Contributor
May 14, 2007
Question

ipsec vpn tunnel up but no communication

Hi all, I have set up a VPN tunnel as explained in the Gateway to Gateway IPSEC VPN Example (http://kc.forticare.com/tmp/2007-5-14_9-49_525_700_01-28006-0119-20041022Gateway-to-gateway_IPSec_VPN_Example_Technical_Note.pdf). The tunnel is up but I cannot connect to any server at the other side of the tunnel. I'm using 2 FortiGate devices, a 50A and a 60, exactly configured as explained in the PDF (route based), but I have no traffic. The only differences are the IP addresses:

  • fortigate 50 - firenze: ip address internal 192.168.2.3 255.255.0.0, ip address external 87.15.2.124
  • fortigate 60 - milano: ip address internal 192.168.1.3 255.255.0.0, ip address external 87.15.2.124

Please, can someone give me some ideas? ciao andrea

    10 replies

    abelio
    SuperUser
    May 14, 2007
    Hello, that forticare document remains outdated, with a lack of information for route-based VPN. There're several threads about this; you could check: http://support.fortinet.com/forum/tm.asp?m=26448&appid=&p=&mpage=1&key=route%2Cbased&language=single&tmode=&smode=&s=#26456 If you followed that PDF step-by-step, it is highly possible that static routes are missing in your config. Hope it helps.
    ounass
    New Member
    May 24, 2007
    You have a problem with your network. You have the same subnet on each network. You need to make a NAT operation to solve the problem.
    rwpatterson
    New Member
    May 24, 2007
    Are those inside networks truly class B? Also, why are the external IP addresses the same? Can't happen. As ounass stated, you need to NAT one of the sides so that routing will take place, because both sides have the same internal network. If there aren't too many nodes, you really should change the subnet masks to class C (24 bit) networks. This will then make each side different, and everything should route again.
    Contributor
    May 31, 2007
    I have the same problem. I can manually bring up the VPN tunnels, but no traffic seems to go through. I am using route based policies; one end is a 200A, the other is a 60AM wifi. The 200A is set up to utilize two separate WAN connections and the 60AM is using a single WAN connection. I am trying to set it up so that there is a semi-redundant connection, so that if either of the WAN connections at the 200A goes down, the tunnel will stay up. I hope someone can explain why the traffic isn't moving properly.
    Fireshield
    New Member
    May 31, 2007
    Jason, let's start with the basics. Do you have a Firewall Policy to allow the traffic to/from the IPSec interface?
    Contributor
    May 31, 2007
    Yes, I followed the "Redundant VPN" and "Gateway-Gateway" configurations in the IPsec VPN Version 3.0 Manual and followed the instructions. I have:

      • Created the Phase 1 and Phase 2 settings (obviously, as I can manually bring up the tunnels). With that being said, I'm not sure if I should configure the Quick Mode Selector with source/destination IPs for Phase 2.
      • Created addresses for both internal networks on both endpoints.
      • Added static routes as per instructions.
      • Defined 'Accept' firewall policies on both devices, for each direction, as per instructions.
    Fireshield
    New Member
    May 31, 2007
    Given that the tunnel is up, I would start with some diagnostics on each end. Try initiating a ping from an end station on one network and do a packet sniff in each FortiGate: `diag sniffer packet any 'icmp' 4`. See if you see any traffic and what interface(s) it is hitting. Find out where it is breaking and use the session tables to make sure the traffic is hitting the correct firewall policy.
    Contributor
    May 31, 2007
    Never mind, as I should have suspected it came down to a typo. I either need to slow down or get my eyes checked. I had the wrong IP address in a static route on the remote side. Thanks for your help.
    Fireshield
    New Member
    May 31, 2007
    Welcome to the Fat Finger Club. I believe I deserve founding member status with how many times I have dine the same.
    Fireshield
    New Member
    May 31, 2007
    LOL...see, I can't even spell done.
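The three failure modes this thread walks through (overlapping /16 LANs, a missing static route toward the tunnel interface, and a mistyped return route or missing accept policy on the remote side) can be reasoned about before touching the boxes. The following Python model is an added example, not code from the thread or from Fortinet: it mimics the longest-prefix route lookup and the accept-policy check of a route-based IPsec site; the interface names "internal", "wan1" and "vpn" and all addresses are constructed.

```python
import ipaddress

# Constructed teaching model of the lookups debugged in this thread (route-based
# IPsec: static route toward the tunnel interface, then an accept policy). It is
# not FortiGate's forwarding code; interface names "internal", "wan1", "vpn" are
# assumptions.

def build_site(name, internal, routes, policies):
    """internal: LAN address/mask; routes: (destination, egress interface)."""
    lan = ipaddress.ip_network(internal, strict=False)
    table = [(lan, "internal")] + [(ipaddress.ip_network(d), i) for d, i in routes]
    return {"name": name, "lan": lan, "routes": table, "policies": set(policies)}

def lookup(site, dst):
    """Longest-prefix match over the site's routing table; None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [(n, i) for n, i in site["routes"] if dst in n]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def check_tunnel(a, b, src, dst):
    """Explain whether src behind site a can reach dst behind site b."""
    if a["lan"].overlaps(b["lan"]):
        return "overlap: both LANs fall in %s, so the packet never leaves the " \
               "local LAN (NAT one side or renumber)" % a["lan"]
    out = lookup(a, dst)
    if out != "vpn":
        return "%s sends %s via %s, not the tunnel (static route missing or wrong)" \
               % (a["name"], dst, out or "nowhere")
    if ("internal", "vpn") not in a["policies"]:
        return "%s has no internal -> vpn accept policy" % a["name"]
    back = lookup(b, src)
    if back != "vpn":
        return "%s returns %s via %s, not the tunnel (static route missing or wrong)" \
               % (b["name"], src, back or "nowhere")
    if ("vpn", "internal") not in b["policies"]:
        return "%s has no vpn -> internal accept policy" % b["name"]
    return "ok"

BOTH_WAYS = [("internal", "vpn"), ("vpn", "internal")]

if __name__ == "__main__":
    # /16 masks as posted: both LANs collapse to 192.168.0.0/16
    f16 = build_site("firenze", "192.168.2.3/16", [("0.0.0.0/0", "wan1"), ("192.168.1.0/24", "vpn")], BOTH_WAYS)
    m16 = build_site("milano", "192.168.1.3/16", [("0.0.0.0/0", "wan1"), ("192.168.2.0/24", "vpn")], BOTH_WAYS)
    print(check_tunnel(f16, m16, "192.168.2.10", "192.168.1.10"))
    # /24 masks with a mistyped return route on the remote side (Jason's case)
    f24 = build_site("firenze", "192.168.2.3/24", [("0.0.0.0/0", "wan1"), ("192.168.1.0/24", "vpn")], BOTH_WAYS)
    m24 = build_site("milano", "192.168.1.3/24", [("0.0.0.0/0", "wan1"), ("192.168.3.0/24", "vpn")], BOTH_WAYS)
    print(check_tunnel(f24, m24, "192.168.2.10", "192.168.1.10"))
```

With the mistyped return route, the model shows the reply leaking out wan1 instead of the tunnel, which is exactly what `diag sniffer packet` on the remote unit would reveal.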