sw2090
Honored Contributor

IPSec over vlan => very strange behavior

Heyho,

 

I have the following constellation here:

 

We have a FGT100D for our company here. It has our intranet subnet and also several VLAN interfaces which are tagged through to our switches. It also has several running IPSec tunnels to our shops.

 

Now we plan to open a new shop soon and so I needed to set up a new FGT for this.

So I took one, did a reset to factory and then a firmware upgrade to 5.4.10 (didn't care for the upgrade path since factory defaults). Then did another reset to factory right afterwards.

Then configured WAN1 to connect to one of our VLANs and do DHCP. Also configured the interfaces and VLANs for the new shop on this FGT.

Set up IPSec and routing for our company intranet.

Added this FGT to our FortiManager, did the mappings (interfaces & addresses) and rolled our default policy package out with the FMG. Then rechecked everything on the FGT.

FGT is reachable over the vlan and got all needed policies etc. 

Next I set up the counterpart for the IPSec tunnels on our company FGT, the routing and the policies. With all that, one IPSec is supposed to come up (the other cannot because WAN2 on the new FGT is not connected yet *g*). Those IPSecs are redundant by priority-based routing, so that is not a problem.

The one IPSec tunnel did come up within seconds. So I started pinging the new FGT on its internal IPs (which are reachable only via the IPSec). But I didn't get any traffic through at all. Flow debug on our company FGT showed that the packets matched the correct policy and were indeed routed to the IPSec tunnel as they should be. However, flow debug on the new FGT simply showed me....nothing :(

Rechecked Tunnels and Routing and Policies but all were correct.

Up to now I had set up the IPSec on our company FGT to use the IP of the new FGT's WAN1 as remote gateway and the IPSec on the new FGT to use the IP of WAN1 of our company FGT, and also set them to the corresponding interface (WAN1 on both sides).

Next I reconfigured the IPSec on our company FGT to use the interface of the VLAN where the new FGT's WAN1 is in, and the other side to use the IP our company FGT has in that VLAN as remote gateway.

With that it got even weirder: now (as I saw in flow debug) our company FGT started simply ignoring the static routing over the IPSec tunnels and started routing packets to subnets on the new FGT over its default route. WTH?!?

I then had enough and reconfigured a physical interface on our company FGT and reconfigured the WAN1 on the new one to connect to this. Gave it an internet access policy and reconfigured IPSec to use this interface and IP.

And immediately it all started working as it should. WTH again?!?

 

I am still unsure whether this is a bug in FortiOS or just weird due to even weirder protocols ;)

So I chose not to open a ticket with TAC so far...

 

Did anyone here encounter the same?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

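The layout the post describes, written out as an added example (this is not the poster's configuration, and all interface names, addresses, subnets and pre-shared keys below are hypothetical placeholders): on the company FGT, one phase1-interface bound to the VLAN subinterface that carries the new shop's WAN1 (the poster's second attempt) plus the second, redundant tunnel, static routes to the shop subnet whose priority values pick the preferred tunnel while both are up, the policies in both directions, and the commands used to check which interface the tunnel is actually bound to and which route a packet really takes.

```text
# Company FGT, FortiOS 5.4 CLI. Hypothetical names/addresses throughout.
config vpn ipsec phase1-interface
    edit "shop-vlan100"
        set interface "vlan100"        # VLAN subinterface the shop's WAN1 is plugged into
        set remote-gw 10.100.0.50      # shop WAN1 address in that VLAN (DHCP reservation assumed)
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret REPLACE-WITH-REAL-PSK
    next
    edit "shop-wan2"
        set interface "wan1"           # independent path via the Internet once shop WAN2 is up
        set remote-gw 203.0.113.50
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret REPLACE-WITH-REAL-PSK
    next
end
config vpn ipsec phase2-interface
    edit "shop-vlan100-p2"
        set phase1name "shop-vlan100"
        set proposal aes256-sha256
        set src-subnet 10.0.0.0 255.255.0.0      # company intranet
        set dst-subnet 10.20.0.0 255.255.0.0     # new shop's subnets
    next
    edit "shop-wan2-p2"
        set phase1name "shop-wan2"
        set proposal aes256-sha256
        set src-subnet 10.0.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end
# Redundant routes over both tunnels: same distance, lower priority value preferred.
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "shop-vlan100"
        set priority 10
    next
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "shop-wan2"
        set priority 20
    next
end
config firewall policy
    edit 0
        set name "intranet-to-shop"
        set srcintf "internal"
        set dstintf "shop-vlan100" "shop-wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "shop-to-intranet"
        set srcintf "shop-vlan100" "shop-wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Checks, to be run on BOTH FortiGates while pinging 10.20.0.1 from the intranet:
get router info routing-table all        # is the route via the tunnel installed, or only the default route?
diagnose vpn ike gateway list            # phase1 up? local gateway = the IP of the interface you bound it to?
diagnose vpn tunnel list                 # phase2 SAs present, selectors matching the pinged subnets?
diagnose debug flow filter addr 10.20.0.1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... send the pings, read the trace, then:
diagnose debug disable
diagnose debug reset
```

The point of running the three `get`/`diagnose vpn` commands before the flow trace is that a route over an IPsec interface only appears in the routing table once that phase1 is up, and the phase1 only comes up on the interface named in `set interface`; if the gateway list shows a different local address than the VLAN IP you expected, or the routing table shows only the default route for the shop subnet, the flow trace will show exactly the "routed over the default route" behaviour described in the post. On the shop side, a flow trace that shows nothing at all means the packet never arrived on that box, so the next thing to check is the sniffer on the bound interface (`diagnose sniffer packet vlan100 'host 10.100.0.50 and (udp port 500 or udp port 4500 or esp)' 4`), which tells you whether ESP/IKE is reaching it at all.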