aguerriero
Explorer
October 4, 2022
Question

policy vpn with vpn concentrator not passing traffic between spokes 7.0.5

  • October 4, 2022
  • 2 replies
  • 1233 views

I can get a dial-up VPN going and the IPsec policy works fine, but spoke-to-spoke traffic does not work when a concentrator is added.

Debug flow shows packets ingressing from spoke 1 and egressing to spoke 2. The problem is that return traffic from spoke 2 is never processed by the FortiGate. The flows show absolutely nothing.

The reverse path is the same: traffic from spoke 2 to spoke 1 is received at spoke 1, but the FortiGate does not process the return traffic from spoke 1.

I tried this out on 6.2.10 and the flow showed the traffic being dropped by policy 0. After moving to a different firewall running 7.0 I now get good policy matches, but no return traffic is processed.

Capturing packets on the underlay definitely shows return traffic making it to the FortiGate.
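As an added illustration (not configuration posted in this thread), this is the shape of a policy-based hub with a concentrator for dial-up spokes, followed by the two checks the post describes: a debug-flow trace on the return direction and a sniffer on the underlay. All names and addresses are assumptions (phase1 "spokes", phase2 "spokes-p2", spoke hosts 10.1.1.10 and 10.1.2.10, spoke 2 public address 203.0.113.2), and the concentrator member syntax should be confirmed against the CLI reference for the FortiOS version in use.

```fortios
# Added example, not from this thread. Hub FortiGate, policy-based IPsec
# (config vpn ipsec phase1/phase2, not phase1-interface) with a concentrator.
# Names and addresses below are assumptions, not values from the post.

# Dial-up phase2 that the spokes land on. Wide-open quick-mode selectors on the
# hub so that a spoke-to-spoke selector (10.1.1.0/24 <-> 10.1.2.0/24) can match;
# each spoke's own selectors must also cover the other spoke's subnet.
config vpn ipsec phase2
    edit "spokes-p2"
        set phase1name "spokes"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# The concentrator is what lets traffic decrypted from one spoke be
# re-encrypted toward another. Whether "member" takes the tunnel (phase1)
# name or the phase2 name depends on the FortiOS release; verify for 7.0.5.
config vpn ipsec concentrator
    edit "hub"
        set member "spokes"
    next
end

# Policy-based VPN still needs an IPsec-action policy with both directions on.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set vpntunnel "spokes"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
end

# Check 1: trace the policy lookup for the return direction (spoke 2 -> spoke 1).
diagnose debug flow filter saddr 10.1.2.10
diagnose debug flow filter daddr 10.1.1.10
diagnose debug flow trace start 100
diagnose debug enable
# ... generate spoke 1 -> spoke 2 traffic, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable

# Check 2: confirm on the underlay that spoke 2's return packets reach the hub.
diagnose sniffer packet any 'host 203.0.113.2' 4 20 l
diagnose vpn tunnel list
```

If check 2 shows packets arriving while check 1 prints nothing for them, the packets are being consumed before the policy engine sees them, which narrows the search to the IPsec SA and selector matching rather than to the firewall policies.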

2 replies

Anthony_E
Staff
October 7, 2022

Hello aguerriero,

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Regards,

Best Regards
abelio
SuperUser
October 7, 2022

Hello

Did you already check the 'net-device' setting?
If not, it is explained in detail here:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-set-net-device-new-route-based-IPsec-logic/ta-p/193618

aguerriero
Explorer
October 7, 2022

I am not using an IPsec interface. net-device is not an option.