ITadm
New Member
September 4, 2018
Question

[SOLVED] IPsec VPN tunnel between Watchguard and Fortigate is UP/traffic one way


Hello,

I am struggling with a site-to-site VPN tunnel between 2 locations. I use a Watchguard Firebox XM200 and a Fortigate 30E. It looks like this:

WatchGuard 192.168.0.1 (or 1.1) ----------> net ------------> Fortigate 30E 10.113.14.1

Traffic only goes from 192.168.0.1 to 10.113.14.1; the opposite side doesn't work at all, I cannot even ping anything. A better explanation is below:

Here is the setup from FGT:

And here is Watchguard:

BOVPN Gateway Settings: T
  Tunnels: T
  IKE Version: IKEv1
  Credential Method: Pre-shared Key
  Endpoints
    Endpoint 1
      Local Interface: WAN-FC_
      Local ID: 77. (IP Address)
      Remote IP Address: 91.
      Remote ID: 91. (Domain Name) (when set as IP address it gives an ID error)
  Phase 1 Settings
    Mode: Main
    NAT Traversal: Disabled
    IKE Keep-alive: Disabled
    Dead Peer Detection: Enabled (20 second timeout, 5 max retries)
    Auto Start: Yes
    Transforms
      Transform 1
        Authentication: MD5
        Encryption: DES
        SA Life: 24 hours
        Key Group: Diffie-Hellman Group 5

BOVPN Tunnel Settings: T
  BOVPN Gateway: T
  Tunnel Routes
    Route 1: Local: Any, Remote: 10.113.14.0/24, Direction: bi-directional, Allow Broadcast: No
    Route 2: Local: Any, Remote: 10.10.6.0/26, Direction: bi-directional, Allow Broadcast: No
    Route 3: Local: Any, Remote: 10.10.6.128/28, Direction: bi-directional, Allow Broadcast: No
  Phase 2 Settings
    Perfect Forward Secrecy: Enabled (Diffie-Hellman Group 14)
    IPSec Proposals
      Proposal 1
        Name: ESP-DES-MD5
        Type: ESP
        Authentication: MD5
        Encryption: DES
        Key Expiration: 8 hours
  Multicast Settings
    Multicast over tunnel: Disabled
    Origination IP:
    Group IP:
    Send multicast traffic on:
    Receive multicast traffic on:
  Helper Addresses
    Local IP:
    Remote IP:

And of course an Any policy on the firewall on both sides (allow.in & allow.out).

Here is how it works: there are no VPN tunnel errors, the tunnels are up, I have full access from Watchguard to Fortigate, all ports and protocols, but from the other side I can't even ping 192.168.0.1 or 192.168.1.1. In Fortiview I can see that packets go to the RA tunnel, but I cannot see anything coming in on Watchguard's Traffic Monitor.

I desperately need help!

1 reply

Ashik_Sheik
New Member
September 4, 2018

Hi

Configuration looks fine, try to define the remote subnet in Phase 2 and check.

Regds,
Ashik
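As an added example (not code from the thread or from either vendor), the check below tests what this reply is asking for: whether the Phase 2 traffic selectors on the two peers mirror each other. In IKEv1 quick mode the (local, remote) pair one peer proposes must be the (remote, local) pair the other peer has configured; a WatchGuard tunnel route with "Local: Any" proposes 0.0.0.0/0, which no specific subnet on the FortiGate can mirror. The WatchGuard routes are taken from the posted configuration; the FortiGate selectors are an assumption (constructed from the later reply's "defined it as 192.168.0.0/24", since the screenshots are not on the page). The same script also flags the DES/MD5/DH group 5 proposals in the posted config, which is a separate point from the traffic problem but one a practitioner would not leave unmentioned.

```python
"""Phase 2 selector mirroring check plus a weak-algorithm scan for an
IPsec site-to-site tunnel.  Added example; the FortiGate side is assumed
(constructed from the thread, not from a screenshot)."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network


def parse_net(text: str) -> IPv4Network:
    """WatchGuard prints 'Any' for 0.0.0.0/0; everything else is CIDR."""
    if text.strip().lower() == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(text, strict=False)


@dataclass(frozen=True)
class Selector:
    """One Phase 2 (quick mode) traffic selector as one peer sees it."""
    local: IPv4Network
    remote: IPv4Network

    def mirrors(self, other: "Selector") -> bool:
        # Peer A's local must be peer B's remote and vice versa.
        return self.local == other.remote and self.remote == other.local


def selectors(pairs):
    return [Selector(parse_net(local), parse_net(remote)) for local, remote in pairs]


def find_mismatches(side_a, side_b):
    """Return (a_only, b_only): selectors with no mirrored counterpart on
    the other peer.  Any entry here means one direction of traffic has no
    matching SA to travel in."""
    a_only = [s for s in side_a if not any(s.mirrors(t) for t in side_b)]
    b_only = [t for t in side_b if not any(t.mirrors(s) for s in side_a)]
    return a_only, b_only


# Legacy/deprecated choices that show up in the posted configuration.
WEAK_ENC = {"DES", "3DES"}
WEAK_AUTH = {"MD5", "SHA1"}
MIN_DH_GROUP = 14


def weak_algorithm_warnings(enc: str, auth: str, dh_group: int):
    warnings = []
    if enc.upper() in WEAK_ENC:
        warnings.append(f"encryption {enc} is deprecated; use AES-256 or AES-GCM")
    if auth.upper() in WEAK_AUTH:
        warnings.append(f"integrity {auth} is legacy; use SHA-256 or better")
    if dh_group < MIN_DH_GROUP:
        warnings.append(f"DH group {dh_group} is below group {MIN_DH_GROUP}")
    return warnings


# WatchGuard tunnel routes exactly as posted ("Local: Any").
WATCHGUARD = selectors([("Any", "10.113.14.0/24"),
                        ("Any", "10.10.6.0/26"),
                        ("Any", "10.10.6.128/28")])
# Assumed FortiGate Phase 2 selector (constructed for this example).
FORTIGATE = selectors([("10.113.14.0/24", "192.168.0.0/24")])
# WatchGuard after narrowing Local to the actual LAN subnet.
WATCHGUARD_FIXED = selectors([("192.168.0.0/24", "10.113.14.0/24"),
                              ("192.168.0.0/24", "10.10.6.0/26"),
                              ("192.168.0.0/24", "10.10.6.128/28")])


if __name__ == "__main__":
    for label, wg in (("as posted", WATCHGUARD), ("after fix", WATCHGUARD_FIXED)):
        a_only, b_only = find_mismatches(wg, FORTIGATE)
        print(f"== WatchGuard {label} ==")
        for s in a_only:
            print(f"  WatchGuard {s.local} -> {s.remote} has no mirrored FortiGate selector")
        for s in b_only:
            print(f"  FortiGate {s.local} -> {s.remote} has no mirrored WatchGuard selector")
    for w in weak_algorithm_warnings("DES", "MD5", 5):
        print("Phase 1:", w)
```

Run as posted, every WatchGuard route is reported as unmatched because "Any" is 0.0.0.0/0, not 192.168.0.0/24; after narrowing Local to 192.168.0.0/24 only the two 10.10.6.x routes remain unmatched, which is exactly what the FortiGate side would still need a selector for. The check is vendor neutral: feed it any two peers' Phase 2 local/remote lists.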

 

 

 

 

ITadm (Author)
New Member
September 4, 2018

Thanks for the quick reply! I've just defined it as 192.168.0.0/24; the tunnel is up, but there is still no traffic from one side:

Pinging 10.113.14.150 from 192.168.0.40 and from the opposite side:

In addition:

The destination interface is the RA_DC tunnel interface, so this one looks fine, but there is no trace of these packets in WatchGuard's Traffic Monitor (logging is on for both the in and out firewall policies).

Ashik_Sheik
New Member
September 5, 2018

Traffic not going through could be an issue with static routes or policies. Just make sure the static route on each side, with the destination pointing to the tunnel, is correct, as well as the policies on both sides.

Regds,
Ashik