Fortinet black logo

Cookbook

Configuring static routes on HQ

Copy Link
Copy Doc ID a4a06ec3-12a7-11e9-b86b-00505692583a:103317
Download PDF

Configuring static routes on HQ

  1. To create the necessary routes on HQ, go to Network > Static Routes and select Create New.
  2. Enter the new subnet created in the "Planning the new addressing scheme" section for Branch’s LAN in the Destination field, and select the VPN tunnel created in the "Configuring the IPsec VPN on HQ" section as the Interface (in the example, this is 10.2.2.0/24 and VPN-to-Branch).

  3. Create an additional route with the same Destination as the previous route, but this time change the Administrative Distance to 200 and select Blackhole as the Interface. This is the best practice for route-based IPsec VPN tunnels, as it ensures traffic for the remote FortiGate's subnet is not sent using the default route in the event that the IPsec tunnel goes down.

Configuring static routes on HQ

  1. To create the necessary routes on HQ, go to Network > Static Routes and select Create New.
  2. Enter the new subnet created in the "Planning the new addressing scheme" section for Branch’s LAN in the Destination field, and select the VPN tunnel created in the "Configuring the IPsec VPN on HQ" section as the Interface (in the example, this is 10.2.2.0/24 and VPN-to-Branch).

  3. Create an additional route with the same Destination as the previous route, but this time change the Administrative Distance to 200 and select Blackhole as the Interface. This is the best practice for route-based IPsec VPN tunnels, as it ensures traffic for the remote FortiGate's subnet is not sent using the default route in the event that the IPsec tunnel goes down.