Fullmoon
New Member
May 11, 2018
Question

Fortigate to Fortigate DialUp IPSec VPN

Could anyone shed light on the reasons why I encountered this kind of unexpected behavior during IPsec configuration?

Topology

Workstation---L2/L3---Fortigate (Static)----Internet---- (Private)Fortigate---L2/L3---Workstation

Concern 1. Both tunnels are UP, but unable to ping from either end, given the fact that routing and firewall policies are properly defined.

Solution: Assigned network addresses on both Quick Mode Selectors.

But why are there some instances where, without defining network addresses on both QMS, both ends are able to ping each other?

Concern 2. Both tunnels are UP, but unable to ping from either end, given the fact that routing and firewall policies are properly defined.

Solution: On the HQ firewall (public), enable NAT in the firewall policy (VPN virtual interface---LAN); pings start to work for both ends.

Regards

    ede_pfau
    SuperUser
    May 11, 2018

    Hi,

    For 2:

    If traffic starts when you enable NAT, then the route to the remote subnet is missing, or the QM selectors don't match the remote subnet. It might be the address or just the network mask.

    BTW, dial-up will work but is unnecessary here. If you have more than one dial-up client you will have to introduce peer IDs to keep them separate. Otherwise, only one client will be able to use the gateway.

    Better to configure a standard site-to-site VPN, if needed with a 'dynamic address' if the client is behind a DSL modem or such.

    (All of this assuming you use route based IPsec VPN, of course.)
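
The two failure modes in this thread (tunnel UP but no traffic because the route into the tunnel is missing, or because the Quick Mode selectors on the two ends do not cover the same traffic) can be reasoned through with a small model. The script below is an added example and is not part of the thread or of FortiOS; it is a deliberately simplified model of how a route-based peer decides whether a packet is carried by the tunnel, and every address, interface name and peer name in it is a constructed sample. It also covers the "why did it work with no selectors defined" case: with no network set, the selector is the default 0.0.0.0/0, which admits any flow.

```python
"""Model of the 'tunnel UP but no traffic' cases from the thread above.

Two route-based IPsec peers are modelled, each with a phase 2 (Quick Mode)
selector pair and a static routing table. For one packet (a ping from a
workstation behind one peer to a workstation behind the other) the checker
reports why it would not be carried: no route into the tunnel, or a packet
that fits one end's selectors but not the other's. This is a simplified
model of the selector check, not FortiOS code; all addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# A selector with no network set defaults to 0.0.0.0/0 on a FortiGate, which
# is why two ends with no addresses defined on the QMS can still ping each other.
ANY = ip_network("0.0.0.0/0")


@dataclass
class Peer:
    name: str
    local_selector: IPv4Network = ANY    # phase 2 src-subnet
    remote_selector: IPv4Network = ANY   # phase 2 dst-subnet
    routes: Dict[IPv4Network, str] = field(default_factory=dict)  # dst net -> device
    tunnel_if: str = "vpn-tunnel"        # assumed name of the tunnel interface

    def route_lookup(self, dst: IPv4Address) -> Optional[str]:
        """Longest-prefix match over the static routes; None if nothing matches."""
        matches = [(net, dev) for net, dev in self.routes.items() if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        """True if this peer's selector pair admits traffic from src to dst."""
        return src in self.local_selector and dst in self.remote_selector


def make_peer(name: str, local: str = "0.0.0.0/0", remote: str = "0.0.0.0/0",
              routes: Iterable[Tuple[str, str]] = ()) -> Peer:
    """Build a Peer from string networks; routes is (destination, device) pairs."""
    return Peer(name, ip_network(local), ip_network(remote),
                {ip_network(net): dev for net, dev in routes})


def diagnose(sender: Peer, receiver: Peer, src: str, dst: str) -> List[str]:
    """List the reasons a packet src -> dst would not pass; empty means it should."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    problems: List[str] = []

    # 1. The sending gateway must route the destination into the tunnel interface.
    dev = sender.route_lookup(dst_ip)
    if dev != sender.tunnel_if:
        problems.append(f"{sender.name}: no route to {dst} via {sender.tunnel_if} "
                        f"(lookup gave {dev})")

    # 2. The packet must fit the sender's own selectors (src in local, dst in remote).
    if not sender.covers(src_ip, dst_ip):
        problems.append(f"{sender.name}: {src}->{dst} is outside selectors "
                        f"{sender.local_selector} -> {sender.remote_selector}")

    # 3. The receiving gateway sees the same flow mirrored: dst must be in its
    #    local selector and src in its remote one. A narrower mask here means
    #    the sender encrypts the packet and the receiver drops it, even though
    #    the tunnel itself shows as UP.
    if not receiver.covers(dst_ip, src_ip):
        problems.append(f"{receiver.name}: {src}->{dst} is outside selectors "
                        f"{receiver.remote_selector} -> {receiver.local_selector}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the branch selector mask is narrower than HQ's.
    hq = make_peer("HQ", "10.1.0.0/24", "10.2.0.0/24", [("10.2.0.0/24", "vpn-tunnel")])
    branch = make_peer("Branch", "10.2.0.0/25", "10.1.0.0/24", [("10.1.0.0/24", "vpn-tunnel")])
    for line in diagnose(hq, branch, "10.1.0.10", "10.2.0.200") or ["ok"]:
        print(line)
```

Running the script with the constructed sample shows the mask-mismatch case from the reply: the HQ side routes and encrypts the ping, but the branch side's narrower local selector does not cover the destination, so nothing comes back while both phase 1 and phase 2 remain UP.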

    Fullmoon (Author)
    New Member
    August 11, 2018

    Thanks for the hint, ede. Will check on this.