Sebix
New Member
March 9, 2022
Question

Problem with PING between IPsec

  • March 9, 2022
  • 7 replies
  • 4266 views

Hello.

 

I have a problem with PING between IPsec sites in my project.

My network is built partly in GNS3 and partly physically at home.
In GNS3 I have 2 FortiGate devices with IP addresses 10.1.20.1 (name BYD) and 10.3.90.1 (name WAW).
Physically at home I have a FortiGate with IP address 10.0.90.1 (name GDA).

 

IP Address IPsec GDA: 192.168.0.201
IP Address IPsec BYD: 192.168.0.200
IP Address IPsec WAW: 192.168.0.203


Everything looks good, but I have a problem with ping from GDA to BYD and WAW.
IPsec between all sites is working well, and PING from BYD and WAW reaches GDA. PING between BYD and WAW also works well.

 

IPv4 Policy BYD:

Sebix_0-1646814663926.png

IPv4 Policy WAW:

Sebix_1-1646814700405.png

IPv4 Policy GDA:

Sebix_2-1646814724133.png

In addition, I have a static route set as below
BYD:

Sebix_3-1646814804728.png

WAW:

Sebix_4-1646814816253.png

GDA:

Sebix_5-1646814826500.png

Administrative distance is 1 everywhere and blackhole is 254.

Can someone help solve the problem?



 

7 replies

Contributor
March 9, 2022

Hi,

Thank you for using Community.

Are these the screen captures when you tried pinging from GDA-BYD/WAW? If it is, it seems that the interface 'LAN' configured in GDA is not up. 


Sebix (Author)
New Member
March 9, 2022

Ping from WAW and BYD to GDA from CLI Forti

Sebix_0-1646822733221.png

PING from GDA to WAW and BYD from CLI Forti

Sebix_1-1646822809623.png

 

Contributor
March 9, 2022

What I may propose is to look at what is happening to the packets/traffic flow. Please try the following commands while pinging:

 

diag debug enable

diag debug flow filter addr <ipaddr4>

diag debug flow trace start 1000

diag debug flow trace stop

 

 

Sebix (Author)
New Member
March 9, 2022

Ping from GDA to WAW and BYD

Sebix_0-1646823571372.png

BYD to GDA

Sebix_1-1646823752175.png

 

vponmuniraj
Staff
March 9, 2022

Hi Sebix,

 

The error "no matching IPsec selector, drop" is seen in the firewall GDA-FW. 

 

Check the traffic selectors under the phase2 config (source subnet 192.168.0.x, destination subnet 10.3.90.x). Also, you may share the output of diag vpn tunnel list name <VPN name> for a better understanding.

 

 

Regards,
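To make the diagnosis above repeatable, here is an added example (not from the thread or from Fortinet) that walks a captured "diag debug flow" trace, pulls the source/destination of each traced packet, and checks whether the pair falls inside the phase2 selectors. The trace lines and the selectors (local 10.0.90.0/24, remote 10.3.90.0/24) are constructed for illustration and the line format is only an approximation of real FortiGate output.

```python
import re
import ipaddress

# Constructed sample of a "diag debug flow" trace (format approximated, not from the thread).
# trace_id=1: ping sourced from the wan1 address 192.168.0.201, dropped by the selector check.
# trace_id=2: ping sourced from the LAN address 10.0.90.1, accepted and encrypted.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.0.201:1->10.3.90.1:2048) from local. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=790 msg="enter IPsec interface-GDA-WAW"
id=20085 trace_id=1 func=ipsec_common_output4 line=880 msg="No matching IPsec selector, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.0.90.1:1->10.3.90.1:2048) from local. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=790 msg="enter IPsec interface-GDA-WAW"
id=20085 trace_id=2 func=esp_output4 line=905 msg="IPsec encrypt/auth"
"""

# Hypothetical phase2 selectors on GDA: (local subnet, remote subnet) pairs.
PHASE2_SELECTORS = [
    (ipaddress.ip_network("10.0.90.0/24"), ipaddress.ip_network("10.3.90.0/24")),
]

PKT_RE = re.compile(r"\((?:proto=\d+, )?(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)")


def parse_flow(text):
    """Group trace lines by trace_id, keeping the packet addresses and every msg= string."""
    flows = {}
    for line in text.splitlines():
        m_tid = re.search(r"trace_id=(\d+)", line)
        m_msg = re.search(r'msg="(.*)"', line)
        if not (m_tid and m_msg):
            continue
        flow = flows.setdefault(m_tid.group(1), {"src": None, "dst": None, "msgs": []})
        m_pkt = PKT_RE.search(m_msg.group(1))
        if m_pkt:
            flow["src"], flow["dst"] = m_pkt.group("src"), m_pkt.group("dst")
        flow["msgs"].append(m_msg.group(1))
    return flows


def selector_matches(src, dst, selectors):
    """True if src/dst fall inside at least one (local, remote) phase2 selector pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


def diagnose(text, selectors=PHASE2_SELECTORS):
    """Return {trace_id: {"src", "dst", "verdict"}} with a verdict per traced packet."""
    report = {}
    for tid, flow in parse_flow(text).items():
        dropped = any("no matching ipsec selector" in m.lower() for m in flow["msgs"])
        inside = selector_matches(flow["src"], flow["dst"], selectors)
        if dropped and not inside:
            verdict = "selector_mismatch"   # fix the ping source or the phase2 selectors
        elif dropped:
            verdict = "dropped_other"       # selectors fit locally; check the peer's selectors
        else:
            verdict = "passed"
        report[tid] = {"src": flow["src"], "dst": flow["dst"], "verdict": verdict}
    return report
```

Running diagnose(SAMPLE_FLOW) flags trace 1 as a selector mismatch (192.168.0.201 is outside the local selector) and trace 2 as passed, which is the same conclusion the thread reaches by re-sourcing the ping from 10.0.90.1.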

Sebix (Author)
New Member
March 9, 2022

IPsec config GDA to WAW

Sebix_1-1646827598880.png

interface wan1 - 192.168.0.201
Phase2 GDA to WAW

Sebix_2-1646827672644.png

DIAG

Sebix_3-1646827753554.png

@vponmuniraj 
@Anonymous 

Any idea?

vponmuniraj
Staff
March 11, 2022

Hi Sebix,

 

Looking at the flow debug and the output, it looks like the pings to 10.3.90.1 & 10.1.20.1 are sourced from IP 192.168.0.201 (probably because the tunnel interface has no IP).

 

Check the below from GDA:

exec ping-option source 10.0.90.1
exec ping 10.3.90.1
exec ping 10.1.20.1

 

 

Regards,

Sebix (Author)
New Member
March 12, 2022

Ping from GDA to WAW with source 10.0.90.1

Sebix_0-1647084572728.png

 

I tried to figure it out, and
when I add policy rules on WAW

Sebix_0-1647091358128.png


And BYD

Sebix_1-1647091375918.png


Then PING from GDA works fine.