Westcana
New Member
November 7, 2019
Question

Unable to Ping fortigate across ipsec tunnel


I have an IPSec tunnel established between two Fortigate 50e's. One is at our head office and the other at a branch site. The tunnel has been up for several weeks and traffic crosses the tunnel fine. Clients on one side are able to ping clients on the other network, or the firewall on the other side without issue. 

I discovered that, from one of the firewalls, I can't ping the firewall on the other side. In fact, I can't ping any device on the other network. Clients on either side can ping the other side without issue.

I'm thinking this has to be a routing issue. However, I would think that the route that successfully moves traffic from the local network across the VPN tunnel to the other side would apply to the FortiGate itself as well as to devices on the connected networks.

Any suggestions?

Thanks everyone!



    Toshi_Esumi
    SuperUser
    November 7, 2019

    It's about the source IP when you ping from the FGT, and whether your settings (phase2 selectors, routes, policies) on both sides are proper to allow the ping request and reply packets in both directions.

    By default, ping packets from an FGT over a VPN pick up the VPN interface IP you configured. If you're not sure what you configured, check it with the CLI below:

      # show system interface "PHASE1_NAME"
      config system interface
          edit "PHASE1_NAME"
              set vdom "root"
              set ip X.X.X.X 255.255.255.255
              set allowaccess ping https ssh snmp
              set type tunnel
              set remote-ip Y.Y.Y.Y 255.255.255.255
              set snmp-index ZZ
              set interface "INTERFACE_NAME"
          next
      end

    The source IP for your pinging is X.X.X.X. You need to set the tunnel environment properly to let it go/come through the tunnel.

    Alternatively, you can always specify the ping source IP with:

      # execute ping-options source "LAN_INTERFACE_IP"

    That way you can ping from the user subnet, which is working.

    Westcana (Author)
    New Member
    November 7, 2019

    So currently the IP is showing as 0.0.0.0 255.255.255.255.

    Do I change that to the IP address of the lan interface (192.168.60.1)?

    If I make that change, will that affect all communication from the fortigate across the tunnel?


    The reason this comes up is because I'm trying to get the DNS service running on the branch office to slave to the active directory dns server at the head office. It appears that the fortigate at the remote office can't reach the dns server on the head office network.

    Toshi_Esumi
    SuperUser
    November 7, 2019

    I would do that kind of change in a maintenance window, because the remote-IP changes on the other end as well. You need to change the set (local IP and remote-IP) on both ends at the same time.

    As a best practice, don't use any IP in existing subnets. Pick a /30 subnet in the RFC 1918 range that doesn't exist on either side. Let's say 10.10.10.0/30. Then assign 10.10.10.1 on one end and 10.10.10.2 on the other end. When you configure it on the tunnel interface, as you saw already, the subnet mask is supposed to be 255.255.255.255. Then you need to adjust the IPsec environment to allow it to reach the destination (DNS server) subnet.
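A worked configuration for the /30 tunnel addressing described in the reply above, added here as an example; it is not taken from the thread or from Fortinet documentation. It assumes phase1 names "HQ" (on the branch unit) and "BRANCH" (on the head office unit), a head office LAN of 192.168.10.0/24 on interface "internal" with the AD DNS server at 192.168.10.5, and that the existing LAN-to-LAN phase2 selectors, routes and policies already work as the original post says; only the additions that let the branch FortiGate's own tunnel IP reach the DNS server are shown.

```fortios
# --- Branch FortiGate (phase1 "HQ", assumed); remote LAN 192.168.10.0/24 assumed ---
config system interface
    edit "HQ"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
    next
end
# Selector for the unit's own tunnel IP; without it, locally generated ping/DNS matches no SA.
config vpn ipsec phase2-interface
    edit "HQ-self-to-hq-lan"
        set phase1name "HQ"
        set src-subnet 10.10.10.2 255.255.255.255
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
# --- Head office FortiGate (phase1 "BRANCH", LAN interface "internal", DNS 192.168.10.5: all assumed) ---
config system interface
    edit "BRANCH"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
    next
end
config vpn ipsec phase2-interface
    edit "BRANCH-hq-lan-to-self"
        set phase1name "BRANCH"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.10.10.2 255.255.255.255
    next
end
# Inbound policy scoped to the branch unit's tunnel IP, the DNS server and the DNS service only.
config firewall address
    edit "BRANCH-FGT-TUNNEL-IP"
        set subnet 10.10.10.2 255.255.255.255
    next
    edit "HQ-DNS-SERVER"
        set subnet 192.168.10.5 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "branch-fgt-dns"
        set srcintf "BRANCH"
        set dstintf "internal"
        set srcaddr "BRANCH-FGT-TUNNEL-IP"
        set dstaddr "HQ-DNS-SERVER"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end
```

After both ends are changed in the same window, `execute ping 192.168.10.5` from the branch unit should now source from 10.10.10.2 without needing `execute ping-options source`. On the head office unit, `diagnose sniffer packet any "host 10.10.10.2" 4` shows whether the requests arrive on "BRANCH" and the replies leave through it.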