pieciaq
Explorer II
December 21, 2021
Solved

IPSec tunnel up (phase 1 and 2) but no Outgoing Data

  • December 21, 2021
  • 4 replies
  • 20956 views

Hi all,

I have an IPSec tunnel configured; it is up (phase 1 and 2) but there is no Outgoing Data.

A policy from a zone (with vlan10 in it) to the VPN tunnel is configured, and a static route (with the subnet I try to reach and the VPN interface) is configured as well.

When I ping from a computer in vlan10 I see a deny and a hit on policy 0 in FAZ.


What is the best practice to check why traffic is not hitting this tunnel or policy?

P.S. I have access only to my side of the tunnel.

P.S. II: Is it possible that, when my part of the tunnel is configured OK (policy and route also) but something is missing on the other side of the tunnel, the tunnel will show up on both phases but send no data into the tunnel?

What bothers me is that there is 0 B in Outgoing Data.

FGT OS 6.4.6

Best answer by pieciaq

@Toshi_Esumi thanks for all your effort. Analyzing the debug flow, I started to check why it is dropping on policy 0 and found this post:

https://community.fortinet.com/t5/Fortinet-Forum/msg-quot-iprope-in-check-check-failed-on-policy-0-drop-quot/m-p/1661?m=142569

I had created a virtual IP that would serve a new connectivity need, and it was the cause of my problems, even though it was not linked to any policy.

4 replies

amouawad
Staff
December 22, 2021

If it's hitting policy 0 (deny all) then the problem is on the FGT side not the other side.


Do you have a route in the FortiGate for the subnet you're trying to reach to go out through the VPN interface?

pieciaq (Author)
Explorer II
December 22, 2021

Yes Sir, I have a static route with the VPN interface and the subnet I want to reach.

I ran some debug flow and noticed that the address in the subnet I try to ping gets a route via root; I think the VPN tunnel name should be there. What can be causing this problem?

id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-10.55.10.51 via root"

Toshi_Esumi
SuperUser
December 22, 2021

What was in the next line after "find a route:" in the flow debug? Was it the "Denied by forward policy check (policy 0)"?


Toshi
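The exchange above turns on reading a `diagnose debug flow` trace: the "find a route:" line tells you which interface the route lookup selected, and the line right after it carries the policy verdict (for example "Denied by forward policy check (policy 0)"). The script below is an added example, not code from the original thread or from Fortinet: it parses such trace output, groups the lines by `trace_id`, and reports for each packet the route target, the gateway, and the policy verdict, with a triage hint when the packet fell through to policy 0. Only the "find a route" line is taken from the post above; the other sample lines, the tunnel name `SiteB_VPN`, the addresses and the session id are constructed to show the shape of a full trace and are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `diagnose debug flow` output. The third line is the one
# quoted in the thread; every other line, address and name here is made up to
# show a complete denied trace (trace_id=1) next to an allowed one (trace_id=2).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.10.10.20:1->10.55.10.51:2048) from vlan10. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5802 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-10.55.10.51 via root"
id=20085 trace_id=1 func=fw_forward_handler line=781 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.10.10.20:1->10.55.10.52:2048) from vlan10. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-10.55.10.52 via SiteB_VPN"
id=20085 trace_id=2 func=fw_forward_handler line=781 msg="Allowed by Policy-7:"
"""

# key=value pairs; a quoted value may contain spaces and its own '=' characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ROUTE_RE = re.compile(r'find a route: flag=(\w+) gw-(\S+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
POLICY_RE = re.compile(r'policy (\d+)')


def parse_line(line):
    """Turn one trace line into a dict; quoted values are returned without quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def hint_for(summary, tunnel):
    """Triage hint for a packet that hit the implicit deny (policy 0)."""
    if summary['verdict'] != 'denied' or summary['policy'] != 0:
        return None
    if summary['route_via'] == tunnel:
        return ('route selects %s; the implicit deny means no policy matched '
                'the source, destination and service' % tunnel)
    return ('route did not select %s (via %s): check the static route and any '
            'VIP or local address matching the destination' % (tunnel, summary['route_via']))


def triage(text, tunnel):
    """Group trace lines by trace_id and summarise route lookup and policy verdict."""
    traces = defaultdict(list)
    for line in text.splitlines():
        fields = parse_line(line)
        if 'trace_id' in fields:
            traces[fields['trace_id']].append(fields.get('msg', ''))

    results = {}
    for tid, msgs in traces.items():
        summary = {'route_via': None, 'gateway': None, 'verdict': 'unknown',
                   'policy': None, 'hint': None}
        for msg in msgs:
            route = ROUTE_RE.search(msg)
            allow = ALLOW_RE.search(msg)
            if route:
                summary['gateway'], summary['route_via'] = route.group(2), route.group(3)
            elif allow:
                summary['verdict'], summary['policy'] = 'allowed', int(allow.group(1))
            elif 'Denied by forward policy check' in msg or 'check failed on policy' in msg:
                # second form is the iprope_in_check() wording from the linked thread
                summary['verdict'] = 'denied'
                pol = POLICY_RE.search(msg)
                summary['policy'] = int(pol.group(1)) if pol else None
        summary['hint'] = hint_for(summary, tunnel)
        results[tid] = summary
    return results


if __name__ == '__main__':
    for tid, s in triage(SAMPLE_TRACE, 'SiteB_VPN').items():
        print('trace %s: via=%s gw=%s verdict=%s policy=%s' %
              (tid, s['route_via'], s['gateway'], s['verdict'], s['policy']))
        if s['hint']:
            print('  hint:', s['hint'])
```

Run it on a saved debug flow capture with your own phase1 interface name in place of `SiteB_VPN`; a packet whose route lands on the VDOM name rather than the tunnel, followed by policy 0, is the pattern this thread ended up diagnosing.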

Toshi_Esumi
SuperUser
December 22, 2021

And, I have some doubt about the status of the tunnel. Can you share the output of "get vpn ipsec tun name <phase1_name>" after modifying/masking some sensitive info?

Debbie_FTNT
Staff & Editor
December 22, 2021

Hey pieciaq,

to clarify - you have a static route configured via VPN tunnel?

-> the gateway you included above, 10.55.10.51, is that the correct gateway reachable through the tunnel?

You also have a policy from a zone (of which your vlan10 interface is a member) to the tunnel?

-> have you checked the policy details for the following:

1. it allows ICMP

2. the source/destination addresses match your traffic


You can use the 'Policy Lookup' tool in the policy table to determine if you have a matching policy in place (to verify that your ping matches into the configured zone->IPSec policy):

[screenshot: Policy Lookup tool in the policy table]

Hope this helps :)
Cheers!

pieciaq (Author)
Explorer II
December 22, 2021

Thanks a lot for your help.

Yes, I checked Policy Lookup: when I choose the source (the computer IP I ping from), the destination (the computer IP behind the tunnel), protocol "specify" and protocol number 1 (the equivalent of ICMP), it shows me a route with my tunnel interface, so I think that part is OK.

So if the tunnel is up (all phases) and shows a good route, can the problem only be with the policy?