qqh452821000
New Member
March 28, 2019
Solved

ipsec-vpn strange problem

  • March 28, 2019
  • 1 reply
  • 7097 views

Hi everyone,

 

I use a FortiGate 300D to build the IPsec VPN tunnel between Site A and Site B.

Site A has two subnets: one is 10.80.0.0/24, the other is 10.80.102.0/24.

Site B has one subnet, 10.0.0.0/24.

 

Host 10.80.0.100 can ping host 10.0.0.98.

 

Here is the problem:

At the beginning, 10.80.102.32 can't ping 10.0.0.98, but 10.0.0.98 can ping 10.80.102.32.

When I use host 10.0.0.98 to ping host 10.80.102.32 first, then host 10.80.102.32 can ping host 10.0.0.98.

 

After I use "Ctrl + C" in cmd to stop the ping on host 10.0.0.98, 10.80.102.32 can't ping 10.0.0.98 again.

 

Can someone please point me in the right direction? I don't know where the problem is.

 

Thanks

 

 

Best answer by sw2090

This looks as if it can find a route but doesn't match any policy ("Denied by forward policy check (policy 0)" means no other policy matches, so policy 0, i.e. deny all from all via any interface, matches).

1 reply

ede_pfau
SuperUser
March 28, 2019

Please check the policies, especially whether they allow both subnets. What you see is that sessions can only be opened from one side.

The routing is OK obviously.

 

If the problem persists please post the policies and address object definitions.
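To make the "check the policies" advice concrete, here is an added example (editor's code, not from anyone in the thread) that does a first-match policy lookup the way a firewall does it and evaluates each host pair in both directions. The policy table, interface names (port1, SiteB-VPN) and address ranges are constructed for illustration and are not the poster's configuration; the table deliberately covers only the first Site A subnet in the A-to-B direction but all of 10.80.0.0/16 in the B-to-A direction, which reproduces the one-way symptom described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: List[str]   # CIDRs behind the source address objects
    dstaddr: List[str]   # CIDRs behind the destination address objects
    action: str          # "accept" or "deny"


# Constructed policy table (hypothetical, not the poster's FortiGate config).
# Policy 3 only covers Site A's first subnet towards the tunnel; policy 5 covers
# the whole 10.80.0.0/16 coming back from the tunnel.
POLICIES = [
    Policy(3, "port1", "SiteB-VPN", ["10.80.0.0/24"], ["10.0.0.0/24"], "accept"),
    Policy(5, "SiteB-VPN", "port1", ["10.0.0.0/24"], ["10.80.0.0/16"], "accept"),
]


def _covered(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def match_policy(policies: List[Policy], src: str, dst: str,
                 in_iface: str, out_iface: str) -> Tuple[int, str]:
    """First-match evaluation; (0, "deny") is the implicit deny, i.e. what the
    flow trace reports as "Denied by forward policy check (policy 0)"."""
    for p in policies:
        if (p.srcintf in (in_iface, "any") and p.dstintf in (out_iface, "any")
                and _covered(src, p.srcaddr) and _covered(dst, p.dstaddr)):
            return (p.policy_id, p.action)
    return (0, "deny")


def check_both_directions(policies, a_hosts, b_hosts, a_iface, b_iface):
    """Evaluate every A/B host pair as A->B and as B->A."""
    rows = []
    for a in a_hosts:
        for b in b_hosts:
            rows.append((a, b,
                         match_policy(policies, a, b, a_iface, b_iface),
                         match_policy(policies, b, a, b_iface, a_iface)))
    return rows


def asymmetric(rows):
    """Pairs that can only open a session from one side."""
    return [r for r in rows if (r[2][1] == "accept") != (r[3][1] == "accept")]


if __name__ == "__main__":
    rows = check_both_directions(POLICIES, ["10.80.0.100", "10.80.102.32"],
                                 ["10.0.0.98"], "port1", "SiteB-VPN")
    for a, b, fwd, rev in rows:
        print(f"{a} -> {b}: {fwd}   {b} -> {a}: {rev}")
    for a, b, _, _ in asymmetric(rows):
        print(f"one-way only: {a} <-> {b}")
```

Any pair that comes out of `asymmetric()` is a candidate for exactly the behaviour in the question; the fix is then a policy (or a wider address object) for the missing direction, which the next replies show how to confirm with a flow trace.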

Ricardo_Tomas
New Member
March 28, 2019

My bet is on the rules, but you can use the flow trace on both FortiGates' command line to get more info:

Start with a clean up (just in case)

  diagnose debug disable

  diagnose debug reset

then put in the flow commands

  diag debug flow filter addr <source ip>

  diag debug flow show console enable

  diag debug flow trace start 500

  diag debug enable

 

Test the ping and see what the FG shows

Clean the flow again

  diagnose debug disable

  diagnose debug reset

 

After this, you will have messages showing the problem.
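The flow trace above prints one line per step for each packet, grouped by trace_id, and the decisive line is the policy verdict. As an added example (editor's code, not posted by anyone in the thread), here is a small parser that groups those lines and pulls out source, destination, ingress/egress interface and the policy verdict, so you can spot the direction that hits policy 0 at a glance. The sample lines are constructed from memory in the shape of FortiOS trace output (an assumption; they are not captured from the poster's units), with trace_id=1 being the A-to-B ping that is dropped and trace_id=2 the B-to-A ping that is allowed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "diag debug flow" output (not a real capture; the message
# shapes follow FortiOS trace lines as the editor remembers them).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-root received a packet(proto=1, 10.80.102.32:1->10.0.0.98:2048) from port1. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5682 msg="allocate a new session-00012345"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.0.98 via SiteB-VPN"
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5517 msg="vd-root received a packet(proto=1, 10.0.0.98:1->10.80.102.32:2048) from SiteB-VPN. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5682 msg="allocate a new session-00012346"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-10.80.102.32 via port1"
id=20085 trace_id=2 func=fw_forward_handler line=748 msg="Allowed by Policy-5:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*? via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


@dataclass
class FlowTrace:
    trace_id: int
    src: str = ""
    dst: str = ""
    in_iface: str = ""
    out_iface: str = ""
    verdict: str = "unknown"      # "allowed", "denied" or "unknown"
    policy: Optional[int] = None  # policy ID that produced the verdict


def parse_flow_trace(text: str) -> List[FlowTrace]:
    """Group trace lines by trace_id and extract packet, route and verdict."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, FlowTrace(tid))
        pm, rm = PKT_RE.search(msg), ROUTE_RE.search(msg)
        am, dm = ALLOW_RE.search(msg), DENY_RE.search(msg)
        if pm:
            t.src, t.dst, t.in_iface = pm.groups()
        elif rm:
            t.out_iface = rm.group(1)
        elif am:
            t.verdict, t.policy = "allowed", int(am.group(1))
        elif dm:
            t.verdict, t.policy = "denied", int(dm.group(1))
    return [traces[k] for k in sorted(traces)]


def policy0_denials(traces: List[FlowTrace]):
    """Flows that matched no policy at all (implicit deny), with the interface pair
    that a new policy would have to cover."""
    return [(t.src, t.dst, t.in_iface, t.out_iface)
            for t in traces if t.verdict == "denied" and t.policy == 0]


def summarize(traces: List[FlowTrace]) -> str:
    return "\n".join(
        f"trace {t.trace_id}: {t.src} -> {t.dst} ({t.in_iface} -> {t.out_iface or '?'}): "
        f"{t.verdict} by policy {t.policy}"
        for t in traces)


if __name__ == "__main__":
    parsed = parse_flow_trace(SAMPLE_TRACE)
    print(summarize(parsed))
    for src, dst, in_if, out_if in policy0_denials(parsed):
        print(f"no policy from {in_if} to {out_if} covers {src} -> {dst}")
```

Run it against the real output of `diag debug flow trace start` (save the console output to a file and pass its contents to `parse_flow_trace`); a "find a route" line followed by a policy 0 denial is the signature sw2090 describes: routing is fine, the policy set is not.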

 

 

rwpatterson
New Member
March 28, 2019

Make sure the phase 2 selectors match on both ends. If one is a subset of the other, you may see this happen.

 

For example: If site B is set for 10.1.1.0/24 and site A is 10.1.0.0/16, you will be able to open from A to B since A covers all of B, but not so the other way around. (If I recall correctly.)
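A quick way to audit that is to take each side's phase 2 selectors and check that every local selector on one side has an exact mirror among the remote selectors on the other. The following is an added example (editor's code, not from the thread) that does this with the standard `ipaddress` module and labels each non-mirrored selector as a subset, a superset or unmatched. Both scenarios are constructed: the first is rwpatterson's /16 versus /24 case with hypothetical 10.1.x/10.2.x ranges, the second resembles the question (Site A has two subnets, Site B only lists one). Whether a subset selector is actually tolerated depends on the IKE version and the platform, which this thread does not settle; the check just tells you where the two ends disagree.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed phase 2 selectors (hypothetical values, not the poster's config).
# Each side lists its own "local" networks and the peer's "remote" networks.
SUBSET_CASE = {
    "A": {"local": ["10.1.0.0/16"], "remote": ["10.2.0.0/24"]},
    "B": {"local": ["10.2.0.0/24"], "remote": ["10.1.1.0/24"]},
}
MISSING_CASE = {
    "A": {"local": ["10.80.0.0/24", "10.80.102.0/24"], "remote": ["10.0.0.0/24"]},
    "B": {"local": ["10.0.0.0/24"], "remote": ["10.80.0.0/24"]},
}

Finding = Tuple[str, str, str, Optional[str]]  # (comparison, selector, kind, peer match)


def _nets(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def classify(net, peers) -> Tuple[str, Optional[str]]:
    """Relate one selector to the mirrored selector list on the other peer."""
    for p in peers:
        if net == p:
            return ("exact", str(p))
    for p in peers:
        if net.subnet_of(p):
            return ("subset", str(p))
    for p in peers:
        if p.subnet_of(net):
            return ("superset", str(p))
    return ("unmatched", None)


def compare(label: str, ours: List[str], theirs: List[str]) -> List[Finding]:
    """Every selector in 'ours' should have an exact mirror in 'theirs'."""
    peers = _nets(theirs)
    findings = []
    for n in _nets(ours):
        kind, match = classify(n, peers)
        if kind != "exact":
            findings.append((label, str(n), kind, match))
    return findings


def check_phase2(sites: Dict[str, Dict[str, List[str]]]) -> List[Finding]:
    """Compare A.local with B.remote and A.remote with B.local, in both directions."""
    a, b = sites["A"], sites["B"]
    return (compare("A.local vs B.remote", a["local"], b["remote"])
            + compare("B.remote vs A.local", b["remote"], a["local"])
            + compare("A.remote vs B.local", a["remote"], b["local"])
            + compare("B.local vs A.remote", b["local"], a["remote"]))


if __name__ == "__main__":
    for name, case in (("subset case", SUBSET_CASE), ("missing subnet case", MISSING_CASE)):
        print(name)
        for label, sel, kind, match in check_phase2(case):
            print(f"  {label}: {sel} is {kind}" + (f" of {match}" if match else ""))
```

An empty result means the selectors mirror each other exactly; a "subset"/"superset" pair is the situation rwpatterson describes, and an "unmatched" entry is a subnet one side sends into the tunnel that the other side never agreed to.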