Juquinha
New Member
May 7, 2020
Question

Security Fabric - No response from upstream Fortigate

  • May 7, 2020
  • 1 reply
  • 6324 views

Hi All!

I'm testing Security Fabric and I'm having some trouble getting it working. I have set up my core and a branch FG to work with Security Fabric through an IPsec tunnel. The interfaces are configured as in much of the documentation on the web, and I see the packets coming from the branch to the IP of the core firewall, on destination port 8013. The thing is that my core firewall does not respond to these packets.

I've searched for troubleshooting commands, but they are few and not that useful.

Additionally: is it REQUIRED to have an IP address on the IPsec interface? Because I do not see why it should be required.

1 reply

HaTiMuX
New Member
June 5, 2020

Hi,

Did you run diag debug flow to see why the core FG is not responding?

I don't know which documentation you followed, but here is an example:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/75456/configuring-tunnel-interfaces

I think an IP address is required on the IPsec interface because the FortiGate itself is initiating traffic and it needs an IP on the tunnel interface to be able to communicate.

Juquinha (Author)
New Member
June 5, 2020

Hello, HaTiMuX!

Actually, I did a sniffing analysis and discovered that my branch FG was sending the packets with the WAN IP address as the source address. I added this address to my phase 2 configuration and it didn't succeed.

It only worked when I configured IP addresses on the IPsec interface on both sides, in a lab environment. It seems that yes, it is mandatory. This is a sad thing, because we do not normally use addresses on our IPsec interfaces, as it is not needed for traffic to flow.

Fortinet could handle this by giving an option to change the source address, as we have, for example, for the LDAP or RADIUS server.

neonbit
New Member
June 5, 2020

I normally create a loopback interface on the core FGT, create an allow policy from VPN to loopback on the core, then ensure the remote sites have routes to this loopback via the VPN, then have an SD-WAN rule on the remote sites to send the loopback traffic via the VPN/SD-WAN overlay.

This will still need IP addresses on the IPsec VPNs, but if you're doing dial-up VPNs you can use mode-config and have the branch offices get an IP address automatically so you don't have to manage them.