Administration Guide

Dynamic IPsec route control

You can add a route to a peer destination selector by using the add-route option, which is available for all dynamic IPsec phases 1 and 2, for both policy-based and route-based IPsec VPNs.

The add-route option adds a route to the FortiGate routing information base when the dynamic tunnel is negotiated. You can use the distance and priority options to set the distance and priority of this route. If this results in a route with the lowest distance, it is added to the FortiGate forwarding information base.

You can also enable add-route in any policy-based or route-based phase 2 configuration that is associated with a dynamic (dialup) phase 1. In phase 2, add-route can be enabled, disabled, or set to use the same route as phase 1.

The add-route option is enabled by default.

To configure add-route in phase 1:
config vpn ipsec {phase1 | phase1-interface}
    edit <name>
        set type dynamic
        set add-route {enable | disable}
    next
end
To configure add-route in phase 2:
config vpn ipsec {phase2 | phase2-interface}
    edit <name>
        set add-route {phase1 | enable | disable}
    next
end

Blocking IPsec SA negotiation

For interface-based IPsec, IPsec SA negotiation blocking can only be removed if the peer offers a wildcard selector. If a wildcard selector is offered, then the wildcard route will be added to the routing table with the distance/priority value configured in phase 1. If that is the route with the lowest distance, it will be installed into the forwarding information base.

In this scenario, it is important to ensure that the distance value configured for phase 1 is set appropriately.
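As an added illustration of the distance caveat above (example configuration written for this page, not taken from the Fortinet guide): a dialup phase 1 whose route distance is kept above that of the static default route, so a peer that offers a wildcard selector cannot have its 0.0.0.0/0 tunnel route displace the default route in the forwarding information base. The interface name, gateway address, object names, pre-shared key placeholder, and the distance and priority values are assumptions.

```fortios
# Static default route via the ISP gateway. Distance 10 is an assumed
# value for this example.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
end

# Dialup (dynamic) phase 1. add-route is enabled by default; the distance
# and priority below decide whether a route learned from a peer can win
# over the static default route above. With distance 20 the peer's
# wildcard route stays in the RIB but loses to the distance-10 default.
# Setting distance below 10 here would let any connecting peer that
# offers a wildcard selector take over the default route.
config vpn ipsec phase1-interface
    edit "dialup-ipsec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set add-route enable
        set distance 20
        set priority 100
        set psksecret <preshared-key>
    next
end

# Phase 2 inherits the phase 1 route settings (add-route phase1). The
# 0.0.0.0/0 selectors are what allow a peer to negotiate a wildcard
# selector, which is the case the guide warns about.
config vpn ipsec phase2-interface
    edit "dialup-ipsec-p2"
        set phase1name "dialup-ipsec"
        set add-route phase1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# After a peer connects, confirm that the selected 0.0.0.0/0 entry is
# still the static route and that the tunnel route carries distance 20.
get router info routing-table all
diagnose vpn tunnel list
```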
