FortiGate
nevan
Staff
Article Id 304731
Description

This article describes how to configure a default route for a specific source (subnet or IP range) with a policy route. Generally, static routes are used to reach destinations over an IPsec VPN, and once a static route is configured it appears in the routing table.

In this scenario, a default route for internet traffic already exists, but another default route is required for a specific source through the IPsec VPN, so it has to be added as a policy route. After configuring the policy route, it can be seen that the route is not working: traffic keeps following the general default route instead of the policy route.

Scope

FortiGate.

Solution

To activate the policy route and make it work, there must be a reachable route for the traffic in the routing table.

Policy route:

FGT # config router policy
    edit 1
        set input-device "local-interface"
        set src "6.6.6.6/255.255.255.255"    <---- local subnet
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.109.17.60
        set output-device "vpn-tunnel"
    next
end

Though the policy route is configured correctly, it can be seen that it is not working. Policy routes are evaluated before the routing table, so this route should take precedence over the general static routes. In this case, an additional static route is required so that the traffic matched by the policy route has a reachable route through the output device.

To avoid a conflict with the existing default route for internet traffic, the additional reachable route keeps the same administrative distance (AD) but is given a higher priority value, which makes it less preferred than the internet default route.

Static route:

FGT # config router static
    edit <id>
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway <gateway addr>
        set distance 10
        set priority 1
        set device "WAN-interface"
        set comment "default route over WAN interface"
    next
    edit <id>
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway <gateway addr>
        set distance 10    <----- Same AD value as the default route for internet traffic.
        set priority 20    <----- Higher priority value than the internet default route, to avoid a route conflict.
        set device "vpn-tunnel"
        set comment "default route over VPN tunnel interface"
    next
end

After this configuration, the additional reachable route for the VPN traffic is active in the routing table, but because of its higher priority value it does not displace the default route for internet traffic.

Routing Table:

FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*          0.0.0.0/0 [10/0] via 10.109.63.254, port2, [1/0]
                      [10/0] via vpn-tunnel tunnel 10.109.17.60, [20/0]    <----- additional reachable route via the VPN tunnel
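The reachability condition described above, checked programmatically, as an added example that is not part of this article or of Fortinet's tooling: the script parses a policy route and the `get router info routing-table all` output (constructed copies of the article's samples are embedded), reports whether each policy route has an active route through its output-device that covers its destination, and shows which of the two equal-distance default routes the FortiGate prefers (the lower priority value). The parsers handle only the CLI shapes shown in this article, and requiring the routing-table gateway to match the policy route gateway is an assumption.

```python
# Added example (not Fortinet's code): does each policy route have a
# reachable route via its output-device? Parsing assumes the CLI shapes
# shown in the article.
import ipaddress
import re

# Constructed sample: the article's policy route.
POLICY_ROUTE_CONFIG = """\
config router policy
    edit 1
        set input-device "local-interface"
        set src "6.6.6.6/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.109.17.60
        set output-device "vpn-tunnel"
    next
end
"""

# Constructed sample: routing table before the extra static route exists.
ROUTING_TABLE_BEFORE = """\
Routing table for VRF=0
S*          0.0.0.0/0 [10/0] via 10.109.63.254, port2, [1/0]
"""

# Constructed sample: after the fix, a second entry for the same prefix
# with the same distance (10) and a higher priority value (20).
ROUTING_TABLE_AFTER = ROUTING_TABLE_BEFORE + (
    "                      [10/0] via vpn-tunnel tunnel 10.109.17.60, [20/0]\n"
)

# One entry: optional prefix (continuation lines omit it), [distance/metric],
# the text after "via", then the trailing [priority/0].
ENTRY_RE = re.compile(
    r"(?:(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+)?"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>.+?),\s+\[(?P<priority>\d+)/\d+\]"
)


def _split_via(via):
    """(device, gateway) from the text after 'via'. Tunnel next hops print as
    '<device> tunnel <gateway>', others as '<gateway>, <device>' (assumption;
    a device literally named 'tunnel' is not handled)."""
    if " tunnel " in via:
        device, _, gateway = via.partition(" tunnel ")
    else:
        gateway, _, device = via.partition(", ")
    return device.strip(), gateway.strip()


def parse_routing_table(text):
    """Parse 'get router info routing-table all' into a list of dicts."""
    entries, prefix = [], None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue  # legend, headers and connected routes are skipped
        prefix = m.group("prefix") or prefix  # continuation line reuses prefix
        device, gateway = _split_via(m.group("via"))
        entries.append({
            "prefix": ipaddress.ip_network(prefix, strict=False),
            "distance": int(m.group("distance")),
            "priority": int(m.group("priority")),
            "device": device,
            "gateway": gateway,
        })
    return entries


def parse_policy_routes(text):
    """Parse 'config router policy' into {id: {setting: value}}."""
    routes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = int(line.split()[1])
            routes[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            routes[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return routes


def has_reachable_route(policy, entries):
    """True if an active route via the policy's output-device covers its dst."""
    dst = ipaddress.ip_network(policy["dst"], strict=False)
    for e in entries:
        if e["device"] != policy["output-device"]:
            continue
        if "gateway" in policy and e["gateway"] != policy["gateway"]:
            continue
        if e["prefix"].supernet_of(dst):
            return True
    return False


def check_policy_routes(config_text, table_text):
    """Map each policy route id to whether it has a reachable route."""
    entries = parse_routing_table(table_text)
    return {pid: has_reachable_route(p, entries)
            for pid, p in parse_policy_routes(config_text).items()}


def preferred_route(entries, prefix):
    """Among entries for one prefix, the one the FortiGate prefers:
    lowest distance first, then lowest priority value."""
    net = ipaddress.ip_network(prefix)
    return min((e for e in entries if e["prefix"] == net),
               key=lambda e: (e["distance"], e["priority"]))


if __name__ == "__main__":
    print("before fix:", check_policy_routes(POLICY_ROUTE_CONFIG, ROUTING_TABLE_BEFORE))
    print("after fix: ", check_policy_routes(POLICY_ROUTE_CONFIG, ROUTING_TABLE_AFTER))
    best = preferred_route(parse_routing_table(ROUTING_TABLE_AFTER), "0.0.0.0/0")
    print("internet default still preferred via:", best["device"])
```

Run as-is, the script reports `{1: False}` for the routing table without the extra static route and `{1: True}` once the VPN tunnel entry is present, and confirms that the port2 default route (priority 1) remains the preferred one over the tunnel route (priority 20). To use it against a real unit, paste the two CLI outputs into the two strings.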

 

 

If there is no reachable route, the policy route does not take effect: the VPN traffic matches the default route for internet traffic instead and is dropped with policy id 0 (the implicit deny).

This result can be identified in the traffic trace flow debug output:

2024-02-22 22:07:19 id=65308 trace_id=36 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-02-22 22:07:19 id=65308 trace_id=36 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-02-22 22:07:19 id=65308 trace_id=36 func=fw_forward_handler line=835 msg="Denied by forward policy check (policy 0)"    <-----
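A small triage helper for this kind of debug flow output, added here as an example rather than taken from the article: it parses each line's key=value fields, groups the messages by trace_id and reports the traces that ended in a policy 0 denial, which in this scenario is the signal that the traffic fell through to the internet default route instead of the policy route. The embedded input is the article's three lines rejoined onto single lines, plus one constructed line for a trace that was allowed; the wording of that allow message is an assumption.

```python
# Added example (not Fortinet's code): find debug flow traces that were
# denied by policy 0. The key=value parsing assumes the line shape shown
# in the article.
import re
from collections import defaultdict

# Sample input: the article's lines for trace 36, plus one constructed line
# for a trace 37 that was allowed (its message wording is an assumption).
DEBUG_FLOW = """\
2024-02-22 22:07:19 id=65308 trace_id=36 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-02-22 22:07:19 id=65308 trace_id=36 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-02-22 22:07:19 id=65308 trace_id=36 func=fw_forward_handler line=835 msg="Denied by forward policy check (policy 0)"
2024-02-22 22:07:21 id=65308 trace_id=37 func=fw_forward_handler line=835 msg="Allowed by Policy-5:"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def parse_debug_flow(text):
    """Turn each non-empty line into a dict of its fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev["timestamp"] = " ".join(line.split()[:2])
        events.append(ev)
    return events


def messages_by_trace(events):
    """Group msg fields by trace_id, preserving their order of appearance."""
    traces = defaultdict(list)
    for ev in events:
        traces[ev["trace_id"]].append(ev["msg"])
    return dict(traces)


def find_policy_drops(events, policy_id="0"):
    """Return {trace_id: func} for traces denied by the given policy id."""
    drops = {}
    for ev in events:
        m = DENY_RE.search(ev.get("msg", ""))
        if m and m.group(1) == policy_id:
            drops[ev["trace_id"]] = ev["func"]
    return drops


if __name__ == "__main__":
    evs = parse_debug_flow(DEBUG_FLOW)
    for tid, func in find_policy_drops(evs).items():
        print(f"trace {tid}: denied by policy 0 in {func}; "
              "check that the policy route has a reachable route")
        for msg in messages_by_trace(evs)[tid]:
            print("   ", msg)
```

Run against the sample it flags trace 36 only; on a real capture, feed it the raw output of the debug flow session and look at the flagged traces' message sequences, which should end with the forward policy denial shown in the article when the reachable route is missing.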

 

Related articles:

Technical Tip: Configuring the firewall Policy Routes

Technical Tip: Use of Black hole route in site to site IPsec VPN scenarios