Cleyton_Agenil_da_Si
New Member
November 30, 2020
Question

Ping CLI on web panel and SSH does not respond to FG VPN

  • November 30, 2020
  • 1 reply
  • 7109 views

Dear

I have the following scenario: I have two FortiGates connected via an IPsec VPN (FG 80E HQ + FG 50E BRANCH).

Behind the FG 80E HQ I have a Windows DNS server, resolving the DNS of the station behind the FG 50E. However, in the web management console of the FG 50E Branch, in the DNS -> DNS Settings option, I specify the Windows DNS server behind the FG 80E HQ. However, DNS Servers is red, indicating that the Windows DNS server was not found. When pinging through the CLI console on the web panel or via SSH, an error message appears, as shown in the image attached to this post. The LAN interface IP on the FG 80E HQ also does not respond to ping.

    1 reply

    brycemd
    New Member
    November 30, 2020

    The issue in both cases is the source IP. The FortiGate will use the IP of the interface it leaves from as its source, in this case the IPsec tunnel. The problem is that by default that IP is going to be 0.0.0.0, so it's effectively unroutable as a source IP. Unless you want to IP your IPsec tunnel interfaces and make them routable, you need to specify the source IP.

    For DNS:

    config sys dns
        # source-ip is the address the FortiGate itself uses for its DNS queries
        set source-ip x.x.x.x
    end

    For ping:

    # ping-options source sets the address used by the pings that follow
    exec ping-options source x.x.x.x
    exec ping x.x.x.x

    There are source IP options like this for other services as well (LDAP, RADIUS, etc.) that are useful for IPsec tunnels.
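An added example (not brycemd's or Fortinet's own text) that puts the source-ip approach together on the branch unit for DNS, LDAP and RADIUS and then checks it with ping. The interface and server addresses are placeholders I chose, the server names are assumed, and it assumes HQ already routes the branch LAN back over the tunnel.

```fortios
# Branch FortiGate (FG 50E): pin a routable source IP on every service
# that must reach servers behind the HQ FortiGate through the tunnel.
# Assumed placeholder values (not from the thread):
#   branch LAN interface address : 192.0.2.1
#   HQ Windows DNS server        : 198.51.100.10
#   HQ LDAP / RADIUS servers     : 198.51.100.20 / 198.51.100.30
# The source IP must be one HQ already routes over the tunnel, otherwise
# replies never come back and the symptom looks the same as 0.0.0.0.

# 1. DNS lookups from the FortiGate itself (clears the red "DNS Servers" status)
config system dns
    set primary 198.51.100.10
    set source-ip 192.0.2.1
end

# 2. Authentication servers behind HQ: the same knob, set per server entry
config user ldap
    # "hq-ldap" is an assumed entry name
    edit "hq-ldap"
        set server "198.51.100.20"
        set source-ip 192.0.2.1
    next
end
config user radius
    # "hq-radius" is an assumed entry name
    edit "hq-radius"
        set server "198.51.100.30"
        set source-ip 192.0.2.1
    next
end

# 3. Verify from the CLI: without the source option the ping leaves the
#    tunnel interface with 0.0.0.0 and gets no reply; with it the HQ
#    server should answer. Reset afterwards so later pings are unaffected.
execute ping-options source 192.0.2.1
execute ping 198.51.100.10
execute ping-options reset
```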

    Cleyton_Agenil_da_Si
    New Member
    December 1, 2020

    Thanks for the tip, brycemd.


    I configured the tunnel interface, removing the default IP 0.0.0.0 and adding the source IP (Addressing mode Manual, IP 10.1.2.1/32 and remote IP / Netmask 10.1.1.1/24 - Destination IP). I tried to route IP from the IPsec VPN interface, but I'm not getting it.

    slashdes
    New Member
    December 2, 2020

    Hi! I have the same problem. How can I make the IP on the IPsec interface routable?