Skip to main content
RobAvie
RobAvie
New Member
August 18, 2021
Question

Site to site Tunnel not allowing traffic to destination IP

  • August 18, 2021
  • 1 reply
  • 2555 views

Let me start off by stating that I have very little experience with Fortigate and was pushed onto this project to "fix" this. I have a vpn setup between two sites. Site A is making requests to Site B to an API on a specific (Nat'd) IP, but for some reason I cannot get traffic to that IP. I can see data coming (in the fortigate) in but nothing is making it to the specified server.

 

Below is the configuration as best as I can describe it. I am sure there is something I am missing. Site A: is not under my configuration but has been assured to be configured "properly" with no Nat'd addresses. Site B: Configuration as follows... Please let me know if you need more info. Static IPSec Tunnel:

[ul]
  • Wan interface with External (internet facing) IP address of Site A
  • Nat Traversal is enabled
  • Authentication is matched between the sites in Phase 1
  • Phase 2: Several selectors set  Local to remote[ul]
  •  Site B (Nat'd) 172.31.254.208 to Site A (prod) 123.45.67.8
  •  Site B (Nat'd) 172.31.254.208 to Site A (test) 123.45.67.9
  •  Site B (Lan) 192.168.2.4 to Site A (prod) 123.45.67.8
  •  Site B (Lan) IP 192.168.2.4 to Site A (test) 123.45.67.9[/ul][/ul]

    IPv4 Virtual IP created for the server

    [ul]
  •  (the Site B server) 172.31.254.208 --> 192.168.2.4 (Interface) IpSec Tunnel (Ref) 0[/ul]

    IPv4 policy (Note: that both of these show a caution alert that "all source interfaces are down" but IPsec tunnel shows as Status: Up)

    [ul]
  • Lan - IPSec tunnel (1-1): (Source) 172.31.254.208 (Destination) Site A Server addresses pool
  • IPSec tunnel - Lan  (3-3): (Source) Site A Server addresses pool (Destination) 172.31.254.208[/ul]

    Static Routes

    [ul]
  • (Destination) 123.45.67.8 (Interface) IPsec Tunnel (Administrative distance) 10
  • (Destination) 123.45.67.9 (Interface) IPsec Tunnel (Administrative distance) 10
  • (Destination) 123.45.67.8 (Interface) Blackhole (Administrative distance) 200
  • (Destination) 123.45.67.9 (Interface) Blackhole (Administrative distance) 200[/ul]

    I used the Forti Cookbook (https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/616440/configuring-ipsec-vpn-on-branch) to configure this originally.   Unfortunately I am at a loss as to what to try next. Any help would be appreciated.

      • 1 reply

      ac1
      ac1
      Explorer III
      August 26, 2021

      The configuration is correct.

      The Phase 2 is up when you test the traffic?

      From ip 172.31.254.208 can you ping 123.45.67.8 or 123.45.67.9?

      Terms & ConditionsAccessibility statement