops working all together.

Examples where a user from remote location 192.168.133.0/24 tries access a server at our Lan 172.22.0.0/20 and a remote company over a concentrator.

Without the new physical interfaces, the routing is normal
Tracert 172.22.1.11
192.168.133.1
172.22.0.1
172.22.1.11

With a new physcial interface
Tracert 172.22.1.11
192.168.133.1
172.22.29.1
172.22.1.11

With new physical inteface and to remote company over ipsec
Tracert 10.60.60.100
192.168.133.1
172.22.29.1
* * * timeout
* * * timeout
......

Our physical interfaces are as follow:
P1 Internet: Public IP
P5 LAN: 172.22.0.0/20
P9: 172.22.29.1/24 (newly created)


Anyone experienced anything similar with a Fortigate or know what is causing this issue ?

Regards.
0
Comment
Question by:Lenblock
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
8 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40381342
No personal experience, but my google-fu has found references to the placement of the policy in the config having effects like this.
http://community.spiceworks.com/topic/409597-fortigate-80c-configuring-an-interface-mode-ipsec-site-to-site-vpn
0
 

Author Comment

by:Lenblock
ID: 40381814
Hi

Tried that, without luck.

I've set the physical interface to deny ping (icmp), and created no policies for it.
The remote computer still uses the Physical interface as a gateway.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40382579
Perhaps this will help?
http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_25099833.html

Hopefully someone with more fortigate experience will show up.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 40383726
what routes are setup for the device?
0
 

Author Comment

by:Lenblock
ID: 40383934
Hi

Static routes for the following:

Default route to internet.
All IPsec VPN Interface Based Tunnels.
All Branch offices which is connected over our IPS's network

Regards.
0
 

Author Comment

by:Lenblock
ID: 40386270
Hi

Possibly found the cause for this.

Each Interface on the Fortigate is given an index number.
When creating the new interface on port9 it was given an index number lower than port5.
Fortigate decides which interface should be used as the next hop based on the index number.

Therefore remote computers over an IPsec Interface would use port9 as their next hop.

Looking into how we would go about changing the index number for an interface.
Not yet found out how.

Anyone know how or can suggest a different solution ?

Regards.
0
 

Accepted Solution

by:
Lenblock earned 0 total points
ID: 40451735
Hi

For any others looking for the answer:
If you enable multiple networks on multiple ports on a fortigate without vdom it will use the port with the lowest index as the default next hop in routing. You cannot change the index number. This is a problem if you have a IPsec concentrator.

Enabling vdom and separating the additional network solves this issue.
0
 

Author Closing Comment

by:Lenblock
ID: 40460415
Enabling vdom solves it.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question