FortiGate
alif
Staff
Article Id 193929
Description
This article describes the default route entry that is installed in the routing table of a FortiGate unit when a dialup VPN tunnel is established, and how to prevent it from taking over Internet-bound traffic.

Solution
If a dialup VPN tunnel is configured on the FortiGate with its default settings, a static default route through the tunnel interface is installed in the routing table for each connected peer, as in the output below.
# get router info routing-table details 0.0.0.0
Routing entry for 0.0.0.0/0
Known via "static", distance 15, metric 0
173.243.128.1, via FTNT-VPN

Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 96.45.32.1, via wan1
96.45.32.1 is the default gateway of the wan1 interface. Its route is marked best (and *) because its administrative distance, 10, is lower than the tunnel route's; 10 is the default distance of a static route.

173.243.128.1 is the WAN IP address of the remote peer connected to the FTNT-VPN tunnel interface. The route through the tunnel has distance 15, the default for routes added by IKE (the distance setting of the phase1-interface), so it stays inactive as long as the wan1 default route is present with a lower distance.


The default route through the tunnel interface is installed by the add-route setting, which is enabled by default. add-route adds a route to the phase2 destination selector negotiated with each peer; when a dialup client negotiates 0.0.0.0/0 as its selector, the result is a default route through the tunnel.
# config vpn ipsec phase1-interface
    edit FTNT-VPN
        set add-route enable    <----- Enabled by default.
    next
end
As more users connect to the dialup VPN interface, one such default route is installed for each remote peer.

These routes are harmless while the WAN default route keeps the lower distance. If the distance of the WAN default route is raised to 15 or higher (or the tunnel route's distance is lowered to match or undercut it), the routes through the dialup tunnel become best, or share traffic with the WAN route when the distances are equal, and Internet-bound traffic from the protected networks is forwarded into the dialup tunnels instead of out of wan1, disrupting connectivity. To avoid this behavior, disable add-route in the phase1-interface settings of the dialup VPN tunnel. After disabling it, make sure that traffic toward the dialup clients still has a route (for example a static route for the clients' address range through the tunnel interface), since add-route was the mechanism that installed those routes.

Note that 'set add-route {disable | enable}' is only available under phase1-interface when the tunnel type is set to dynamic (set type dynamic), that is, on dialup tunnels.
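The following check is an added example and is not part of the original article or of FortiOS. It parses the output format of 'get router info routing-table details 0.0.0.0' shown above and flags any 0.0.0.0/0 route through a dialup tunnel interface whose distance is lower than or equal to the WAN default route's, which is exactly the condition that sends Internet traffic into the tunnel. The set of tunnel interface names is an input you supply (the phase1-interface names); the two samples are constructed from the article's output, the second one with the wan1 distance raised to 20.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample: the 'get router info routing-table details 0.0.0.0'
# output shown in the article, with the wan1 default route winning (distance 10).
SAMPLE_OK = """\
Routing entry for 0.0.0.0/0
Known via "static", distance 15, metric 0
173.243.128.1, via FTNT-VPN

Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 96.45.32.1, via wan1
"""

# Constructed variant: the wan1 default route's distance was raised to 20, so
# the add-route default route through the dialup tunnel is now 'best'.
SAMPLE_BAD = """\
Routing entry for 0.0.0.0/0
Known via "static", distance 15, metric 0, best
* 173.243.128.1, via FTNT-VPN

Routing entry for 0.0.0.0/0
Known via "static", distance 20, metric 0
96.45.32.1, via wan1
"""


@dataclass
class RouteEntry:
    prefix: str
    protocol: str
    distance: int
    metric: int
    best: bool
    gateway: str
    interface: str


# One routing entry as printed by the command above: three lines, one next hop.
# Leading whitespace is tolerated because the live CLI indents the last two lines.
ENTRY_RE = re.compile(
    r'Routing entry for (?P<prefix>\S+)[ \t]*\n'
    r'[ \t]*Known via "(?P<proto>[^"]+)", distance (?P<dist>\d+), metric (?P<metric>\d+)'
    r'(?P<best>, best)?[ \t]*\n'
    r'[ \t]*(?:\* )?(?P<gw>\S+), via (?P<intf>\S+)'
)


def parse_routes(text: str) -> List[RouteEntry]:
    """Parse every routing entry in the command output."""
    return [
        RouteEntry(
            prefix=m['prefix'],
            protocol=m['proto'],
            distance=int(m['dist']),
            metric=int(m['metric']),
            best=m['best'] is not None,
            gateway=m['gw'],
            interface=m['intf'],
        )
        for m in ENTRY_RE.finditer(text)
    ]


def check_default_route(text: str, tunnel_interfaces: Iterable[str],
                        prefix: str = "0.0.0.0/0") -> Tuple[bool, List[str]]:
    """Flag default routes through dialup tunnels that beat or tie the WAN route.

    FortiOS prefers the lowest administrative distance; equal distances are
    load-balanced (ECMP), so a tunnel route that ties the WAN route already
    pulls part of the Internet traffic into the tunnel. Returns (ok, findings).
    """
    tunnels = set(tunnel_interfaces)
    entries = [e for e in parse_routes(text) if e.prefix == prefix]
    findings: List[str] = []

    if not entries:
        return False, [f"no route for {prefix} found in the output"]

    wan_entries = [e for e in entries if e.interface not in tunnels]
    if not wan_entries:
        return False, [f"every {prefix} route goes through a tunnel interface; "
                       "the WAN default route is missing"]
    wan_distance = min(e.distance for e in wan_entries)

    for e in entries:
        if e.interface in tunnels and e.distance <= wan_distance:
            relation = "ties" if e.distance == wan_distance else "beats"
            findings.append(
                f"{prefix} via {e.interface} (distance {e.distance}) {relation} the WAN "
                f"default route (distance {wan_distance}): Internet traffic will be "
                f"sent into the tunnel; disable add-route on that phase1-interface"
            )
    return not findings, findings


if __name__ == "__main__":
    for name, sample in (("article output", SAMPLE_OK),
                         ("wan1 distance raised to 20", SAMPLE_BAD)):
        ok, findings = check_default_route(sample, {"FTNT-VPN"})
        print(f"{name}: {'OK' if ok else 'PROBLEM'}")
        for line in findings:
            print("  -", line)
```

To use it against a real unit, save the output of 'get router info routing-table details 0.0.0.0' to a file and pass its contents together with the names of the dialup phase1-interfaces. The parser handles one next hop per entry, which is what the command prints for the static routes discussed here; the tie case is reported separately because an equal distance does not look like a problem in the output (the WAN route may still carry the 'best' mark) yet already splits traffic between wan1 and the tunnel.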
