FortiWAN Planning your VPN

Define Auto Routing policies for IKE negotiation and IPSec communication packets

For IKE negotiation packets

Packets of IKE negotiation are generated by FortiWAN itself (the source and destination IP addresses of the packets are respectively the Local IP and Remote IP of the Phase 1 configuration); therefore the Source and Destination of the Auto Routing filter for IKE negotiation must be configured with the Local IP and Remote IP (the IP addresses of the WAN ports of the two FortiWAN units). Remember that the IPSec SAs are established on the WAN port of both FortiWANs.

Go to Service > Auto Routing

You need to add a new policy to Policies of Auto Routing like:

Auto Routing Policy   Local endpoint (Site A)             Remote endpoint (Site B)
Label                 IPSec_WAN1 (any name you desire)    IPSec_WAN1 (any name you desire)
T                     Enable Threshold or not             Enable Threshold or not
Algorithm             Fixed                               Fixed
Parameter             Only 1 is checked                   Only 1 is checked

Then you add a filter to IPv4 Filters like:

Auto Routing Filter   Local endpoint (Site A)     Remote endpoint (Site B)
When                  All-Time                    All-Time
Input Port            Any Port                    Any Port
Source                10.10.10.10 or Localhost    20.20.20.20 or Localhost
Destination           20.20.20.20                 10.10.10.10
Service               Any or IKE(500)             Any or IKE(500)
Routing Policy        IPSec_WAN1                  IPSec_WAN1
Fail-Over Policy      NO-ACTION                   NO-ACTION

Note that because IKE negotiation packets are generated from FortiWAN’s localhost, the Source field of the AR filter must be configured to “Localhost” in order to match the negotiation traffic and direct it to the correct WAN link.

For IPSec communication packets

Routing of packets that are going to be transferred through IPsec VPN between the private networks (LANs) behind the two sites (local and remote) is also controlled by FortiWAN’s Auto Routing. It is necessary to route packets to the WAN link that the IPSec SA is established on, so that the packets can be processed (evaluated by Quick Mode selector and ESP encapsulated) by IPSec on the WAN port.

With the existing policy “For IPsec”, you only need to add the filters like:

Auto Routing Filter   Local endpoint (Site A)               Remote endpoint (Site B)
When                  All-Time                              All-Time
Input Port            Any Port (or the LAN port, PortX)     Any Port (or the LAN port, PortX)
Source                192.168.10.0/255.255.255.0            192.168.100.0/255.255.255.0
Destination           192.168.100.0/255.255.255.0           192.168.10.0/255.255.255.0
Service               Any                                   Any
Routing Policy        IPSec_WAN1                            IPSec_WAN1
Fail-Over Policy      NO-ACTION                             NO-ACTION

IPSec Phase 2 Quick Mode selector controls the IPSec availability to specified users (the source, destination and service of packets); before that, it requires the Auto Routing filter to direct the packets to the correct WAN link (Routing Policy). Make sure the Auto Routing filter and Phase 2 Quick Mode selector are equal on Source, Destination and Service. For the details of Auto Routing, see “Auto Routing”. Although Auto Routing provides failover policy to redirect packets to another WAN link when a failure occurs, it is unable to achieve the fail-over for IPSec Tunnel mode since the same Quick Mode selector cannot be applied to different IPSec SAs.

Define NAT policies for IKE negotiation and IPSec communication packets

NAT default rules translate the source addresses of packets coming from the private subnet (LAN) behind FortiWAN after Auto Routing has determined a WAN link for them. In IPSec VPN Tunnel mode, communication packets usually come from the LAN subnet of FortiWAN and are evaluated against the NAT rules before the Phase 2 Quick Mode selector. If the source address of an IPSec packet is translated by NAT, the packet no longer matches the Quick Mode selector and the IPSec communication fails.

For IKE negotiation packets

IKE negotiation packets are generated on FortiWAN’s localhost. The source of an IKE packet is the Local IP (the IP address on the WAN port) of the Phase 1, which is not translated by NAT. Therefore, a NAT policy is not required for IKE negotiations.
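To make the three requirements of this page concrete (the IKE filter must match Localhost-sourced traffic, the IPsec communication filter must equal the Phase 2 Quick Mode selector on Source, Destination and Service, and the default NAT rule must not rewrite the source before the selector is evaluated), here is a small Python model of the packet path Auto Routing -> NAT -> Quick Mode selector. It is an added example, not FortiWAN code and not part of this guide: the SiteConfig, Packet, Match and ARFilter classes, the WAN link name "WAN1", the first-match filter order and the nat_exempt field (standing in for the NAT policy this section goes on to define) are assumptions made for the model, and the packets are constructed sample values built from the addresses in the tables above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCALHOST = "Localhost"
ANY = "Any"
# Service names exactly as they appear in the Auto Routing filter tables on this page.
SERVICES = {ANY: None, "IKE(500)": ("udp", 500)}


def parse_net(spec: str):
    """Parse a FortiWAN-style address field: 'Any', 'Localhost', a host IP, or addr/dotted-mask."""
    if spec in (ANY, LOCALHOST):
        return spec
    # ipaddress accepts '192.168.10.0/255.255.255.0' as well as a bare host IP (treated as /32).
    return ipaddress.ip_network(spec, strict=False)


def addr_matches(spec: str, ip: str, from_localhost: bool = False) -> bool:
    net = parse_net(spec)
    if net == ANY:
        return True
    if net == LOCALHOST:          # only packets FortiWAN generated itself match "Localhost"
        return from_localhost
    return ipaddress.ip_address(ip) in net


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    from_localhost: bool = False  # True for IKE packets generated by FortiWAN itself


@dataclass
class Match:
    """Source/Destination/Service triple, shared by AR filters and the Phase 2 Quick Mode selector."""
    source: str
    destination: str
    service: str

    def accepts(self, pkt: Packet) -> bool:
        svc = SERVICES[self.service]
        return (addr_matches(self.source, pkt.src, pkt.from_localhost)
                and addr_matches(self.destination, pkt.dst)
                and (svc is None or svc == (pkt.proto, pkt.dport)))


@dataclass
class ARFilter:
    match: Match
    routing_policy: str


@dataclass
class SiteConfig:                 # assumed model of one FortiWAN site, not a FortiWAN data structure
    wan_ip: str                   # Phase 1 Local IP, i.e. the WAN port address
    lan: str                      # private subnet behind FortiWAN (dotted-mask form)
    policies: dict                # routing policy label -> WAN link (Algorithm Fixed, parameter 1)
    filters: list                 # ordered IPv4 Filters; first match wins in this model
    qm_selector: Match            # Phase 2 Quick Mode selector
    nat_exempt: Optional[Match] = None  # assumed NAT policy: matching packets keep their source


def auto_route(cfg: SiteConfig, pkt: Packet):
    """First matching IPv4 filter selects the routing policy and therefore the WAN link."""
    for f in cfg.filters:
        if f.match.accepts(pkt):
            return cfg.policies[f.routing_policy]
    return None


def default_nat(cfg: SiteConfig, pkt: Packet) -> str:
    """Default NAT rule: LAN-sourced packets leaving a WAN link get the WAN IP as source."""
    if cfg.nat_exempt is not None and cfg.nat_exempt.accepts(pkt):
        return pkt.src
    if ipaddress.ip_address(pkt.src) in parse_net(cfg.lan):
        return cfg.wan_ip
    return pkt.src


def process(cfg: SiteConfig, pkt: Packet):
    """Return (wan_link, source after NAT, Quick Mode result); IKE packets are not selector-checked."""
    link = auto_route(cfg, pkt)
    if link is None:
        return None, pkt.src, False
    nat_src = default_nat(cfg, pkt)
    if pkt.from_localhost:
        return link, nat_src, None
    after_nat = Packet(nat_src, pkt.dst, pkt.proto, pkt.dport)
    return link, nat_src, cfg.qm_selector.accepts(after_nat)


def filter_matches_selector(cfg: SiteConfig) -> bool:
    """The page's rule: some AR filter must equal the Quick Mode selector on Source/Destination/Service."""
    return any(f.match == cfg.qm_selector for f in cfg.filters)


def site_a(nat_exempt: bool) -> SiteConfig:
    """Site A from the tables above; nat_exempt toggles the assumed NAT policy for tunnel traffic."""
    ipsec_lan = Match("192.168.10.0/255.255.255.0", "192.168.100.0/255.255.255.0", ANY)
    return SiteConfig(
        wan_ip="10.10.10.10", lan="192.168.10.0/255.255.255.0",
        policies={"IPSec_WAN1": "WAN1"},
        filters=[ARFilter(Match(LOCALHOST, "20.20.20.20", "IKE(500)"), "IPSec_WAN1"),
                 ARFilter(ipsec_lan, "IPSec_WAN1")],
        qm_selector=ipsec_lan,
        nat_exempt=ipsec_lan if nat_exempt else None)


if __name__ == "__main__":
    ike = Packet("10.10.10.10", "20.20.20.20", "udp", 500, from_localhost=True)   # constructed
    lan = Packet("192.168.10.5", "192.168.100.7", "tcp", 443)                     # constructed
    print("IKE:", process(site_a(False), ike))          # routed to WAN1, source untouched by NAT
    print("LAN, no NAT policy:", process(site_a(False), lan))   # source rewritten, selector fails
    print("LAN, NAT policy:", process(site_a(True), lan))       # source kept, selector matches
    print("filter == selector:", filter_matches_selector(site_a(True)))
```

Running the script shows the failure mode the NAT section warns about: without the exemption the LAN packet still reaches WAN1, but its source has become 10.10.10.10 and the Quick Mode selector rejects it; with the exemption it arrives unchanged and is accepted. The filter_matches_selector check is the one worth automating in any deployment script, since a filter that is broader or narrower than the selector silently sends some traffic around the tunnel.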

This entry was posted in Administration Guides, FortiWAN.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
