FortiGate
jrosado_FTNT, Staff
Article Id 197355
Description
This article addresses the scenario where a dialup IPsec VPN comes up, but traffic generated from the internal LAN cannot reach the remote host.

Static routing might be correctly configured to send VPN traffic over the designated VPN sub-interface, but if a policy route sends all traffic directly to the WAN link, that policy route takes precedence over the static routes and the traffic never reaches its destination.

Solution
In the output of a debug flow it is possible to confirm whether a policy route matches this traffic and misroutes it. In the example below, traffic from the LAN matches a policy route that forwards it to the gateway 187.188.145.129 via wan1 instead of the VPN sub-interface:

id=20085 trace_id=110 func=iprope_dnat_check line=4650 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=110 func=vf_ip4_route_input line=1586 msg="Match policy routing: to 187.188.145.129 via ifindex-26"
id=20085 trace_id=110 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-187.188.145.129 via wan1"
id=20085 trace_id=110 func=iprope_fwd_check line=630 msg="in-[lan], out-[wan1], skb_flags-00800000, vid-0"

The way to send this traffic into the VPN without modifying the existing policy routes is to configure a new policy route at the top of the list that matches traffic originating from the LAN and going to the VPN range (the traffic that should be sent over the VPN sub-interface), with the action set to "Stop Policy Routing". A session matching this entry is no longer handled by policy routing; it is checked against the routing table instead, which finds the correct path into the VPN.
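The following is an added example of the whole procedure on the FortiOS CLI, covering both the debug flow check above and the "Stop Policy Routing" entry; it is not part of the original article. The interface names "lan" and "wan1" and the gateway 187.188.145.129 come from the debug output above; the tunnel name "dialup_vpn", the LAN subnet 192.168.1.0/24, the remote VPN range 10.10.10.0/24, the host addresses used in the filter and the sequence number 10 are assumptions chosen for illustration and must be replaced with the values of the unit being troubleshot. In the CLI, the GUI action "Stop Policy Routing" corresponds to "set action deny" under "config router policy".

```fortios
# 1. Reproduce the problem with a debug flow limited to the LAN host and the remote VPN host.
#    Look for "Match policy routing" followed by "out-[wan1]": that is the misroute.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.1.10
diagnose debug flow filter daddr 10.10.10.5
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# (generate traffic from 192.168.1.10 to 10.10.10.5, then stop the trace)
diagnose debug flow trace stop
diagnose debug disable

# 2. Confirm that the routing table already has the correct path over the tunnel interface
#    (this is the route the "Stop Policy Routing" entry will let the session fall back to).
get router info routing-table all
diagnose firewall proute list

# 3. Add a policy route that matches LAN -> VPN range and stops policy routing for it.
#    No output device is set: the routing table decides, and it points to dialup_vpn.
config router policy
    edit 10
        set input-device "lan"
        set src "192.168.1.0/255.255.255.0"
        set dst "10.10.10.0/255.255.255.0"
        set action deny
        set comments "LAN to VPN range: stop policy routing, use routing table"
    next
    # Policy routes are evaluated top-down, so the new entry must sit above the
    # catch-all entry that sends everything to wan1 (assumed here to be seq-num 1).
    move 10 before 1
end

# 4. Re-run the debug flow from step 1. The expected change is that the
#    "Match policy routing ... via ifindex" line for wan1 no longer appears and the
#    forwarding line reads in-[lan], out-[dialup_vpn].
```

"set action deny" does not drop the packet; it only ends policy-route evaluation for that session, so the ordinary lookup in the routing table (where the static route to the VPN range lives) is used. Keep the match as narrow as possible (input device, source subnet, destination range) so the catch-all policy route keeps applying to all other LAN traffic.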
