ast1300n
New Member
October 31, 2017
Question

Setting source-IP on IPSEC VPN interface


Several cookbooks and VPN manuals reference the following in their troubleshooting sections:

"On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source-IP. In this scenario, you must assign an IP address to the virtual IPSEC VPN interface. Anything sourced from the FortiGate going over the VPN will use this IP address."

How do I set the source-IP of my IPSEC VPN interface? I'd like to be able to ping from our firewalls to each other after creating the tunnel.


    Toshi_Esumi
    SuperUser
    October 31, 2017

    In the GUI, go to "Network->Interface", select your tunnel interface name, then "Edit".

    There should be an "Address" section that includes "IP" and "Remote IP". You can use any IPs, but both go into the routing table as connected /32 routes. Then make sure you allow "PING" in the "Restrict Access" section.

    tanr
    New Member
    October 31, 2017

    I don't think the GUI exposes the source IP for IPsec interface VPNs in 5.4.x. It only allows you to set the remote IP. I have set my local IP through the CLI as follows:

     

    conf vpn ipsec phase1-interface
      edit <ipsec-name>
        set local-gw IP.IP.IP.IP
      end

     

    Toshi_Esumi
    SuperUser
    November 1, 2017

    It should let you. The attachment is from my home FG50E w/ 5.4.6.
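
The GUI steps from the first reply (tunnel interface "IP", "Remote IP" and PING under "Restrict Access"), written as FortiOS CLI together with a sourced ping to test the result. This is an added example, not a configuration posted by anyone in the thread; `<ipsec-name>` stands for your phase1-interface name, and the 10.255.255.x addresses are constructed placeholders.

```fortios
# Added example: 10.255.255.1 (local) and 10.255.255.2 (peer) are constructed
# tunnel addresses. Configure the mirrored pair on the other firewall.
config system interface
    edit <ipsec-name>
        # Local address of the tunnel interface (the "IP" field in the GUI).
        set ip 10.255.255.1 255.255.255.255
        # Peer's tunnel address (the "Remote IP" field in the GUI).
        # Some FortiOS releases expect a netmask after this address;
        # "set remote-ip ?" shows the form your build accepts.
        set remote-ip 10.255.255.2
        # Allow only ping on the tunnel interface; leave administrative
        # access (https, ssh) off unless it is actually needed here.
        set allowaccess ping
    next
end

# Both addresses should now show up as connected /32 routes.
get router info routing-table connected

# Ping the peer's tunnel address, sourced from the local tunnel address.
execute ping-options source 10.255.255.1
execute ping 10.255.255.2
```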