Contributor
March 24, 2010
Question

Site to Site VPN - Tunnel showing up but no traffic passed

I've configured a site-to-site VPN using a Fortinet 60 and a Fortinet 50A. If I go to Firewall -> VPN -> Monitor on either of these devices, the tunnel shows as up. However, I can't ping between the subnets. I have of course configured a firewall policy to allow 192.168.x.0/24 traffic going to 192.168.y.0/24 to be sent on the link. Any suggestions on what I may be doing wrong? One of these devices is behind an ISP router, but I have configured the router to forward IKE and port 4500 (before doing this the tunnel wouldn't come up). Thanks in advance,

    3 replies

    rwpatterson
    New Member
    March 24, 2010
    Welcome to the forums. Is the tunnel configured in route mode (action ENCRYPT), or interface mode? If the latter, you need to make a static route for subnet 192.168.(x|y).0/24 down the appropriate interface (tunnel). If not done in interface mode, the FGT will attempt to pass the traffic back out via the default gateway (Internet) and it will fail. Hope that helps.
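The interface-mode setup described in this reply, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: it assumes an interface-mode phase1 already exists and is named "to_siteB", and uses 192.168.1.0/24 and 192.168.2.0/24 as constructed stand-ins for the 192.168.x.0/24 and 192.168.y.0/24 subnets.

```fortios
# Added example, not from the thread. Assumes an interface-mode (route-based)
# phase1 already exists and is named "to_siteB"; 192.168.1.0/24 stands in for
# the local 192.168.x.0/24 and 192.168.2.0/24 for the remote 192.168.y.0/24.
config firewall address
    edit "local_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Static route: without this, packets for 192.168.2.0/24 follow the default
# route out the WAN interface instead of entering the tunnel.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to_siteB"
    next
end

# Policies in both directions so pings (and replies) traverse the tunnel.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to_siteB"
        set srcaddr "local_lan"
        set dstaddr "remote_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to_siteB"
        set dstintf "internal"
        set srcaddr "remote_lan"
        set dstaddr "local_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Checks: the route should point at to_siteB and the sniffer should show the
# echo requests leaving through the tunnel interface, not the WAN.
get router info routing-table all
diagnose vpn tunnel list
diagnose sniffer packet any 'host 192.168.2.1 and icmp' 4
```

If the sniffer shows the echo requests going out the WAN interface rather than to_siteB, the static route is missing or a more specific route is winning.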
    Contributor
    March 24, 2010
    Thanks for the fast response. I'm not sure that I understand what you're referring to. Here is how I have my rule configured:
    Contributor
    March 24, 2010
    While configuring this I used the "Configuration example for Policy based Site-to-Site IPSec VPN - FortiGate to FortiGate in NAT mode" on kb.fortinet.com, found here: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30023&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=4589386&stateId=0%200%204587565 Is there any other way to do this?
    Contributor
    March 25, 2010
    Are you able to connect any device, or is the issue only with pinging? Because if it's a forwarded IKE from an ISP gateway, then you might need to permit the ICMP request for the IPsec connections.