Blackhole Routing

OK, so you’ve created your IPsec VPN tunnels and added the corresponding static routes, but which path does the VPN traffic take if your tunnel is down?

Right, it uses the next best route in the routing table, and chances are this is your default route pointing to your internet router…

But luckily you did add a blackhole route for this traffic, preventing this:






So next time your VPN tunnel is down, traffic will be dropped by the FortiGate instead of falling back to your default route.

Or you can use the CLI for this:

config router static
    edit 0
        set blackhole enable
        set dst <remote-subnet> <netmask>
    next
end
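To audit an existing configuration for the gap described above, the following added example (not part of the original post, and not Fortinet code) parses a `config router static` section and lists tunnel routes whose destination no blackhole route covers. The sample config, the interface names and the `set distance 254` line are constructed assumptions; the higher distance is there so the tunnel route is preferred while the tunnel is up.

```python
import ipaddress

# Constructed sample of a FortiOS static-route section (not from the page).
SAMPLE = """
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set dst 10.20.0.0 255.255.0.0
        set device "vpn-branch"
    next
    edit 3
        set dst 10.20.0.0 255.255.0.0
        set distance 254
        set blackhole enable
    next
    edit 4
        set dst 10.30.0.0 255.255.255.0
        set device "vpn-dc"
    next
end
"""

def parse_static_routes(text):
    """Return one dict per 'edit' entry, mapping each 'set' key to its value."""
    routes, cur = [], None
    for line in text.splitlines():
        words = line.split(None, 2)
        if words[:1] == ["edit"]:
            cur = {"id": words[1]}
            routes.append(cur)
        elif words[:1] == ["set"] and cur is not None and len(words) == 3:
            cur[words[1]] = words[2].strip().strip('"')
    return routes

def network(route):
    """Destination as an ip_network; an entry without 'set dst' is the default route."""
    addr, mask = route.get("dst", "0.0.0.0 0.0.0.0").split()
    return ipaddress.ip_network(f"{addr}/{mask}")

def unprotected_tunnel_routes(text, tunnel_ifaces):
    """Tunnel routes (device in tunnel_ifaces) that no blackhole route covers."""
    routes = parse_static_routes(text)
    holes = [network(r) for r in routes if r.get("blackhole") == "enable"]
    return [(r["id"], str(network(r))) for r in routes
            if r.get("device") in tunnel_ifaces
            and not any(network(r).subnet_of(h) for h in holes)]
```

Calling `unprotected_tunnel_routes(SAMPLE, {"vpn-branch", "vpn-dc"})` flags entry 4, the only tunnel route in the sample whose traffic would follow the default route when its tunnel is down.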

