Can only Access One Subnet on Established VPN

hi, and welcome to the forums. Seems you' ve been working a lot on this issue. IMHO it needn' t be so complicated at all. First, please re-create the VPNs in Interface Mode. This can only be done when creating a phase1 so you will have to reenter the parameters. Shouldn' t take you longer than 2 minutes though. In Interface Mode, VPN tunnel ends are created as virtual interfaces. As such, you can deal with them like with any other interface: set a route on each side for the remote network, pointing to the VPN interface. Create policies to/from the VPN tunnel from/to ' internal' . What you gain with this is more control and a cleaner setup. As you already have a lot of experience with regular interfaces you can deal with VPNs the same way. Also, NATting is plain simple in this scenario (if you need NAT at all). Do you have the FortiOS Handbook at your side? Invaluable, and full of working example setups. When you' re done, and you still have troubles, come back and post the config.

Thank you, though I am still plagued with issues, including being unable to bring up the tunnel at all. Also, please don' t think I am in any way intelligent when it comes to this particular configuration. My experience with FortiGate began about 48 hours ago and our first date isn' t going so well. I do have the handbook, and was able to find some other helpful guides. Here is what I have (and if there' s a way to post a config file, I am all eyes). I think I' ve either deleted/recreated or checked this configuration 20 or 30 or a billion times now. Since I am no longer able to see anything but the hellfire of a thousand nuclear bombs engulfing my FortiGate appliances as I roll around on the ground hysterically gleeful at their fiery destruction, I am thinking maybe a second pair of eyes is needed. Thanks again. (Also, I did nothing in regards to the actual VPN interface, as in set IPs from the System -> Interface -> Tunnel _Interface. I touched nothing there) 110c SETUP: Name: Tunnel-to-80c Remote Gateway: 172.16.200.200 Local Interface: Public WAN interface Mode: Main Pre-shared key Enable IPsec Interface Mode (yes, IKE Version is 1, main interface IP The 110c IPSEC phase 2 is: Set to Tunnel-to-80c phase 1 object (Standard Advaced options: enable replay detection, PFS) Policy: First Policy: Source: internal_interface Source Addr: 10.10.10.0/24 address object (local LAN) Destination Interface: tunnel_interface Destination Addr: 10.100.100.0/24 address object (remote LAN) Schedule: whenever I want Service: whatever I want Action: ACCEPT NAT unchecked Second Policy: Source: tunnel_interface Source Addr: 10.100.100.0/24 address object (remote LAN) Destination Interface: internal_interface Destination Addr: 10.10.10.0/24 address object (local LAN) Schedule: whenever I want Service: whatever I want Action: ACCEPT NAT unchecked Route: Static Destination: 10.100.100.0/24 (remote LAN) Device: tunnel_interface Gateway 0.0.0.0 Priority: 0 Distance: 10 *********************** 80c SETUP: Name: Tunnel-to-110c Remote Gateway: 192.168.100.100 Local Interface: Public WAN interface Mode: Main Pre-shared key Enable IPsec Interface Mode (yes, IKE Version is 1, main interface IP The 80c IPSEC phase 2 is: Set to Tunnel-to-110c phase 1 object (Standard Advaced options: enable replay detection, PFS) Policy: First Policy: Source: internal_interface Source Addr: 10.100.100.0/24 address object (local LAN) Destination Interface: tunnel_interface Destination Addr: 10.10.10.0/24 address object (remote LAN) Schedule: whenever I want Service: whatever I want Action: ACCEPT NAT unchecked Second Policy: Source: tunnel_interface Source Addr: 10.10.10.0/24 address object (remote LAN) Destination Interface: internal_interface Destination Addr: 10.100.100.0/24 address object (local LAN) Schedule: whenever I want Service: whatever I want Action: ACCEPT NAT unchecked Route: Static Destination: 10.10.10.0/24 (remote LAN) Device: tunnel_interface Gateway 0.0.0.0 Priority: 0 Distance: 5

lo and behold! Maybe it' s time for you to take a step back and relax. It' s not magic, it' s about carefully observing details and recipes. And you' re 90% there from what I see. First thing, get the tunnel up. One CAVEAT: while testing, make sure you do not change settings and retry without tearing the tunnel down! You have to make sure that SAs from previous attempts are deleted. Here we come to the next good advice: get accustomed to the CLI. You can either use the Console widget on Dashboard (detached mode is easier), or you can start an ssh session if permitted on the interface. Some features are settable in CLI only; posting (a part of) the config is quite easy and comprehensive by cut-and-paste from the console screen. OK, the command to delete ALL tunnels is ' diag vpn tunnel clear' . This will kill all IPsec tunnels so be aware of this. After that, change the settings and retry to connect (via ' ping IP-on-other-side' in a Command window - Windows: Start-Run-cmd.exe). Alternatively, you can click ' Bring tunnel up' in the VPN Monitor page of the GUI. To get the tunnel successfully up you have to make the parameters in phase1 and phase2 identical, esp. the PSK. You can enter any simple PSK for testing purposes. IPsec VPN is sometimes hard to tackle: 99% identical will not work, 100% will do immediately. After getting the tunnel up you can test if you can reach remote IPs via ping. Do not try to ping FROM the local Fortigate console, or to the remote Fortigate! Try client to client connections only. For the VPN parameters, you can leave out PFS, keylife at first; use AES128/SHA1 for an efficient encryption. That is, if you don' t have preferences in this. The rest of your config looks 100% OK - phases, policies, static route. I' d guess once the units connect you' ll get access to the remote network immediately. BTW, I wondered how you come to use a private, non-routable IP address for the WAN interface - for lab setup only? And then, as both WAN addresses are in distinct subnets, you need a router inbetween, right? Anyway, as long as you can ping the remote WAN address from the Console (in both directions) you have set up your ' WAN' correctly. And now, before getting down to work, take a deep breath (a window or a stroll in the park comes in handy) and relax. It' s a good as done now.

Thank you for all your help and encouragement. So I kept trying to get the tunnel up, but it just never worked. I called FG tech support and they couldn' t find anything wrong with the setup, but when they upgraded the firmware in an attempt to troubleshoot possible issues, it resulted in a read block error on the device, a six hour call and an RMA. The new unit arrives in hours. We haven' t resolved the VPN issue yet :) So anyway, I was working on the original FG 110C and discovered I can' t run any commands in the CLI. This is pretty much what I get for every command: FG110CGGCHQ # execute ping 192.168.1.168 5292: Unknown action 0 Command fail. Return code -1 Or this FG110CGGCHQ # show firewall policy Command fail. Return code 5 I' d reboot the appliance, but it' s remote and a production appliance. I do think this might be associated with the VPN issue. I' ll post again once I get our backup 110C running later today. Again, thank you!

This looks like you have VDOMs activated, and not entered into one. config vdom edit root # or whatever ... And your admin account should be based on a ' prof-admin' or ' super-admin' profile.

Thanks for that. I do apologize, as I have only been working with FortiGate products for about a week and the learning curve for the CLI, while not steep, does take some time. Anyway, back to the problem. In my latest route-based VPN attempt, I am now getting a flapping tunnel that never actually completes. diag debug enable produces (this in about 3 seconds): ike 0:NSA_GGC_Tunnel: carrier up ike 0:NSA_GGC_Tunnel: carrier down ike 0:NSA_GGC_Tunnel: carrier up ike 0:NSA_GGC_Tunnel: carrier down ike 0:NSA_GGC_Tunnel: carrier up ike 0:NSA_GGC_Tunnel: carrier down ike 0:NSA_GGC_Tunnel: carrier up ike 0:NSA_GGC_Tunnel: carrier down Here' s the full configuration: 110C PHASE1: config vpn ipsec phase1-interface edit " GGC_NSA_Tunnel" set type static set interface " Wan1" set ip-version 4 set local-gw 0.0.0.0 set nattraversal enable set dhgrp 5 set keylife 86400 set authmethod psk set peertype any set xauthtype disable set mode main set mode-cfg enable set proposal 3des-sha1 aes128-sha1 set localid ' ' set localid-type auto set negotiate-timeout 30 set dpd enable set fcc-enforcement disable set remote-gw 65.126.111.218 set monitor-phase1 ' ' set assign-ip disable set mode-cfg-ip-version 4 set add-route enable set dns-mode auto set unity-support disable set add-gw-route disable set psksecret ENC cnmsRqNp+G5wXyjAVwuJRIB set keepalive 10 set distance 1 set priority 0 set auto-negotiate disable set dpd-retrycount 3 set dpd-retryinterval 5 next end PHASE2: config vpn ipsec phase2-interface edit " GGCtoNSA_P2" set auto-negotiate enable set encapsulation tunnel-mode set keepalive disable set keylife-type seconds set pfs enable set phase1name " GGC_NSA_Tunnel" set proposal 3des-sha1 aes128-sha1 set protocol 0 set replay enable set src-addr-type subnet set src-port 0 set dhgrp 5 set keylifeseconds 28800 set src-subnet 0.0.0.0 0.0.0.0 next end OUTBOUND POLICY: config firewall policy edit 6 set srcintf " port1" set dstintf " GGC_NSA_Tunnel" set srcaddr " HQ LAN" set dstaddr " NSA LAN Address" set rtp-nat disable set action accept set status enable set dynamic-profile disable unset dynamic-profile-access set schedule " always" set schedule-timeout disable set service " ANY" set utm-status disable set logtraffic disable set logtraffic-app enable set session-ttl 0 set wccp disable set fsso disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set match-vip disable set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments ' ' set endpoint-check disable set label ' ' set global-label ' ' set replacemsg-override-group ' ' set identity-based disable set traffic-shaper ' ' set traffic-shaper-reverse ' ' set per-ip-shaper ' ' set nat disable set dynamic-profile-fallthrough disable next end INBOUND POLICY: config firewall policy edit 7 set srcintf " GGC_NSA_Tunnel" set dstintf " port1" set srcaddr " NSA LAN Address" set dstaddr " Grace HQ LAN" set rtp-nat disable set action accept set status enable set dynamic-profile disable unset dynamic-profile-access set schedule " always" set schedule-timeout disable set service " ANY" set utm-status disable set logtraffic disable set logtraffic-app enable set session-ttl 0 set wccp disable set fsso disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set match-vip disable set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments ' ' set endpoint-check disable set label ' ' set global-label ' ' set replacemsg-override-group ' ' set identity-based disable set traffic-shaper ' ' set traffic-shaper-reverse ' ' set per-ip-shaper ' ' set nat disable set dynamic-profile-fallthrough disable next end ROUTE: config router static edit 5 set blackhole disable set comment ' ' set device " GGC_NSA_Tunnel" set distance 10 set dst 192.168.0.0 255.255.255.0 set dynamic-gateway disable set priority 0 set weight 0 next end ***************************** 80C PHASE1: config vpn ipsec phase1-interface edit " NSA_GGC_Tunnel" set type static set interface " wan1" set ip-version 4 set ike-version 1 set local-gw 0.0.0.0 set nattraversal enable set dhgrp 5 set keylife 86400 set authmethod psk set peertype any set xauthtype disable set mode main set mode-cfg disable set proposal 3des-sha1 aes128-sha1 set localid ' ' set localid-type auto set negotiate-timeout 30 set dpd enable set remote-gw 75.149.216.61 set monitor-phase1 ' ' set add-gw-route disable set psksecret <it' s a secret> set keepalive 10 set auto-negotiate disable set dpd-retrycount 3 set dpd-retryinterval 5 next end PHASE2: config vpn ipsec phase2-interface edit " NSAtoGGC_P2" set auto-negotiate enable set dst-addr-type subnet set dst-port 0 set encapsulation tunnel-mode set keepalive disable set keylife-type seconds set pfs enable set phase1name " NSA_GGC_Tunnel" set proposal 3des-sha1 aes128-sha1 set protocol 0 set replay enable set src-addr-type subnet set src-port 0 set dhgrp 2 set dst-subnet 0.0.0.0 0.0.0.0 set keylifeseconds 28800 set src-subnet 0.0.0.0 0.0.0.0 next end OUTBOUND POLICY: config firewall policy edit 7 set srcintf " internal1" set dstintf " NSA_GGC_Tunnel" set srcaddr " NSA LAN Address" set dstaddr " Grace Global LAN Address" set rtp-nat disable set action accept set status enable set dynamic-profile disable unset dynamic-profile-access set schedule-timeout disable set utm-status disable set logtraffic-app disable set session-ttl 0 set wccp disable set fsso disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set match-vip disable set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments ' ' set endpoint-check disable set label ' ' set replacemsg-override-group ' ' set identity-based disable set schedule " always" set service " ANY" set logtraffic disable set traffic-shaper ' ' set per-ip-shaper ' ' set nat disable set dynamic-profile-fallthrough disable next end INBOUND POLICY: config firewall policy edit 8 set srcintf " NSA_GGC_Tunnel" set dstintf " internal1" set srcaddr " Grace Global LAN Address" set dstaddr " NSA LAN Address" set rtp-nat disable set action accept set status enable set dynamic-profile disable unset dynamic-profile-access set schedule-timeout disable set utm-status disable set logtraffic-app disable set session-ttl 0 set wccp disable set fsso disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set match-vip disable set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments ' ' set endpoint-check disable set label ' ' set replacemsg-override-group ' ' set identity-based disable set schedule " always" set service " ANY" set logtraffic disable set traffic-shaper ' ' set per-ip-shaper ' ' set nat disable set dynamic-profile-fallthrough disable next end ROUTE: config router static edit 3 set blackhole disable set comment ' ' set device " NSA_GGC_Tunnel" set distance 10 set dst 10.249.0.0 255.255.240.0 set dynamic-gateway disable set priority 0 set weight 0 next end

On the 110C, disable ' set mode-cfg' . Unnecessary here, and not set on the 80C.

Ede, that was the solution to the issue! Tunnel came right up. Thank you so much for your help, you have no idea how much I appreciate your efforts.

Glad I could help. Keep a six-pack in the fridge for some day.