Longest Match Routing

Author
aguerriero
New Member
2021/02/23 07:21:39 (permalink)


With other network vendors I can override a local interface by using a longer bit match for the prefix/mask. 
 
Say I have 172.16.0.0/24 and 172.16.1.0/24 at site 1 but I want to reach 172.16.0.10/32 at site 2 from 172.16.1.0/24 over the VPN tunnel. I can create the specific host route and create a /32 phase 2 SA. 

The problem I am seeing is that the /32 does not override a locally configured interface with a shorter mask length. Even if I disable site 1's 172.16.0.0/24 interface, nothing will route over the tunnel. If I change the address on the site 1 interface to something not in that range then it works. 

At the very least I would expect that disabling the site 1 interface would allow me to route over the VPN to site 2. 
 
This is on 6.2.7.




    Toshi Esumi
    Expert Member
    Re: Longest Match Routing 2021/02/23 09:03:04 (permalink)
    I didn't know the answer so I tested it myself. It's working in my environment. I borrowed one of the available IPs from my /28 LAN and placed the /32 as a loopback interface on the opposite side of the IPsec tunnel. Then pinged from 3 sources:
    1) the FGT itself (picks up the tunnel interface IP for the source)
    2) coming from another interface (wifi)
    3) coming from the /28 subnet
    all got through the tunnel (I was sniffing on both sides of the tunnel). My local FGT is FG50E 6.2.7.
    I should try running "flow debug" to see how your FGT is handling the packets.
    aguerriero
    New Member
    Re: Longest Match Routing 2021/02/23 09:15:25 (permalink)
    Weird. I will have to try again in a lab environment. I ended up using overlapping NAT.
    emnoc
    Expert Member
    Re: Longest Match Routing 2021/02/23 09:49:54 (permalink)
    Yes, longest match should always win.
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
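Added illustration, not part of the thread and not FortiOS code: a small Python model of the "longest match wins" rule emnoc states, applied to the prefixes from the question (two connected /24s at site 1 and a /32 host route toward site 2). Interface names port1, port2 and vpn-site2 are assumed for the example; disabling an interface is modelled as withdrawing its connected route, which is the behaviour the question expects.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: str   # egress interface, e.g. a LAN port or the VPN tunnel interface
    kind: str      # "connected" (interface subnet) or "static"


@dataclass
class RoutingTable:
    routes: list = field(default_factory=list)
    down_interfaces: set = field(default_factory=set)

    def add(self, prefix, nexthop, kind="static"):
        self.routes.append(Route(ipaddress.ip_network(prefix), nexthop, kind))

    def lookup(self, dst):
        """Route used for dst, or None. A route whose interface is down is not
        usable; among usable matches the longest prefix wins (/32 beats /24)."""
        addr = ipaddress.ip_address(dst)
        usable = [r for r in self.routes
                  if addr in r.prefix and r.nexthop not in self.down_interfaces]
        if not usable:
            return None
        return max(usable, key=lambda r: r.prefix.prefixlen)


def site1_table():
    """Site 1 from the question: two connected /24s plus a /32 host route via the
    tunnel. Interface names (port1, port2, vpn-site2) are assumed for illustration."""
    rt = RoutingTable()
    rt.add("172.16.0.0/24", "port1", kind="connected")
    rt.add("172.16.1.0/24", "port2", kind="connected")
    rt.add("172.16.0.10/32", "vpn-site2")   # matches the /32 phase 2 selector
    return rt


def next_hop(dst, down_interfaces=()):
    """Egress interface site 1 would pick for dst, optionally with interfaces down."""
    rt = site1_table()
    rt.down_interfaces.update(down_interfaces)
    route = rt.lookup(dst)
    return route.nexthop if route else None


if __name__ == "__main__":
    print(next_hop("172.16.0.10"))                  # vpn-site2: /32 beats the /24
    print(next_hop("172.16.0.20"))                  # port1: only the connected /24
    print(next_hop("172.16.0.10", down_interfaces={"port1"}))  # still vpn-site2
    print(next_hop("172.16.0.20", down_interfaces={"port1"}))  # None: /24 withdrawn
```

On a real FortiGate, `diagnose debug flow` (the "flow debug" Toshi mentions) is the way to confirm which route the unit actually selected for a given packet.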