inferi
New Member
November 4, 2022
Question

Fortigate static routes and policies don't work with VPN

  • November 4, 2022
  • 2 replies
  • 3097 views

Hi,

I have static routes and some policies to an IP range that don't work properly in FortiGate #

Yellow works correctly but the other one doesn't.


2 replies

akristof
Staff
November 4, 2022

Hello,

Simple debug flow should give you more information what is happening and why the traffic is not working.

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow

inferi (Author)
New Member
November 4, 2022

Doesn't work :(


Toshi_Esumi
SuperUser
November 4, 2022

First, use the destination IP 192.168.1.12 for the filter, then don't specify the protocol #.
Then you might need to disable ASIC offloading with "set auto-asic-offload disable" on policy IDs 4 and 5. Don't forget to re-enable it after your test; it would affect performance.


Toshi

Toshi_Esumi
SuperUser
November 4, 2022

The working one, from 192.168.140.253 to 192.168.11.106, is at least not going into the FJBE-FJM tunnel, as the debug result shows.

While the non-working one, sourced from 172.31.254.2 to 192.168.1.12, is showing what I would expect when a packet is going into a tunnel.

Even if you don't know how to read the sequence, at least you can read below:

"enter IPsec interface-FJBE-FJM"


Are those source subnets included in the phase2 network selectors? To run a ping test from the FGT itself, you likely need to set the source with "exe ping-option source" to match the selectors.


Toshi
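As an added example (not code from the thread or from Fortinet), a small Python helper that groups constructed `diagnose debug flow` lines by trace_id, pulls out the src/dst pair, the policy that allowed the packet and the "enter IPsec interface-" line Toshi points at, and then checks the pair against a constructed phase2 selector list, which is the last question in his reply. The trace lines, policy numbers and selectors are all constructed sample data.

```python
# Added example: read FortiGate debug-flow traces and check phase2 selectors.
# SAMPLE_TRACE and PHASE2_SELECTORS are constructed sample data, not output
# or configuration from the poster's FortiGate.
import ipaddress
import re

SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 172.31.254.2:1->192.168.1.12:2048) from port1."
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-4:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-FJBE-FJM"
id=20085 trace_id=2 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 192.168.140.253:1->192.168.11.106:2048) from port1."
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Allowed by Policy-5:"
id=20085 trace_id=2 func=ip_session_confirm_final line=3117 msg="npu_state=0x3000"
"""

# Constructed phase2 selectors per tunnel: list of (local subnet, remote subnet).
PHASE2_SELECTORS = {
    "FJBE-FJM": [("192.168.140.0/24", "192.168.11.0/24")],
}

PKT_RE = re.compile(r"\((?:proto=\d+, )?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+\)")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")
IPSEC_RE = re.compile(r'enter IPsec interface-([^\s"]+)')


def parse_trace(text):
    """Group lines by trace_id; return {trace_id: {src, dst, policy, ipsec}}."""
    flows = {}
    for line in text.splitlines():
        tid = re.search(r"trace_id=(\d+)", line)
        if not tid:
            continue
        flow = flows.setdefault(int(tid.group(1)),
                                {"src": None, "dst": None, "policy": None, "ipsec": None})
        if (pm := PKT_RE.search(line)):
            flow["src"], flow["dst"] = pm.groups()          # packet header line
        if (pol := POLICY_RE.search(line)):
            flow["policy"] = int(pol.group(1))              # matched firewall policy
        if (im := IPSEC_RE.search(line)):
            flow["ipsec"] = im.group(1)                     # packet handed to a tunnel
    return flows


def selector_match(tunnel, src, dst):
    """True if src/dst fall inside one of the tunnel's local/remote selector pairs."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)
               for loc, rem in PHASE2_SELECTORS.get(tunnel, []))
```

A flow that shows "enter IPsec interface-X" but fails `selector_match` for X is exactly the mismatch Toshi asks about: the route sends it into the tunnel, but the phase2 selectors do not cover it.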