FeM_User
New Member
April 14, 2020
Question

Strange behavior for a dial-up VPN: unable to ping from one side, but the other side is OK (in part)


Hi forum.

I do not have much experience with Fortigate VPN, but I have searched the forum and did not find the answer to my question, since my setup is very unusual.

I needed to connect two offices via two identical Fortigate 30Es. Due to the company's internal policies, HQ_1 uses the Fortigate as router and firewall, with its WAN directly connected to the public IP address, while HQ_2 uses a proprietary router and its Fortigate 30E WAN is connected to one LAN port of the router, in the internal subnet.

Inside the proprietary router I have forwarded ports 4500 and 500, pointed at the Fortigate.

I have drawn the configuration in order to explain my case better.

In order to set up a VPN between the two offices, I have followed the good guide and the different threads I found in this forum, and the VPN is up.

However, the following problems occur:

From the CLI of Fortigate HQ_2 (the one behind the NAT) I can ping and see:

the Fortigate of HQ_1;

all devices in the subnet of Office 1.

From the CMD line of any device inside the subnet of HQ_2 (the one behind the NAT) I cannot ping or see devices in the subnet of Office 1.

And

from the CLI of Fortigate HQ_1 I cannot ping FortigateRouter2, the local IP address of the proprietary router, or any device in the subnet of Office 2.

    but:

from the CMD of any device inside the subnet of HQ_1 (the one behind the NAT) I can successfully ping FortigateRouter2, but cannot ping any device in the subnet of Office 2.

So the question is:

Does such a configuration present some major error?

Can anyone help to explain this?

Best regards, and thank you all

Steve

    2 replies

    Toshi_Esumi
    SuperUser
    April 14, 2020

    It's about the 3rd-party router, more than about the FG30E, at HQ.2. Your set-up is "VPN FW on a stick". If LAN1 and LAN2 on the router are just switch ports with one interface IP like .254, it would probably work with the default GW pointing to .253 at all devices, including PC1 in the diagram. Otherwise, the router needs to have a static route for 192.168.3.0/24 toward .253.

    But what I really recommend is putting the 30E at HQ.2 in-line between the router and all devices, by assigning a /30 subnet between the router and the 30E. It would make all troubleshooting much easier.

    FeM_User (Author)
    New Member
    April 14, 2020

    Thank you very much, Toshi Esumi, for your quick reply.

    When you say "Otherwise, the router needs to have a static route for 192.168.3.0/24 toward .253", you mean the 3rd-party router, obviously, right? I think yes, but I need confirmation.

    So all the local subnet traffic (also non-VPN) should first pass via the Fortigate, right?

    Sadly, putting it in-line is not permitted by the IT manager of the company.

    Thank you again.

    Regards

    Toshi_Esumi
    SuperUser
    April 14, 2020

    Yes. The bottom line is that packets destined to 192.168.3.0/24 at HQ.2 need to hit the 30E to get into the tunnel. So either by the default gateway at each device, or by a static route at the router, if that's the default GW.
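The two replies above come down to one routing question: which next hop do hosts at HQ.2 use for 192.168.3.0/24? The toy routing simulation below, an added example written for this page and not code from either poster, walks a packet hop by hop through the "VPN FW on a stick" layout and reproduces the symptoms in the original post (HQ.2 PCs cannot reach Office 1; HQ.1 PCs reach the 30E but not the PCs behind it), then shows both fixes Toshi_Esumi lists: a static route on the third-party router, or pointing the PCs' default gateway at the 30E. Every address is an assumption, since the diagram is not on the page: HQ.1 LAN 192.168.3.0/24 with the FortiGate at .1, HQ.2 LAN 192.168.2.0/24 with the router at .254, the 30E's WAN at .253 and PC1 at .10.

```python
"""Toy routing simulation of the "VPN FW on a stick" layout from the thread.

Added example, not code from the thread. All addresses are assumed (the
original diagram is not on the page):
  HQ_1 LAN 192.168.3.0/24: FortiGate HQ_1 = .1 (PCs' default gateway), PC = .10
  HQ_2 LAN 192.168.2.0/24: third-party router = .254 (PCs' default gateway),
                           FortiGate HQ_2 WAN = .253 (on a router LAN port), PC1 = .10
"""
import ipaddress
from dataclasses import dataclass

DIRECT = "direct"      # destination is on a directly connected subnet
TUNNEL = "tunnel"      # hand the packet to the IPsec peer
INTERNET = "internet"  # default route toward the ISP; private destinations are lost there


@dataclass
class Node:
    name: str
    addrs: list       # interface IPs owned by this node
    routes: list      # (prefix, next_hop); next_hop is an IP string or DIRECT/TUNNEL/INTERNET
    peer: str = None  # name of the IPsec peer (FortiGates only)

    def __post_init__(self):
        self.addrs = [ipaddress.ip_address(a) for a in self.addrs]

    def owns(self, ip):
        return ip in self.addrs

    def lookup(self, dst):
        """Longest-prefix match over this node's routing table."""
        best = None
        for prefix, next_hop in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]


def build_topology(router_static_route=False, pc_gateway="192.168.2.254"):
    """Assumed layout. router_static_route=True adds 192.168.3.0/24 via .253 on the
    third-party router; pc_gateway=".253" points the HQ_2 PCs at the FortiGate instead."""
    router_routes = [("192.168.2.0/24", DIRECT), ("0.0.0.0/0", INTERNET)]
    if router_static_route:
        router_routes.insert(0, ("192.168.3.0/24", "192.168.2.253"))
    nodes = [
        Node("PC_HQ2", ["192.168.2.10"],
             [("192.168.2.0/24", DIRECT), ("0.0.0.0/0", pc_gateway)]),
        Node("Router_HQ2", ["192.168.2.254"], router_routes),
        Node("FG_HQ2", ["192.168.2.253"],
             [("192.168.2.0/24", DIRECT), ("192.168.3.0/24", TUNNEL),
              ("0.0.0.0/0", "192.168.2.254")], peer="FG_HQ1"),
        Node("FG_HQ1", ["192.168.3.1"],
             [("192.168.3.0/24", DIRECT), ("192.168.2.0/24", TUNNEL),
              ("0.0.0.0/0", INTERNET)], peer="FG_HQ2"),
        Node("PC_HQ1", ["192.168.3.10"],
             [("192.168.3.0/24", DIRECT), ("0.0.0.0/0", "192.168.3.1")]),
    ]
    return {n.name: n for n in nodes}


def owner_of(topology, ip):
    return next((n for n in topology.values() if n.owns(ip)), None)


def trace(topology, src, dst, max_hops=10):
    """Follow one packet hop by hop; returns (path, delivered)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node = owner_of(topology, src)
    path = [node.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return path, True
        next_hop = node.lookup(dst)
        if next_hop is None or next_hop == INTERNET:
            path.append("ISP (no route back to the private subnet)")
            return path, False
        if next_hop == TUNNEL:
            node = topology[node.peer]
        elif next_hop == DIRECT:
            node = owner_of(topology, dst)
            if node is None:
                path.append("no such host")
                return path, False
        else:
            node = owner_of(topology, ipaddress.ip_address(next_hop))
        path.append(node.name)
    return path, False


def ping(topology, src, dst):
    """An echo succeeds only if both the request and the reply can be routed."""
    fwd, fwd_ok = trace(topology, src, dst)
    rev, rev_ok = trace(topology, dst, src)
    return fwd_ok and rev_ok, fwd, rev


if __name__ == "__main__":
    variants = [("as posted", build_topology()),
                ("static route on router", build_topology(router_static_route=True)),
                ("PC default GW = .253", build_topology(pc_gateway="192.168.2.253"))]
    for label, topo in variants:
        print(f"--- {label} ---")
        for src, dst in [("192.168.2.10", "192.168.3.10"), ("192.168.3.10", "192.168.2.253"),
                         ("192.168.3.10", "192.168.2.10")]:
            ok, fwd, rev = ping(topo, src, dst)
            print(f"{src} -> {dst}: {'OK' if ok else 'FAIL'} fwd={fwd} rev={rev}")
```

Running the "as posted" variant shows the asymmetry the original post describes: a request from 192.168.3.10 to PC1 is delivered (FG_HQ1, tunnel, FG_HQ2, then directly onto the LAN), but PC1's reply goes to its default gateway .254, which has no route for 192.168.3.0/24 and sends it toward the ISP. Either fix makes the HQ.2 PCs choose .253 as the next hop for 192.168.3.0/24; the static-route option hairpins that traffic through the router's LAN interface, which is what "VPN FW on a stick" means, whereas changing the PCs' default gateway sends all of their traffic, VPN and non-VPN, through the 30E first.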