CliffPaj
New Member
October 31, 2017
Question

VPN - Unable to Ping Remote Gateway IP once VPN is established

  • October 31, 2017
  • 1 reply
  • 18234 views

Hi Guys,

 

First of all, I am not sure if this was raised already, but I just need some clarification about the routing on a route-based IPsec VPN.

The scenario: I was building a route-based site-to-site IPsec tunnel between a FortiGate and a Cisco router.

I was able to bring the tunnel up, dynamic routing is working and hosts from both ends are able to reach each other.

 

However, I noticed that once the VPN is established, the FortiGate can no longer ping Cisco's public IP.

It seems the route to Cisco's public address is being redirected to the VPN tunnel interface instead of staying on the default route via the WAN interface.

====================================

FGT# get router info routing-table details 114.8.24.6
Routing entry for 114.8.24.6/32
  Known via "connected", distance 0, metric 0, best
  * is directly connected, vpn_tunnel2

====================================

 

Is there a way or a tweak to still let the FortiGate ping its VPN peer IP even when the VPN is established?

 

 

 

Thanks,

Cliff


    Toshi_Esumi
    SuperUser
    October 31, 2017

    Are you using the tunnel interface IP on the FortiGate, not the public IP, as the peer/neighbor IP for your routing protocol? Regularly, a problem like this is on the Cisco side's access-list, because it requires an explicit deny statement to keep the traffic from going into the tunnel.

    CliffPaj (Author)
    New Member
    November 1, 2017

    Hi Toshi,

     

    Thank you for the reply.

    There is no access list on the Cisco side; we noticed this on all the VPN tunnels we have.

    Our hub is Cisco, and all FortiGates that have VPN tunnels to it show the same result.

    This is unlike some of our sites that have Cisco-to-Cisco route-based (GRE/IPsec) tunnels, where we can still ping both ends' public IPs even when the tunnel is established.

     

    So my colleague's question to me is: why does the FortiGate put a static route to the peer's IP address pointing to the VPN tunnel once the tunnel is established?

     

     

    Thanks,

    Cliff

     

     

     

     

    ede_pfau
    SuperUser
    November 1, 2017

    Does the remote IP address fall into the phase2 Quick Mode selectors?
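Added example (not from the thread, and not Fortinet's or Cisco's own documentation) showing where the connected /32 route in the question normally comes from and how to keep the peer's public address on the WAN route. FortiOS installs a connected route, distance 0, for whatever address is configured as `remote-ip` on an IPsec tunnel interface; that is exactly the "Known via connected ... directly connected, vpn_tunnel2" entry posted above. If `remote-ip` is the peer's public address, every packet to that address (pings included) is routed into the tunnel and is only carried if the phase 2 selectors cover it, which is what the last reply is asking about. The tunnel itself stays up because IKE and ESP are sent from the phase 1 interface, not through the tunnel route. Numbering the tunnel from a private range, the way a Cisco VTI or GRE tunnel keeps the public address in `tunnel destination` and a separate private `ip address` on the tunnel, and peering the routing protocol on those private addresses, leaves the public address on the WAN default route, which is why the Cisco-to-Cisco sites in the thread behave differently. Everything except the tunnel name `vpn_tunnel2` and the peer address 114.8.24.6 is assumed: the WAN interface name `wan1`, the 203.0.113.10 WAN address, the 10.255.255.1/10.255.255.2 tunnel addresses, the AS numbers 65001/65002, and that BGP is the routing protocol. The netmask argument to `set remote-ip` depends on the FortiOS release (5.6 and later take one; older releases take only the address). The `#` lines are annotations, not FortiOS CLI input; strip them before pasting.

```text
# Added example, not from the thread. Assumed: WAN interface "wan1",
# own WAN address 203.0.113.10, tunnel addresses 10.255.255.1/2,
# AS numbers 65001/65002, BGP as the routing protocol.
# "vpn_tunnel2" and 114.8.24.6 are the names from the question.

# The peer's public address belongs in phase 1 only (remote-gw).
config vpn ipsec phase1-interface
    edit "vpn_tunnel2"
        set interface "wan1"
        set remote-gw 114.8.24.6
    next
end

# --- Pattern that produces the route shown in the question ---------------
# remote-ip set to the peer's public address. FortiOS installs
# "114.8.24.6/32 connected via vpn_tunnel2" with distance 0, which wins over
# the wan1 default route for all traffic to the peer except IKE/ESP itself.
config system interface
    edit "vpn_tunnel2"
        set ip 203.0.113.10 255.255.255.255
        set remote-ip 114.8.24.6 255.255.255.255
    next
end

# --- Corrected: number the tunnel from a private range -------------------
# Only 10.255.255.2/32 is now installed as a connected route via the tunnel;
# 114.8.24.6 falls back to the default route on wan1.
config system interface
    edit "vpn_tunnel2"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# Peer the routing protocol on the tunnel addresses, not the public ones.
config router bgp
    set as 65001
    config neighbor
        edit "10.255.255.2"
            set remote-as 65002
        next
    end
end

# Verify: the peer's public address should now resolve via the wan1 default
# route, and the ping leaves wan1 in the clear instead of entering the tunnel.
get router info routing-table details 114.8.24.6
execute ping 114.8.24.6
```

The same check is worth repeating after any change to the phase 2 selectors: with the corrected interface addressing, a 0.0.0.0/0 selector no longer matters for the peer's public address, because routing never sends that traffic to the tunnel interface in the first place.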