Re: [FortiOS 7.0] - Gateway IP in static routes for vpn tunnel interface
On the FOS 7.0 platform, a tunnel id is used for a new IPsec kernel implementation.
An IPsec tunnel has a tunnel id. Normally this is the remote gateway of the tunnel. For tunnels with the same remote gateway, the tunnel id will be randomly assigned and will be different from the remote gateway. The tunnel id is printed in "diagnose vpn tunnel list".
A route also has a tunnel id. The tunnel id in a route coincides with the gateway of the route. That means when a route directs traffic to an IPsec interface.
It should be noted that the next hop shown in a route for a VTI IPsec VPN tunnel is only a tunnel-ID identifier, not the real next-hop IP of the route, which is different from our ordinary route next hop.
Therefore, the VPN route we see in the latest V7.0.1 is like this:
    S 10.61.0.0/16 [10/0] via t1 tunnel 22.214.171.124, [51/0]
    B 126.96.36.199/32 [200/0] via 10.1.14.1 (recursive via 188.8.131.52, v3164), 00:15:19
                       [200/0] via 10.1.63.254 (recursive via t1 tunnel 184.108.40.206), 00:15:19
                       [200/0] via 10.1.79.254 (recursive via t2 tunnel 220.127.116.11), 00:15:19
    S 2261::61/128 [15/0] via to626 tunnel 10.0.0.11, 00:01:10, [1024/0]
    B 2061::/64 [200/0] via fd01:4::1 (recursive via ts62 tunnel 10.0.0.7), 00:11:14
The original IP address is replaced with "tunnel x.x.x.x" in order to avoid confusion. Although it is still easy to misunderstand because it is different from before, we will make relevant documentation later in order to help everyone become familiar with and get used to this way of working.
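
Added example, not part of the original post: a small Python parser for the route lines quoted above that separates a real next-hop IP from a tunnel id, so a route audit or inventory script does not record a tunnel id as a gateway. The function names and the regular expressions are assumptions based only on the six lines shown in the post.

```python
import ipaddress
import re

# Route lines copied from the post above (FortiOS 7.0.1 output format).
SAMPLE = """\
S 10.61.0.0/16 [10/0] via t1 tunnel 22.214.171.124, [51/0]
B 126.96.36.199/32 [200/0] via 10.1.14.1 (recursive via 188.8.131.52, v3164), 00:15:19
[200/0] via 10.1.63.254 (recursive via t1 tunnel 184.108.40.206), 00:15:19
[200/0] via 10.1.79.254 (recursive via t2 tunnel 220.127.116.11), 00:15:19
S 2261::61/128 [15/0] via to626 tunnel 10.0.0.11, 00:01:10, [1024/0]
B 2061::/64 [200/0] via fd01:4::1 (recursive via ts62 tunnel 10.0.0.7), 00:11:14
"""

HEAD = re.compile(r"^([A-Z]\S*)\s+(\S+/\d+)\s+\[")    # route code + prefix
FIRST_VIA = re.compile(r"via ([^\s,]+)")              # token after first "via"
TUNNEL = re.compile(r"via (\S+) tunnel ([^\s,)]+)")   # "<interface> tunnel <id>"

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_routes(text):
    """Return one dict per path; continuation lines inherit the last prefix."""
    paths, prefix = [], None
    for line in text.splitlines():
        line = line.strip()
        head = HEAD.match(line)
        if head:
            prefix = head.group(2)
        via = FIRST_VIA.search(line)
        if not via or prefix is None:
            continue
        tun = TUNNEL.search(line)
        paths.append({
            "prefix": prefix,
            # A real next hop only when the first "via" token is an IP literal.
            "next_hop": via.group(1) if _is_ip(via.group(1)) else None,
            "tunnel_if": tun.group(1) if tun else None,
            "tunnel_id": tun.group(2) if tun else None,
        })
    return paths

def tunnel_id_only(paths):
    """Prefixes whose displayed address is a tunnel id, not a next-hop IP."""
    return sorted({p["prefix"] for p in paths
                   if p["next_hop"] is None and p["tunnel_id"]})
```
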