greminn
New Member
February 16, 2016
Question

80C(v5.2.6) to 200B(v5.0.12) IPsec VPN is up, but no traffic


I've redone this thing 3 times now and still no go! :)

At the office, 80C(v5.2.6). At the data center, 200B(v5.0.12). I have the VPN setup, the policies setup and the routing setup. The VPN monitor is showing as up at both ends. I can also up/down the VPN from both ends. I've checked the CLI debug log for the VPN and there seem to be no errors at all. However, the policies remain with 0 packets and I'm not seeing anything in the policy logs (set to debug). I try to ping/etc anything at the other end of the VPN (from both ends) and it just goes nowhere. traceroute shows it going nowhere as well.

Can anyone shed some light? Is it compatibility issues between 5.2 and 5.0 or something?

Here is a link to some screenshots showing the setup of both the 80C and the 200B. In order top down: 80C setup, 80C policy, 200B setup, 200B policy. I'm not showing the routing here, as it's just set and forget, right? :)

[link]http://imgur.com/a/1lXWd[/link]

Help! :) thanks.

    neonbit
    New Member
    February 16, 2016

    Have you performed a [link=http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30038&languageId=]diag debug flow filter[/link] on the traffic? If so, could you provide the output?

    I have a feeling that there may be an issue with your Phase2. I can see that you've blurred out one of the IP addresses. Just to confirm, is this the public IP address? This should be the internal subnet of that site.

    Also could you please confirm that your routes are configured correctly?

    One side should have this:

    Network: 192.168.1.0/24

    Gateway: Office-VPN

    The other should have this:

    Network: (local subnet that is blurred out)

    Gateway: DC-VPN

    When the VPN is up but there is no traffic, it's usually one of two things: the routing is wrong or the policies/QMS are wrong.

    greminn (Author)
    New Member
    February 16, 2016

    neonbit wrote:

    Have you performed a [link=http://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30038&languageId=]diag debug flow filter[/link] on the traffic? If so, could you provide the output?

    Not as yet - I will get that ASAP.

    neonbit wrote:
    I have a feeling that there may be an issue with your Phase2. I can see that you've blurred out one of the IP addresses. Just to confirm, is this the public IP address? This should be the internal subnet of that site.

    In terms of the Phase2 with the possible issue: is this the 80C (top screenshots) or the 200B (lower screenshots)? If this is the 200B (data center), then I have source address = xxx.xxx.127.0/24 (our data center public IP range) and destination address = 192.168.1.0/24 (internal office network). And this is reversed on the 80C (office).

    neonbit wrote:
    Also could you please confirm that your routes are configured correctly?

    One side should have this:

    Network: 192.168.1.0/24

    Gateway: Office-VPN

    Yes - at the 200B (data center) end this is correct.

    neonbit wrote:
    The other should have this:

    Network: (local subnet that is blurred out)

    Gateway: DC-VPN

    Yes - at the 80C (Office) end this is correct.

    PS: thanks for the reply!

    greminn (Author)
    New Member
    February 16, 2016

    OK, further to this - I have enabled the debug log from a workstation on the office side (192.168.1.10) to a server at the DC end (xxx.xxx.127.38). The main message is "Denied by forward policy check (policy 0)", so I understand that in theory there is no policy capturing the packets, so it's hitting the default deny all?

    Full log output: http://pastebin.com/nZnuy7Xv

    I had thought I had the policies correct though...

    Simon
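As an added example (not part of this thread and not Fortinet's code), the Python below models the three checks neonbit's reply walks through (mirrored Phase 2 selectors, a static route on each side sending the peer's subnet into the tunnel interface, and a policy pair on each side) and reads a `diag debug flow` trace for the message Simon quoted, "Denied by forward policy check (policy 0)". Everything in it is constructed: 203.0.113.0/24 stands in for the blurred xxx.xxx.127.0/24 prefix, the interface names `internal` and `wan1` are assumptions, the tunnel names `DC-VPN` / `Office-VPN` are taken from neonbit's route examples, and the trace line format only approximates FortiOS output. The data-centre side is deliberately given one policy whose destination interface is `wan1` instead of the tunnel, which is one way (not necessarily Simon's) to end up with an up tunnel, correct routes, and still "policy 0".

```python
"""Site-to-site IPsec sanity checks: selectors, routes, policies, debug-flow trace.

Added example for the thread above; constructed data, not a real deployment.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed addressing. 203.0.113.0/24 (a documentation range) replaces the
# blurred data-centre prefix; 192.168.1.0/24 is the office subnet from the post.
OFFICE_NET = "192.168.1.0/24"
DC_NET = "203.0.113.0/24"


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str


@dataclass(frozen=True)
class Site:
    name: str
    tunnel_if: str      # IPsec interface; the route to the peer uses it as gateway
    phase2_src: str     # local selector: this site's internal subnet
    phase2_dst: str     # remote selector: the peer's internal subnet
    routes: dict        # destination prefix -> interface/gateway
    policies: tuple     # evaluated top-down, like a FortiGate policy table


def phase2_mirrors(a: Site, b: Site) -> bool:
    """Phase 2 selectors must be exact mirrors: A.src == B.dst and A.dst == B.src.
    A public range in place of the internal subnet still negotiates an SA, but
    no inner packet matches it, which is the case neonbit asks about."""
    net = ipaddress.ip_network
    return net(a.phase2_src) == net(b.phase2_dst) and net(a.phase2_dst) == net(b.phase2_src)


def route_ok(site: Site, peer: Site) -> bool:
    """The peer's internal subnet needs a static route whose gateway is the tunnel."""
    return site.routes.get(peer.phase2_src) == site.tunnel_if


def match_policy(site: Site, srcintf: str, dstintf: str, src_ip: str, dst_ip: str) -> int:
    """1-based index of the first policy matching a new session, or 0 when none
    matches (FortiOS reports that miss as 'Denied by forward policy check (policy 0)')."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, p in enumerate(site.policies, start=1):
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and src in ipaddress.ip_network(p.srcaddr)
                and dst in ipaddress.ip_network(p.dstaddr)):
            return idx
    return 0


MSG_RE = re.compile(r'msg="([^"]*)"')


def classify_flow(trace: str) -> str:
    """Reduce a debug-flow trace to the reason the packet stopped.
    Only the msg="..." field is inspected; the surrounding line format below is
    an approximation of FortiOS output, constructed for this example."""
    for msg in MSG_RE.findall(trace):
        if msg.startswith("Denied by forward policy check (policy 0)"):
            return "no-policy-matched"          # implicit deny: look at policies, not the SA
        if msg.startswith("Denied by forward policy check"):
            return "denied-by-explicit-policy"
        if msg.startswith("Allowed by Policy"):
            return "allowed"
    return "unknown"


def checklist(a: Site, b: Site, a_host: str, b_host: str) -> dict:
    """neonbit's checks for hosts a_host (behind a) and b_host (behind b)."""
    return {
        "phase2_mirror": phase2_mirrors(a, b),
        "route_a": route_ok(a, b),
        "route_b": route_ok(b, a),
        "policy_a_to_b": match_policy(a, "internal", a.tunnel_if, a_host, b_host),
        "policy_b_inbound": match_policy(b, b.tunnel_if, "internal", a_host, b_host),
        "policy_b_to_a": match_policy(b, "internal", b.tunnel_if, b_host, a_host),
    }


OFFICE = Site("office-80C", "DC-VPN", OFFICE_NET, DC_NET,
              routes={DC_NET: "DC-VPN"},
              policies=(Policy("internal", "DC-VPN", OFFICE_NET, DC_NET),
                        Policy("DC-VPN", "internal", DC_NET, OFFICE_NET)))

# Constructed fault: the DC policy towards the office points at wan1 rather than
# the tunnel, so a session from the DC to 192.168.1.0/24 hits the implicit deny.
DC = Site("dc-200B", "Office-VPN", DC_NET, OFFICE_NET,
          routes={OFFICE_NET: "Office-VPN"},
          policies=(Policy("Office-VPN", "internal", OFFICE_NET, DC_NET),
                    Policy("internal", "wan1", DC_NET, OFFICE_NET)))

# Constructed trace for a DC host pinging the office workstation from the post.
SAMPLE_TRACE = """\
id=20085 trace_id=7 func=print_pkt_detail line=5000 msg="vd-root received a packet(proto=1, 203.0.113.38:1->192.168.1.10:2048) from internal."
id=20085 trace_id=7 func=init_ip_session_common line=5500 msg="allocate a new session-0000a1b2"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2500 msg="find a route: flag=04000000 gw-0.0.0.0 via Office-VPN"
id=20085 trace_id=7 func=fw_forward_handler line=700 msg="Denied by forward policy check (policy 0)"
"""

if __name__ == "__main__":
    for check, result in checklist(OFFICE, DC, "192.168.1.10", "203.0.113.38").items():
        print(f"{check:18} {result}")
    print("trace verdict:", classify_flow(SAMPLE_TRACE))
```

Running it shows the selectors mirrored, both routes pointing into the tunnel and the office-to-DC policies matching, while `policy_b_to_a` returns 0 and the trace classifies as `no-policy-matched`: the same combination Simon reports, an SA that is up with routing that looks right, narrowed down to the policy table on one side.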