isei_olivier
New Member
March 3, 2016
Question

Site to Site VPN and ping


Hello everyone

First please excuse my mediocre English in the rest of this post.

I've recently configured a site-to-site VPN for my company between two Fortigate 60Cs.

On the HQ side the Fortigate is directly behind the public IP.

On the Branch side the Fortigate is behind a NAT router (Freebox, French internet provider); its IP on the subnet of this router is 192.168.0.110.

I've managed to set up a route-based VPN (interface + static route and policies) and had no issue bringing it up.

The issue I get is that the VPN seems to be one way only.

I can ping from Branch to HQ and connect (using the local network) with remote control software like AMMYY, but the same from HQ to Branch doesn't work.

I would really appreciate your help on this topic.

I have to add that I'm not completely familiar with the Fortigate, so if you ask me for some logs I would need an explanation of how to get them.

Thanks,

Olivier

1 reply

ede_pfau
SuperUser
March 3, 2016

hi,

and welcome to the forums.

I can only guess that you have created a dial-in VPN, with the 'hidden' branch FGT dialing in to the HQ.

On the branch FGT, you already have a static route to the HQ network, and a policy allowing 'internal' to 'tunnel'. On the HQ FGT, you have just one policy, allowing traffic from 'dial-in tunnel' to 'internal'.

The HQ FGT will create an ad-hoc route when the tunnel comes up - check that in Router > Monitor. It will use this route to direct the reply traffic back to the branch.

Check the network mask of this route: /32 denotes a host route only, /24 the whole branch subnet. This will determine which hosts the HQ FGT can reach.

For traffic originating in the HQ, you will at least need a policy 'internal' to 'dial-in tunnel', allowing ALL services for testing.
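For readers following this advice, here is a constructed FortiOS CLI sketch of the HQ side of a route-based site-to-site VPN: the static route that sends the branch subnet into the tunnel interface, the two policies (one per direction) the FGT needs before HQ-initiated pings can cross, and the checks to confirm the route and see the ICMP on the tunnel. It is added here and is not either poster's configuration; the interface name vpn_branch, the branch LAN 192.168.10.0/24 and the route/policy IDs are assumed placeholders.

```fortios
# Constructed example (HQ FortiGate). Assumed names: tunnel interface "vpn_branch",
# LAN interface "internal", branch LAN 192.168.10.0/24. Adjust to your own values.

# 1. Static route: the branch LAN is reached through the tunnel interface.
#    /24 covers the whole branch subnet; a /32 here would reach one host only.
config router static
    edit 5
        set dst 192.168.10.0 255.255.255.0
        set device "vpn_branch"
        set comment "Branch LAN via site-to-site VPN"
    next
end

# 2. Policies: one per direction. Without the internal -> vpn_branch policy,
#    HQ-initiated traffic is dropped even though branch-initiated traffic works.
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "vpn_branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "HQ -> Branch (ALL for testing; tighten later)"
    next
    edit 21
        set srcintf "vpn_branch"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "Branch -> HQ"
    next
end

# 3. Checks: confirm the route is installed, then watch ICMP on the tunnel
#    while pinging a branch host from an HQ machine.
get router info routing-table all
diagnose sniffer packet vpn_branch "icmp" 4
```

The same route and policy pair are needed on the branch FGT with the roles swapped (HQ subnet as the destination, tunnel interface as the device).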

isei_olivier
New Member
March 3, 2016

ede_pfau wrote:

hi,

and welcome to the forums.

I can only guess that you have created a dial-in VPN, with the 'hidden' branch FGT dialing in to the HQ.

On the branch FGT, you already have a static route to the HQ network, and a policy allowing 'internal' to 'tunnel'. On the HQ FGT, you have just one policy, allowing traffic from 'dial-in tunnel' to 'internal'.

The HQ FGT will create an ad-hoc route when the tunnel comes up - check that in Router > Monitor. It will use this route to direct the reply traffic back to the branch.

Check the network mask of this route: /32 denotes a host route only, /24 the whole branch subnet. This will determine which hosts the HQ FGT can reach.

For traffic originating in the HQ, you will at least need a policy 'internal' to 'dial-in tunnel', allowing ALL services for testing.

Hi thanks for the reply.

I've configured a static IP VPN.

I've set a static route on both Branch and HQ pointing to the remote local subnet.

I've configured policies for HQ to Branch and Branch to HQ on both sides.

I've used /24 as the network mask.

rwpatterson
New Member
March 3, 2016

The static routes need a lower distance than the default gateway distance.