BeerAdmin
New Member
July 15, 2022
Question

Multisite traffic over IPSEC VPN Issue.

  • July 15, 2022
  • 2 replies
  • 1767 views

I've got a scenario where I can't seem to get traffic between two sites, to route to a third site over an IPSEC VPN.


Here's the Setup


Site A Fortigate (remote site) --private WAN connection--Site B Fortigate (Primary Site)--IPSEC VPN--Site C (subsidiary site) Palo Alto 


I have an IPSEC tunnel set up between Site B and Site C with two Phase 2 selectors: one for a subnet at Site B, which is working, and one for a subnet at Site A, which is not working.


Testing has produced the following results:

Tracert from Site A to Site C stops at the Private WAN interface on the Fortigate at Site B.


Starting a ping from Site A to Site C:

Packet capture on the Site A Fortigate looking for traffic to Site C shows packets sent but not received.

Packet capture on the Site B Fortigate looking for traffic to Site C shows packets sent but not received.


Policies on both Site A and B Fortigates show traffic.


I'm at a loss as to where to go with troubleshooting. Policy lookups at Site A show the traffic is allowed, and the same for Site B. I don't have access to the Palo Alto at Site C, as it's a subsidiary.

2 replies

BeerAdmin (Author)
New Member
July 15, 2022

Was going crazy. Turns out the admin had forgotten to put in a static route to the subnet at Site A.
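The resolution above is a classic asymmetric-routing failure: the forward path (Site A to Site C) is routed and covered by a Phase 2 selector, but the far end has no route back to Site A's subnet, so the reply never enters the tunnel and captures at Sites A and B show "sent but not received". The following added example (not code from the thread or from any vendor) models that check as a small path tracer over a toy routing table and selector list. Every site name, subnet, address and routing entry is constructed for illustration; the real topology's values are not on the page.

```python
"""Added example: trace forward and return paths through the A--B--C topology
and report which hop drops the packet. All values below are constructed."""
import ipaddress

# Constructed site subnets (assumptions, not the poster's real prefixes).
SITE_A_NET = ipaddress.ip_network("10.1.0.0/24")
SITE_B_NET = ipaddress.ip_network("10.2.0.0/24")
SITE_C_NET = ipaddress.ip_network("10.3.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Phase 2 selectors on the Site B <-> Site C tunnel, as (local at B, remote at C).
PHASE2_SELECTORS = [(SITE_B_NET, SITE_C_NET), (SITE_A_NET, SITE_C_NET)]
TUNNEL_ENDPOINTS = {"SiteB-FGT", "SiteC-PA"}


def build_routers(site_c_has_route_to_a):
    """Return routing tables: router name -> [(prefix, next_hop)].

    next_hop is another router name, or "local" for a directly attached subnet.
    The flag reproduces the bug the thread describes: with it False, the
    far-end device has no return route for Site A's subnet.
    """
    routers = {
        "SiteA-FGT": [(SITE_A_NET, "local"), (DEFAULT, "SiteB-FGT")],
        "SiteB-FGT": [(SITE_B_NET, "local"), (SITE_A_NET, "SiteA-FGT"),
                      (SITE_C_NET, "SiteC-PA")],
        "SiteC-PA": [(SITE_C_NET, "local"), (SITE_B_NET, "SiteB-FGT")],
    }
    if site_c_has_route_to_a:
        routers["SiteC-PA"].append((SITE_A_NET, "SiteB-FGT"))
    return routers


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None if no route exists."""
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def selector_allows(src, dst):
    """True if a Phase 2 selector covers src->dst in either direction."""
    return any((src in local and dst in remote) or (src in remote and dst in local)
               for local, remote in PHASE2_SELECTORS)


def router_for(routers, addr):
    """Find the router that has addr's subnet directly attached."""
    for name, table in routers.items():
        if any(next_hop == "local" and addr in prefix for prefix, next_hop in table):
            return name
    raise ValueError(f"no router owns {addr}")


def trace(routers, src, dst, max_hops=8):
    """Walk hop by hop from src's router toward dst. Returns (reached, hops, reason)."""
    cur = router_for(routers, src)
    hops = [cur]
    for _ in range(max_hops):
        next_hop = lookup(routers[cur], dst)
        if next_hop is None:
            return False, hops, f"{cur} has no route to {dst}"
        if next_hop == "local":
            return True, hops, "delivered"
        # Traffic only enters the IPsec tunnel if a Phase 2 selector matches it.
        if {cur, next_hop} == TUNNEL_ENDPOINTS and not selector_allows(src, dst):
            return False, hops, f"no Phase 2 selector for {src}->{dst} at {cur}"
        hops.append(next_hop)
        cur = next_hop
    return False, hops, "hop limit exceeded"


def check_bidirectional(routers, src_str, dst_str):
    """A ping needs both directions; return (forward_result, return_result)."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    return trace(routers, src, dst), trace(routers, dst, src)


if __name__ == "__main__":
    for has_route in (False, True):
        fwd, rev = check_bidirectional(build_routers(has_route), "10.1.0.10", "10.3.0.10")
        print(f"Site C route to Site A present={has_route}: forward={fwd}, return={rev}")
```

With the return route absent, the forward trace reaches Site C but the return trace fails immediately at the Site C device, which is exactly the symptom seen from the Fortigate side: requests leave, replies never come back. Adding the route makes both directions succeed. On real gear the equivalent check is to look at the routing table and the installed Phase 2 selectors on each end, not only the firewall policies, since a policy match says nothing about whether the return path exists.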

ntaneja
Staff & Editor
July 17, 2022

Hi BeerAdmin


Great that you found and fixed the issue.

Below is a link you can keep handy for IPSEC troubleshooting in case you need it any time in future:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955


Thanks