FortiGate
lestopace
Staff
Article Id 190642
Description
This article describes how to advertise an IP Pool network into OSPF so that the remote peer has a return route for source-NATed traffic.

Solution
Problem.

PC behind FortiGate 1.

FortiGate 1.
# get router info routing-table ospf
Routing table for VRF=0
O       10.26.20.13/32 [110/200] via 10.10.1.2, IPSec_Tunnel, 06:32:44

id=20085 trace_id=4216 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=1, 10.247.2.52:1->10.26.20.13:2048) from port4. type=8, code=0, id=1, seq=9060."
id=20085 trace_id=4216 func=init_ip_session_common line=5871 msg="allocate a new session-016745ba"
id=20085 trace_id=4216 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-10.10.1.2 via IPSec_Tunnel"
id=20085 trace_id=4216 func=fw_forward_handler line=796 msg="Allowed by Policy-26: SNAT"
id=20085 trace_id=4216 func=__ip_session_run_tuple line=3478 msg="SNAT 10.247.2.52->172.16.53.52:60417"
id=20085 trace_id=4216 func=ipd_post_route_handler line=490 msg="out IPSec_Tunnel vwl_zone_id 0, state2 0x0, quality 0.
FortiGate 2:
# id=20085 trace_id=47 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 172.16.53.52:60417->10.26.20.13:2048) from IPSec_Tunnel. type=8, code=0, id=60417, seq=9060."
id=20085 trace_id=47 func=init_ip_session_common line=5534 msg="allocate a new session-001d1e6e"
id=20085 trace_id=47 func=ip_route_input_slow line=2242 msg="reverse path check fail, drop"
id=20085 trace_id=47 func=ip_session_handle_no_dst line=5609 msg="trace"        next
The machine behind FortiGate 1 was unable to reach the destination because of the message "reverse path check fail, drop".
This is because FortiGate 2 has no route back to the source IP (the IP Pool address 172.16.53.52 that FortiGate 1 used for SNAT), so the reverse path forwarding check on the incoming packet fails.
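As an added example (not from the article or from Fortinet), the following Python script reads a FortiGate routing-table listing and debug flow lines of the kind shown above, pairs each "reverse path check fail, drop" with the packet of the same trace_id, and reports whether a route back to the source exists and whether it points out the interface the packet arrived on. The routing-table and flow text embedded in it is constructed from this article's output; the Loopback interface name on FortiGate 2 is an assumption.

```python
"""Explain FortiGate 'reverse path check fail, drop' debug-flow lines against a
'get router info routing-table' listing. Added example, not Fortinet code; the
sample text is constructed from the article's own output."""
import ipaddress
import re

# Constructed: FortiGate 2's RIB before the fix (no route back to the IP Pool)
# and after OSPF learns the redistributed blackhole route from FortiGate 1.
RIB_BEFORE = """C       10.10.1.0/30 is directly connected, IPSec_Tunnel
C       10.26.20.13/32 is directly connected, Loopback
"""
RIB_AFTER = RIB_BEFORE + (
    "O E2    172.16.52.0/22 [110/10] via 10.10.1.1, IPSec_Tunnel, 00:04:46\n")
# Constructed: the FortiGate 2 trace from the article that ends in the RPF drop.
FLOW = """id=20085 trace_id=47 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 172.16.53.52:60417->10.26.20.13:2048) from IPSec_Tunnel. type=8, code=0, id=60417, seq=9060."
id=20085 trace_id=47 func=ip_route_input_slow line=2242 msg="reverse path check fail, drop"
"""
# Route line: code letter, prefix, egress interface after 'via x,'/'connected,'/'summary,'.
ROUTE_RE = re.compile(r"^[A-Z]\s.*?(\d+\.\d+\.\d+\.\d+/\d+).*?(?:via [\d.]+|connected|summary), (\w+)")
PKT_RE = re.compile(r"packet\(proto=\d+, ([\d.]+):\d+->[\d.]+:\d+\) from (\w+)\.")
TRACE_RE = re.compile(r"trace_id=(\d+)")

def parse_rib(text):
    """Return [(network, egress_interface)] from a routing-table listing."""
    rib = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            rib.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return rib

def best_route(rib, ip):
    """Longest-prefix match; the RPF check needs a route back to the source."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, intf) for net, intf in rib if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def rpf_drops(flow, rib):
    """Pair each RPF drop with its packet; report return route and whether it is symmetric."""
    pkts, findings = {}, []
    for line in flow.splitlines():
        tid, pkt = TRACE_RE.search(line), PKT_RE.search(line)
        if tid and pkt:
            pkts[tid.group(1)] = (pkt.group(1), pkt.group(2))  # src ip, ingress intf
        elif tid and "reverse path check fail" in line and tid.group(1) in pkts:
            src, ingress = pkts[tid.group(1)]
            route = best_route(rib, src)
            findings.append({"trace_id": tid.group(1), "src": src, "ingress": ingress,
                             "return_route": str(route[0]) if route else None,
                             "symmetric": bool(route) and route[1] == ingress})
    return findings
```

Run against RIB_BEFORE the drop is reported with no return route; against RIB_AFTER the redistributed 172.16.52.0/22 covers the source and points back out IPSec_Tunnel.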

Solution.
 
1) From FortiGate 1, configure a static route whose destination is the IP Pool network and enable blackhole on it, so the prefix exists in the routing table without sending any traffic anywhere.

FortiGate 1.
# config router static
    edit 0
        set dst 172.16.52.0 255.255.252.0
        set blackhole enable
    next
end
2) From FortiGate 1, enable redistribute static under OSPF configuration.

FortiGate 1.
# config router ospf
    config redistribute "static"
        set status enable
    end
end
Note.
Depending on the setup and how the above is applied, it may be necessary to add phase-2 selectors and to update the source and destination address objects of the firewall policies on both FortiGates.

Testing Scenario 1: Ping from PC behind FortiGate 1 to the Loopback interface IP behind FortiGate 2.

PC behind FortiGate 1.

FortiGate 2.
# get router info routing-table ospf
O E2    172.16.52.0/22 [110/10] via 10.10.1.1, IPSec_Tunnel, 00:04:46

# id=20085 trace_id=88 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 172.16.53.52:60417->10.26.20.13:2048) from IPSec_Tunnel. type=8, code=0, id=60417, seq=9085."
id=20085 trace_id=88 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-001d53f6, original direction"
id=20085 trace_id=89 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 10.26.20.13:60417->172.16.53.52:0) from local. type=0, code=0, id=60417, seq=9085."
id=20085 trace_id=89 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-001d53f6, reply direction"
id=20085 trace_id=89 func=ipsecdev_hard_start_xmit line=640 msg="enter IPsec interface-IPSec_Tunnel"
id=20085 trace_id=89 func=esp_output4 line=895 msg="IPsec encrypt/auth"
Note.
Now that FortiGate 2 knows how to route back to the source IP, the problem is solved.
Testing Scenario 2: Ping from Loopback interface IP in FortiGate 2 to the host behind FortiGate 1.

FortiGate 2.
# execute ping-options source 10.26.20.13
# execute ping 172.16.53.52

PING 172.16.53.52 (172.16.53.52): 56 data bytes
64 bytes from 172.16.53.52: icmp_seq=0 ttl=127 time=1.7 ms
64 bytes from 172.16.53.52: icmp_seq=1 ttl=127 time=1.6 ms
64 bytes from 172.16.53.52: icmp_seq=2 ttl=127 time=1.7 ms
64 bytes from 172.16.53.52: icmp_seq=3 ttl=127 time=1.7 ms
64 bytes from 172.16.53.52: icmp_seq=4 ttl=127 time=1.7 ms

--- 172.16.53.52 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.6/1.6/1.7 ms
FortiGate 1.
# get router info routing-table  all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
C       10.10.1.0/30 is directly connected, IPSec_Tunnel
C       10.10.1.1/32 is directly connected, IPSec_Tunnel
O       10.26.20.13/32 [110/200] via 10.10.1.2, IPSec_Tunnel, 00:09:25
C       10.247.0.0/22 is directly connected, port4
S       172.16.52.0/22 [10/0] is a summary, Null


# id=20085 trace_id=4288 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=1, 10.26.20.13:2560->172.16.53.52:2048) from IPSec_Tunnel. type=8, code=0, id=2560, seq=0."
id=20085 trace_id=4288 func=init_ip_session_common line=5871 msg="allocate a new session-0167a822"
id=20085 trace_id=4288 func=fw_pre_route_handler line=182 msg="VIP-10.247.2.52:2560, outdev-unknown"
id=20085 trace_id=4288 func=__ip_session_run_tuple line=3492 msg="DNAT 172.16.53.52:8->10.247.2.52:2560"
id=20085 trace_id=4288 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.247.2.52 via port4"
id=20085 trace_id=4288 func=fw_forward_handler line=796 msg="Allowed by Policy-27:"
id=20085 trace_id=4288 func=ipd_post_route_handler line=490 msg="out port4 vwl_zone_id 0, state2 0x0, quality 0.
"
id=20085 trace_id=4289 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=1, 10.247.2.52:2560->10.26.20.13:0) from port4. type=0, code=0, id=2560, seq=0."
id=20085 trace_id=4289 func=resolve_ip_tuple_fast line=5781 msg="Find an existing session, id-0167a822, reply direction"
id=20085 trace_id=4289 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-10.10.1.2 via IPSec_Tunnel"
id=20085 trace_id=4289 func=npu_handle_session44 line=1160 msg="Trying to offloading session from port4 to IPSec_Tunnel, skb.npu_flag=00000000 ses.state=00004200 ses.npu_state=0x03040000"
Note.
Even though a blackhole (null) route is in place, the FortiGate kernel processes DNAT before routing, so packets destined to the 'blackhole subnet' were first translated to an IP address that belongs to a connected route on FortiGate 1; hence they were never dropped.
