imnuan
New Member
September 13, 2015
Question

Site 2 Site VPN (Fortigate 70D to Netgear FVS318N)

  • September 13, 2015
  • 3 replies
  • 17510 views

Hi Everyone

I'm stuck with a site-to-site configuration. I was able to set up the tunnel between the Fortigate and the Netgear and configured the firewall rules, but I can't ping from either side. Has someone a similar configuration? What information do I have to provide here?


Regards

Christian

3 replies

Joshua_MJ
New Member
September 13, 2015
Hey Christian, have you configured static routes on both routers? And also don't forget about the two policies to allow traffic back and forth...
imnuan (Author)
New Member
September 14, 2015

Good Morning


Yes I have. But in all the docs it is written that I have to select VPN, and I don't see any VPN option when creating a route. I can only select Network.

Bildschirmfoto 201..-14 um 08.41.02.jpg

Here is the network view:

wan1          46.xxx.xxx.xxx  255.255.254.0  Physical    AUTO-IPSEC  9
Road_Warroir  0.0.0.0         0.0.0.0        VPN Tunnel  3
S2S-Flue5     0.0.0.0         0.0.0.0        VPN Tunnel  4


Regards

Christian

Joshua_MJ
New Member
September 14, 2015

Hi, find attached an image of the Fortigate VPN tunnel creation. Also make sure that you configured the local and remote interfaces with the correct IP addresses.

Somashekara_Hanumant
Staff & Editor
September 14, 2015

Hi,


Kindly collect the packets with the commands below to see where the packet is passing.


diag debug reset
diag debug enable
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter proto 1
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 200


Where x.x.x.x is a private IP behind the Netgear device.


After entering the above commands in the SSH session, try to ping x.x.x.x from your private IP address.


Cheers,

Somu

imnuan (Author)
New Member
September 14, 2015

Hi Somu

Here is the log:


id=20085 trace_id=17 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=26."
id=20085 trace_id=17 func=init_ip_session_common line=4569 msg="allocate a new session-0013e41b"
id=20085 trace_id=17 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.5.1 via S2S-Flue5"
id=20085 trace_id=17 func=fw_forward_handler line=671 msg="Allowed by Policy-4:"
id=20085 trace_id=17 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=17 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"
id=20085 trace_id=18 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=27."
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-0013e41b, original direction"
id=20085 trace_id=18 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.5.1 via S2S-Flue5"
id=20085 trace_id=18 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=18 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"
id=20085 trace_id=19 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=28."
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-0013e41b, original direction"
id=20085 trace_id=19 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=19 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"
id=20085 trace_id=20 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=29."
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-0013e41b, original direction"
id=20085 trace_id=20 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=20 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"


Regards

Christian

emnoc
New Member
September 14, 2015

Your problem should be obvious;


"No matching IPsec selector, drop"



Unless my eyes are bad, you defined a 255.255.255.255 (host mask) on your proxy IDs. Change that to a /24 or whatever subnet mask and you should have access.
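To make the diagnosis above concrete, here is an added example (not code from the thread or from Fortinet) that models the phase 2 selector check behind "No matching IPsec selector, drop" and pulls such drops out of the debug flow output posted earlier. The proxy ID values are constructed: the thread does not say which hosts were configured, only that a host mask was used.

```python
import ipaddress
import re

# Phase 2 selectors as (local, remote) networks. Both sets are constructed for the example:
# the first mimics a host-mask (/32) proxy ID, the second the /24 fix emnoc suggested.
SELECTORS_HOST_MASK = [("192.168.222.1/32", "192.168.5.1/32")]   # constructed: too narrow
SELECTORS_SUBNET = [("192.168.222.0/24", "192.168.5.0/24")]      # constructed: covers the LANs


def selector_matches(selectors, src, dst):
    """True if the (src, dst) pair is covered by at least one phase 2 selector.
    This is the check whose failure the firewall logs as a selector drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)
               for loc, rem in selectors)


# Matches the packet summary line of "diag debug flow" output.
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\)")
TRACE_RE = re.compile(r"trace_id=(\d+)")


def find_selector_drops(log_text):
    """Group flow trace lines by trace_id and return (trace_id, src, dst) for every
    packet that reached the IPsec interface but had no matching selector."""
    pkts, drops = {}, []
    for line in log_text.splitlines():
        tid = TRACE_RE.search(line)
        if not tid:
            continue
        m = PKT_RE.search(line)
        if m:
            pkts[tid.group(1)] = (m.group(2), m.group(3))
        elif "No matching IPsec selector" in line and tid.group(1) in pkts:
            drops.append((tid.group(1),) + pkts[tid.group(1)])
    return drops


def drops_explained_by(selectors, log_text):
    """Return the logged drops that the given selector set fails to cover."""
    return [d for d in find_selector_drops(log_text)
            if not selector_matches(selectors, d[1], d[2])]


# Sample input: four lines copied from the trace posted in this thread.
SAMPLE_LOG = """\
id=20085 trace_id=17 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=26."
id=20085 trace_id=17 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.5.1 via S2S-Flue5"
id=20085 trace_id=17 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=17 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"
"""
```

With the host-mask selectors the ping source 192.168.222.144 is outside the proxy ID and every drop in the log is explained; with the /24 selectors none is.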


imnuan (Author)
New Member
September 15, 2015

Good Morning

Problem solved. There were 2 issues. The first one was wrong subnet masking. The second was a wrong routing entry on the Netgear.


Thanks for all the help.


Regards

Christian

Joshua_MJ
New Member
September 15, 2015

Thanks Bra