waaalex
New Member
July 23, 2015
Question

[SOLVED] VPN site to site and ping

  • July 23, 2015
  • 7 replies
  • 41087 views

Hello all,

I've got a VPN site to site.

I have policies to reach another network; the VPN is up, everything seems to be OK and I can RDP to a remote PC.

But ping doesn't work.

 

In the debug, I see it only on the "start" router, nothing on the remote router. tracert shows me that the ping does not pass through IPsec...

 

tracert log:

id=20085 trace_id=91 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=17, 10.0.5.71:137->200.200.4.12:137) from port1. "
id=20085 trace_id=91 func=init_ip_session_common line=4517 msg="allocate a new session-005e8fd0"
id=20085 trace_id=91 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-XX.XX.XX.XX via wan1"
id=20085 trace_id=91 func=fw_forward_handler line=554 msg="Denied by forward policy check (policy 0)"

ping log:

id=20085 trace_id=122 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=1, 10.0.5.151:1->200.200.4.12:8) from port1. code=8, type=0, id=1, seq=539."
id=20085 trace_id=122 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-005eef10, original direction"
id=20085 trace_id=122 func=ipv4_fast_cb line=50 msg="enter fast path"
id=20085 trace_id=122 func=ip_session_run_all_tuple line=5489 msg="SNAT 10.0.5.151->XX.XX.XX.XX:62464"

 

I'm missing something, but what?

Thank you.
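The two debug-flow traces above end very differently: the UDP tracert probe hits "Denied by forward policy check (policy 0)" (the implicit deny), while the ICMP echo is picked up by an existing session and source-NATed to the WAN address. The following added example, which is not code from the thread, parses those lines per trace_id and reports the verdict; it also includes one constructed trace (trace_id 200, the tunnel interface name `to_vpn` and policy id 7 are all assumptions) showing what a packet routed into a route-based IPsec interface looks like by contrast.

```python
"""Classify FortiGate 'diagnose debug flow' traces by their final verdict.

Added example, not code from the thread. Traces 91 and 122 are copied from
the post; trace 200, the interface name 'to_vpn' and policy id 7 are
constructed for illustration.
"""
import re
from collections import defaultdict

SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=91 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=17, 10.0.5.71:137->200.200.4.12:137) from port1. "
id=20085 trace_id=91 func=init_ip_session_common line=4517 msg="allocate a new session-005e8fd0"
id=20085 trace_id=91 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-XX.XX.XX.XX via wan1"
id=20085 trace_id=91 func=fw_forward_handler line=554 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=122 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=1, 10.0.5.151:1->200.200.4.12:8) from port1. code=8, type=0, id=1, seq=539."
id=20085 trace_id=122 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-005eef10, original direction"
id=20085 trace_id=122 func=ipv4_fast_cb line=50 msg="enter fast path"
id=20085 trace_id=122 func=ip_session_run_all_tuple line=5489 msg="SNAT 10.0.5.151->XX.XX.XX.XX:62464"
id=20085 trace_id=200 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=1, 10.0.5.151:1->200.200.4.12:8) from port1. code=8, type=0, id=1, seq=540."
id=20085 trace_id=200 func=init_ip_session_common line=4517 msg="allocate a new session-005e9001"
id=20085 trace_id=200 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-0.0.0.0 via to_vpn"
id=20085 trace_id=200 func=fw_forward_handler line=554 msg="Allowed by Policy-7:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*gw-(\S+) via (\S+)')
SNAT_RE = re.compile(r'^SNAT ([\d.]+)->(\S+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
VPN_TUNNEL_IFACES = {"to_vpn"}   # assumed name of a route-based IPsec interface
WAN_IFACES = {"wan1", "wan2"}    # WAN interfaces named later in the thread


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id and extract the fields that decide the verdict."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue                                  # not a debug-flow line
        tid, func, msg = m.groups()
        t = traces[tid]
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                proto, src, _sport, dst, dport, ingress = p.groups()
                t.update(proto=PROTO_NAMES.get(int(proto), proto), src=src,
                         dst=dst, dport=int(dport), ingress=ingress)
        elif func == "vf_ip4_route_input":
            r = ROUTE_RE.search(msg)
            if r:
                t["gateway"], t["egress"] = r.groups()
        elif func == "resolve_ip_tuple_fast":
            t["existing_session"] = True              # fast path: no new route/policy lookup shown
        elif func == "ip_session_run_all_tuple":
            s = SNAT_RE.search(msg)
            if s:
                t["snat"] = s.group(2)                # translated source address:port
        elif func == "fw_forward_handler":
            d, a = DENY_RE.search(msg), ALLOW_RE.search(msg)
            if d:
                t["denied_policy"] = int(d.group(1))  # 0 is the implicit deny
            elif a:
                t["allowed_policy"] = int(a.group(1))
    return dict(traces)


def classify(t):
    """Return (verdict, reason) for one parsed trace."""
    if "denied_policy" in t:
        which = "implicit deny" if t["denied_policy"] == 0 else f"policy {t['denied_policy']}"
        return "denied", f"dropped by {which}; no policy matches this flow"
    if "snat" in t:
        return "snat", (f"source-NATed to {t['snat']}: a NAT policy matched, so the packet "
                        "leaves in the clear instead of entering IPsec")
    egress = t.get("egress")
    if egress in VPN_TUNNEL_IFACES:
        return "tunnel", f"routed into IPsec interface {egress}"
    if egress in WAN_IFACES:
        return "wan", f"routed to {egress} without NAT; a policy-based IPsec policy must match here"
    return "unknown", "no route or verdict line captured"


def classify_all(text):
    """Parse and classify every trace in a debug-flow capture."""
    out = {}
    for tid, t in parse_debug_flow(text).items():
        verdict, reason = classify(t)
        out[tid] = {**t, "verdict": verdict, "reason": reason}
    return out


if __name__ == "__main__":
    for tid, t in classify_all(SAMPLE_DEBUG_FLOW).items():
        print(f"trace {tid}: {t.get('proto')} {t.get('src')}->{t.get('dst')} "
              f"via {t.get('egress', '?')}: {t['verdict']} ({t['reason']})")
```

Run it against a capture from `diagnose debug flow` on the sending firewall: a trace that ends in "snat" for a destination that should be inside a phase 2 selector is the signature of the ordinary outbound NAT policy winning over the IPsec policy, which is exactly what trace 122 shows.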

    7 replies

    Paul_S
    New Member
    July 23, 2015

    Are you certain ICMP is allowed in the policy? If you have ALL in the policy, try adding TCP/UDP/ICMP and see what happens.

    waaalex (Author)
    New Member
    July 24, 2015

    Paul S wrote:

    Are you certain ICMP is allowed in the policy? If you have ALL in the policy, try adding TCP/UDP/ICMP and see what happens.

    Thank you for your answer.

     

    Yes, ICMP is allowed; I've allowed the PING service, which is ICMP type 8.

    I don't have a TCP/UDP/ICMP service, but I have TCP/UDP/SCTP.

     

    Note: the start router is a FortiGate 100D and the remote one is a 30D.

    Ping is OK for the other remote networks but not for the network I've just added.

    Chura
    New Member
    July 24, 2015

    Can you run diag sniffer packet on the remote site?

    If the debug above is from the sending FW, it's going out.

    waaalex (Author)
    New Member
    July 24, 2015

    Chura wrote:

    Can you run diag sniffer packet on the remote site?

    If the debug above is from the sending FW, it's going out.

    I ran this command but do not see any ICMP for the remote network.

    When I run a tracert, it does not go through the VPN; it goes out there and gets lost.

    I have retested RDP and it's working well.

    80/443 are also working.

    Chura
    New Member
    July 24, 2015

    tracert is being denied, so you won't see it go anywhere.

    Please run diag sniffer packet any 'icmp'

    You may be missing the ICMP because it's being NAT translated.

     

    P.S. Why do you NAT between VPN networks? It's not best practice.

    Unless it's a must due to network design, I highly recommend disabling this and adding the relevant routing.

    waaalex (Author)
    New Member
    July 24, 2015

    Chura wrote:

    tracert is being denied, so you won't see it go anywhere.

    Please run diag sniffer packet any 'icmp'

    You may be missing the ICMP because it's being NAT translated.

     

    P.S. Why do you NAT between VPN networks? It's not best practice.

    Unless it's a must due to network design, I highly recommend disabling this and adding the relevant routing.

    Thanks, I can see echo requests from the source router but nothing on the remote router.

     

    I did not configure NAT between the VPNs; it's our IT provider. Where can you see that NAT is configured?

    I'm not an expert with Fortinet ^^

    On all the other VPN networks it works. I will ask our provider why he has configured NAT on the VPN. I can't change it.

     

    Chura
    New Member
    July 24, 2015

    id=20085 trace_id=122 func=ip_session_run_all_tuple line=5489 msg="SNAT 10.0.5.151->XX.XX.XX.XX:62464"
    emnoc
    New Member
    July 24, 2015

    FWIW, if the pings and traceroute are from the VPN firewall itself, you may need to source them so that they use the IPsec tunnel.

     

    Use the following:

     

    execute ping-options source

     

    The pings are probably going out the public interface of the WAN and not over the IPsec path. If you used an IPsec tunnel interface (phase1-interface) then you can dump on the tunnel name in your diagnose sniffer packet <insert tunnel name> "icmp"

     

    to double check. I hope this helps.

     

    Ken

     

     

    waaalex (Author)
    New Member
    July 24, 2015

    emnoc wrote:

    FWIW, if the pings and traceroute are from the VPN firewall itself, you may need to source them so that they use the IPsec tunnel.

    Use the following:

    execute ping-options source

    The pings are probably going out the public interface of the WAN and not over the IPsec path. If you used an IPsec tunnel interface (phase1-interface) then you can dump on the tunnel name in your diagnose sniffer packet <insert tunnel name> "icmp"

    to double check. I hope this helps.

    Ken

     

    Hello,

    The command execute ping-options source did nothing.

    I have already run sniffer packet. On the source I can see the ICMP request; on the remote, nothing.

     

    And yes, when I do a tracert to see where the ping is going, it does not pass through the VPN... and RDP is OK... It's very strange.

    Note that I can ping machines on another network via the same VPN. I don't know if the problem comes from the policy or from the VPN.

    Paul_S
    New Member
    July 24, 2015

    Do you have a route set up in your source FortiGate?

    waaalex (Author)
    New Member
    July 27, 2015

    Paul S wrote:

    Do you have a route set up in your source FortiGate?

    Yes, I've got routes set up.

    wan2 is not used anymore.

     

     

    Destination    Netmask          Gateway          Interface  Comment
    0.0.0.0        0.0.0.0          DEFAULT GATEWAY  wan1       Default gateway PRI...
    10.0.0.0       255.255.255.0    10.0.X.X         port1
    10.0.8.0       255.255.255.0    10.0.X.X         port1
    10.0.14.0      255.255.254.0    10.0.X.X         port1
    10.0.98.0      255.255.255.0                     ssl.root
    0.0.0.0        0.0.0.0          10.0.X.X         wan2       Default gateway SEC...
    10.0.7.0       255.255.255.0    10.0.X.X         port1
    10.97.97.48    255.255.255.248                   VPN_XXX
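The route table above has no entry for the new 200.200.4.0/24 network, so a lookup for 200.200.4.12 can only land on the default route out wan1, which is what the earlier "find a route: ... via wan1" debug line reported. The following added example, not code from the thread, performs that longest-prefix-match lookup over the posted table. The gateways masked as 10.0.X.X in the post are replaced by placeholder addresses, and the administrative distances (10 for the wan1 default, 20 for the secondary wan2 default) are assumptions; neither appears in the post.

```python
"""Longest-prefix-match lookup over the static route table posted above.

Added example, not code from the thread. Masked gateways and all distances
are placeholders chosen for illustration.
"""
import ipaddress

# Transcribed from the posted table: destination, netmask, gateway, interface,
# distance. A None gateway is an interface route (ssl.root, VPN_XXX).
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",         "203.0.113.1", "wan1",     10),  # Default gateway PRI
    ("10.0.0.0",    "255.255.255.0",   "10.0.0.254",  "port1",    10),
    ("10.0.8.0",    "255.255.255.0",   "10.0.0.254",  "port1",    10),
    ("10.0.14.0",   "255.255.254.0",   "10.0.0.254",  "port1",    10),
    ("10.0.98.0",   "255.255.255.0",   None,          "ssl.root", 10),
    ("0.0.0.0",     "0.0.0.0",         "10.0.0.253",  "wan2",     20),  # Default gateway SEC (unused)
    ("10.0.7.0",    "255.255.255.0",   "10.0.0.254",  "port1",    10),
    ("10.97.97.48", "255.255.255.248", None,          "VPN_XXX",  10),
]


def lookup(dst, routes=ROUTES):
    """Return the winning route for dst: longest prefix first, then lowest distance."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gateway, iface, distance in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr not in net:
            continue
        rank = (net.prefixlen, -distance)     # higher rank wins
        if best is None or rank > best[0]:
            best = (rank, {"network": str(net), "gateway": gateway,
                           "interface": iface, "distance": distance})
    return best[1] if best else None


def vpn_destinations_via_wan(destinations, routes=ROUTES, wan_ifaces=("wan1", "wan2")):
    """List VPN destinations whose lookup ends on a WAN interface.

    For a route-based (interface mode) tunnel this means a route to the tunnel
    interface is missing. For a policy-based (tunnel mode) tunnel, as in this
    thread, egress via wan1 is expected and the IPsec policy must then match
    before any NAT-enabled policy does.
    """
    return [d for d in destinations
            if (lookup(d, routes) or {}).get("interface") in wan_ifaces]


if __name__ == "__main__":
    for host in ("200.200.4.12", "10.0.15.7", "10.97.97.50", "10.0.98.20"):
        print(host, "->", lookup(host))
    print("via WAN:", vpn_destinations_via_wan(["200.200.4.12", "10.97.97.50"]))
```

Feeding the phase 2 remote selectors into `vpn_destinations_via_wan` is a quick way to see which remote networks depend on the policy order rather than on a route.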

    Sylvia
    Explorer
    July 28, 2015

    tracert is denied because there is no matching policy for it (you are using UDP tracert).

     

    ping: here I assume that you are using the wrong policy.

    Did you configure an interface-based or policy-based VPN?

    Additionally, the ping might be stuck in an old session on the FortiGate. Please stop the ping, wait 30 seconds, then try again (alternatively you can kill the session on the FortiGate).

    waaalex (Author)
    New Member
    July 30, 2015

    Sylvia wrote:

    tracert is denied because there is no matching policy for it (you are using UDP tracert).

    ping: here I assume that you are using the wrong policy.

    Did you configure an interface-based or policy-based VPN?

    Additionally, the ping might be stuck in an old session on the FortiGate. Please stop the ping, wait 30 seconds, then try again (alternatively you can kill the session on the FortiGate).

    Hello.

    The VPN is a tunnel-mode VPN.

    I may have a clue:

          There was already a site-to-site VPN, but not all networks were accessible.

          It works for all networks but not for the new one (200.200.4.0).

          This network is a routed network on the Internet. My provider suggested that I do 1-to-1 NAT and hide 200.200.4.0 behind 192.168.200.0, for example.

     

    Is this clue OK?

    I will test and let you know if it's OK.

     

    Thank you very much for help.

    Sylvia
    Explorer
    July 30, 2015

    OK, once again, to make sure that we understand your situation:

    - you had one VPN tunnel in tunnel mode

    - this VPN was working well and you could access the remote network without problems

    - now you added another remote network to this VPN - is this correct?

    - here RDP is working but not ICMP?

     

    How did you add the new remote network? By adding selectors in phase 2 and adding this network to the appropriate firewall policies?

     

    I do not think that the PUBLIC network is the problem...

     

    Please send more information (network map, phase 2 configuration, FW policies, etc.). Otherwise it is pretty difficult to help.

     

    (And by the way, is there a reason you use tunnel mode????)

     

    Sylvia