[FortiOS 7.0] - Gateway IP in static routes for vpn tunnel interface

Author: DG
2021/08/31 05:46:21


Hello,
  in the static routes page, the Gateway IP shown for an IPsec VPN tunnel interface is the public IP of the remote endpoint. FortiOS 6 shows the private IP of the remote endpoint. Personally I think the public IP shown in the routing table as the next hop for a private subnet is misleading:

 
Does anyone know if it's working as intended or if it's a graphical bug that I should report?
 
Thank you
#1


    Kangming_FTNT  2021/09/03 01:04:00
    Hi DG, 
     
    On the FOS 7.0 platform, a tunnel id is used by the new IPsec kernel implementation.
     
    An IPsec tunnel has a tunnel id. Normally this is the remote gateway of the tunnel. For tunnels with the same remote gateway, the tunnel id will be randomly assigned and will be different from the remote gateway. The tunnel id is printed in "diagnose vpn tunnel list".
     
    A route also has a tunnel id, which coincides with the gateway of the route when the route directs traffic to an IPsec interface.
     
    It should be noted that the next hop of a route over a VIT IPsec VPN tunnel is only a tunnel-ID identifier, not a real next-hop IP, which differs from an ordinary route's next hop.
     
    Therefore, the VPN routes we see in the latest v7.0.1 look like this:
    S 10.61.0.0/16 [10/0] via t1 tunnel 63.1.1.1, [51/0]
    B 211.211.211.211/32 [200/0] via 10.1.14.1 (recursive via 64.1.1.1, v3164), 00:15:19
    [200/0] via 10.1.63.254 (recursive via t1 tunnel 63.1.1.1), 00:15:19
    [200/0] via 10.1.79.254 (recursive via t2 tunnel 64.1.1.1), 00:15:19
    S 2261::61/128 [15/0] via to626 tunnel 10.0.0.11, 00:01:10, [1024/0]
    B 2061::/64 [200/0] via fd01:4::1 (recursive via ts62 tunnel 10.0.0.7), 00:11:14
     
    The original IP address is replaced with "tunnel x.x.x.x" in order to avoid confusion. Although it is still easy to misunderstand because it is different from before, we will provide relevant documentation later to help everyone become familiar with and get used to this way of working.
     
    Thank you
    #2
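The practical consequence of the reply above is that a "via x.x.x.x" in a FortiOS 7.0 routing table can mean two different things: a real next-hop address, or an IPsec tunnel id that merely names the tunnel and should be matched against "diagnose vpn tunnel list". The following parser is an added example written for this page, not code from the original thread or from Fortinet. It takes the route lines quoted in the reply (plus one constructed connected-route line) as its sample input, assumes the line layout shown there, and flags for each path whether the printed gateway is a tunnel id or an address, including BGP next hops resolved recursively over a tunnel. The function and field names are the editor's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Route lines copied from the reply above. The final "C" line is constructed
# to show that connected routes, which carry no gateway, are skipped.
SAMPLE = """\
S 10.61.0.0/16 [10/0] via t1 tunnel 63.1.1.1, [51/0]
B 211.211.211.211/32 [200/0] via 10.1.14.1 (recursive via 64.1.1.1, v3164), 00:15:19
[200/0] via 10.1.63.254 (recursive via t1 tunnel 63.1.1.1), 00:15:19
[200/0] via 10.1.79.254 (recursive via t2 tunnel 64.1.1.1), 00:15:19
S 2261::61/128 [15/0] via to626 tunnel 10.0.0.11, 00:01:10, [1024/0]
B 2061::/64 [200/0] via fd01:4::1 (recursive via ts62 tunnel 10.0.0.7), 00:11:14
C 10.1.14.0/24 is directly connected, port1
"""

# "<proto> <prefix> <rest>"; continuation paths start with "[" and do not match.
ROUTE_LINE = re.compile(r"^(?P<proto>[A-Z*>]+)\s+(?P<prefix>\S+)\s+(?P<rest>.*)$")
# "[AD/metric] via <hop...>"
PATH_LINE = re.compile(r"^\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>.*)$")
# "<tunnel-interface> tunnel <tunnel-id>": the id is an identifier, not a next hop.
TUNNEL_HOP = re.compile(r"^(?P<iface>\S+)\s+tunnel\s+(?P<tid>[0-9A-Fa-f.:]+)")
# "<ip> (recursive via ...)": a real next-hop IP, possibly resolved recursively.
IP_HOP = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+)(?:\s+\(recursive via (?P<rec>[^)]*)\))?")


@dataclass
class NextHop:
    proto: str
    prefix: str
    ad: int
    metric: int
    gateway: str                    # the value printed after "via"
    is_tunnel_id: bool              # True: gateway is an IPsec tunnel id, not a reachable IP
    tunnel_iface: Optional[str] = None
    recursive_via: Optional[str] = None
    recursive_is_tunnel_id: bool = False


def _parse_hop(via: str) -> dict:
    """Classify the text after 'via' as a tunnel id or a real next-hop IP."""
    m = TUNNEL_HOP.match(via)
    if m:
        return {"gateway": m["tid"], "is_tunnel_id": True, "tunnel_iface": m["iface"]}
    m = IP_HOP.match(via)
    if not m:
        raise ValueError(f"unrecognised next hop: {via!r}")
    hop = {"gateway": m["ip"], "is_tunnel_id": False}
    if m["rec"]:
        t = TUNNEL_HOP.match(m["rec"])
        if t:
            # e.g. a BGP next hop reached through an IPsec interface: the
            # recursive "gateway" is again a tunnel id, not an address on the wire.
            hop.update(tunnel_iface=t["iface"], recursive_via=t["tid"],
                       recursive_is_tunnel_id=True)
        else:
            hop["recursive_via"] = m["rec"].split(",")[0].strip()
    return hop


def parse_routing_table(text: str) -> List[NextHop]:
    """Parse FortiOS 7.0 routing-table lines; continuation paths inherit the prefix."""
    hops: List[NextHop] = []
    proto = prefix = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_LINE.match(line)
        if m:
            proto, prefix, rest = m["proto"], m["prefix"], m["rest"]
        else:
            rest = line  # "[AD/metric] via ..." belonging to the previous prefix
        p = PATH_LINE.match(rest)
        if not p or proto is None:
            continue     # headers, blank lines, connected routes
        hops.append(NextHop(proto, prefix, int(p["ad"]), int(p["metric"]),
                            **_parse_hop(p["via"])))
    return hops


def tunnel_ids(hops: List[NextHop]) -> Set[str]:
    """Every tunnel id appearing as a gateway, to cross-check in 'diagnose vpn tunnel list'."""
    ids = {h.gateway for h in hops if h.is_tunnel_id}
    ids |= {h.recursive_via for h in hops if h.recursive_is_tunnel_id}
    return ids


def describe(h: NextHop) -> str:
    """One human-readable line that says what the printed gateway really is."""
    if h.is_tunnel_id:
        return f"{h.prefix}: over {h.tunnel_iface} (tunnel id {h.gateway}; not a next-hop IP)"
    s = f"{h.prefix}: next hop {h.gateway}"
    if h.recursive_is_tunnel_id:
        s += f", resolved over {h.tunnel_iface} (tunnel id {h.recursive_via})"
    elif h.recursive_via:
        s += f", resolved via {h.recursive_via}"
    return s


if __name__ == "__main__":
    parsed = parse_routing_table(SAMPLE)
    for h in parsed:
        print(describe(h))
    print("tunnel ids to look up:", sorted(tunnel_ids(parsed)))
```

Feed it the saved output of `get router info routing-table all` instead of SAMPLE to get the same classification for a live unit. Note that, as the reply says, a tunnel id normally equals the remote gateway but is randomly assigned when several tunnels share one remote gateway, so the set returned by tunnel_ids() should be resolved against "diagnose vpn tunnel list" rather than read as peer addresses.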
    Kangming_FTNT  2021/10/13 10:40:54

    Thanks
    Kangming
    #3