Cleyton_Agenil_da_Si
New Member
November 11, 2020
Solved

VPN site to site between Fortigate

  • November 11, 2020
  • 1 reply
  • 5029 views

Dear all, I have the following problem. I configured a site-to-site VPN connection between two FortiGates, HQ FG 80E and Branch 60E. The VPN works perfectly, and machines on both sides communicate successfully. However, the FortiGate boxes themselves do not respond to ping in CLI mode; I run the command on both boxes with "execute ping + ip".

It shows the message:

BRANCH # execute ping 192.168.254.99 <- IP of HQ FG 80E
PING 192.168.254.99 (192.168.254.99): 56 data bytes

--- 192.168.254.99 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

HQ # execute ping 192.168.247.99 <- IP of BRANCH FG 60E
PING 192.168.247.99 (192.168.247.99): 56 data bytes

--- 192.168.247.99 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Thanks for the help

    Best answer by emnoc

    1 reply

    emnoc
    Answer
    New Member
    November 12, 2020

    Hello

    How are you?

    Sorry, my Portuguese is bad.

    Silvia, you need to enable ping access on the interface, in the GUI or via the CLI,

    for example:

    config sys interface
        edit lan
            set allowaccess ssh https ping
    end

    Can you check and add ping?

    Ken Felix

    Cleyton_Agenil_da_Si
    New Member
    November 12, 2020

    Hello Ken Felix

    Thanks for your tip, but your suggestion will not work, as I am pinging between two FortiGates connected with VPN. That is, I am pinging from gateway to gateway. For example:

    HQ IP WAN 200.189.180.157/28
    Tunnel HQ 0.0.0.0/0.0.00
    LAN 192.168.254.99/24 allowaccess ssh https ping

    HQ# execute ping 192.168.247.99 FG BRANCH
    PING 192.168.247.99 (192.168.247.99): 56 data bytes

    --- 192.168.247.99 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    ----------------------------------------------------------------

    BRANCH WAN 179.178.158.144/28
    TUNNEL BRANCH 0.0.0.0/0.0.0.0
    LAN 192.168.247.99/24 allowaccess ssh https ping

    BRANCH# execute ping 192.168.254.99
    PING 192.168.247.99 (192.168.254.99): 56 data bytes

    --- 192.168.254.99 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    emnoc
    New Member
    November 12, 2020

    Okay, that is easy, do a diag sniffer packet any "host 192.168.247.99 and icmp" 4

    What interface do you see the pings going out of when you do the ping from HQ? What source address? It's probably the WAN. If you have ipsec-interfaces IP address, and maybe if you source from the LAN address, the traffic might or should go out of the ipsec interface. Do the above and paste the output of the sniffer here for analysis.

     

    Ken Felix
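
An added example, not part of the thread: one way to read the sniffer output requested above, reporting for each outgoing echo request which interface it left on and which source address it carried. The sample output is constructed, and the interface names `wan1` and `to-branch` are assumptions; only the IP addresses come from the posts.

```python
import ipaddress
import re

# Constructed sample of `diag sniffer packet any "host 192.168.247.99 and icmp" 4`
# as it might look on HQ. Interface names wan1 / to-branch are assumptions.
# The last two lines illustrate a ping sourced from the LAN address.
SAMPLE = """\
interfaces=[any]
filters=[host 192.168.247.99 and icmp]
2.101114 wan1 out 200.189.180.157 -> 192.168.247.99: icmp: echo request
3.101377 wan1 out 200.189.180.157 -> 192.168.247.99: icmp: echo request
9.400120 to-branch out 192.168.254.99 -> 192.168.247.99: icmp: echo request
9.412908 to-branch in 192.168.247.99 -> 192.168.254.99: icmp: echo reply
"""

# Verbosity 4 prints: timestamp, interface, direction, src -> dst, protocol info.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"icmp:\s+(?P<kind>echo (?:request|reply))"
)

def parse(text):
    """Return one dict per ICMP echo line; header lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def diagnose(text, tunnel_iface, local_lan):
    """Classify each outgoing echo request by egress interface and source."""
    lan = ipaddress.ip_network(local_lan)
    findings = []
    for pkt in parse(text):
        if pkt["dir"] != "out" or pkt["kind"] != "echo request":
            continue
        via_tunnel = pkt["iface"] == tunnel_iface
        src_in_lan = ipaddress.ip_address(pkt["src"]) in lan
        if via_tunnel and src_in_lan:
            verdict = "ok"
        elif not via_tunnel:
            verdict = "leaves outside the tunnel"
        else:
            verdict = "in tunnel, source not in local LAN"
        findings.append((pkt["iface"], pkt["src"], verdict))
    return findings

if __name__ == "__main__":
    for iface, src, verdict in diagnose(SAMPLE, "to-branch", "192.168.254.0/24"):
        print(f"{iface:10} src={src:16} {verdict}")
```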