Monday, June 23, 2008

VPN Manager Gotchas in FortiManager

Be careful when using interface-mode VPN setups created in FortiManager.
Imagine the following setup:
- HQ site has a number of networks (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Remote site has a single class C network (172.17.1.x)

When defining your protected subnets under VPN Manager -> VPN List -> Gateways, configure the specific networks rather than leaving the default network in place. If you keep the default network and let FortiManager handle the static route creation, you can end up with two default routes on the FortiGate: one pointing to your valid WAN router and one pointing to the VPN tunnel interface. This has the undesirable effect of making your firewall unreachable.
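To make the pitfall concrete, here is an added FortiOS CLI example (not configuration from the original post or from FortiManager itself) showing what the remote-site FortiGate's static routes look like in the broken case and in the corrected one. The interface names (wan1, hq-vpn), the WAN gateway 203.0.113.1 and the route sequence numbers are constructed for illustration; only the subnets come from the scenario above.

```fortios
# --- BROKEN: protected subnet left at the default network ---
# FortiManager pushes a second 0.0.0.0/0 route bound to the tunnel
# interface, so the FortiGate now holds two default routes.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "hq-vpn"
    next
end

# --- CORRECTED: protected subnets listed explicitly ---
# Only the HQ networks are routed into the tunnel; the WAN default
# route in sequence 1 is left untouched.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set device "hq-vpn"
    next
    edit 3
        set dst 172.16.0.0 255.255.0.0
        set device "hq-vpn"
    next
    edit 4
        set dst 192.168.0.0 255.255.0.0
        set device "hq-vpn"
    next
end

# The phase 2 selectors should match the same specific networks so that
# the tunnel and the routing table agree (phase 2 name is assumed).
config vpn ipsec phase2-interface
    edit "hq-vpn-p2"
        set phase1name "hq-vpn"
        set src-subnet 172.17.1.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.0.0.0
    next
end

# Check after FortiManager installs the policy package: there should be
# exactly one S* 0.0.0.0/0 entry, and it should point at wan1.
get router info routing-table all
```

The check at the end is the one worth running before you walk away from a remote box: if the routing table shows a second default route via the tunnel interface, fix the protected subnets in VPN Manager and reinstall rather than deleting the route by hand, since FortiManager will simply recreate it on the next install.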
