Cybersecurity Forum



IPSEC tunnel policies

1.) Have IPSEC tunnel up. (Showing in VPN-> Monitor as up.)

2.) Have seven "remote" subnets, and three "local" IP addresses. For ease of explaining, let's call them,, 10.3/16, 10.4/16, 10.5/16, 192.168.5/24, and 192.168.6/24. And then the IPs would be,, and

3.) Objects created for each single listing above. (ie, Remote1, Remote2, Remote3,...IP1, IP2, IP3.)

4.) Groups created for each "set". REMOTE_GROUP. IP_GROUP

5.) Bi-directional policies setup.

5a.) Source: REMOTE_GROUP Dest: IP_GROUP

5b.) Source: IP_GROUP Dest: REMOTE_GROUP

Here's the weird part. If they attempt pings from their site, Remote1, Remote3, Remote5, and Remote6 will work to ping IP1. Remote2, Remote4, and Remote7 will get a timeout error with the classic "The packet specifies its destination as...", which is usually an ACL error in the Phase 2 setup, but we've both confirmed that the subnets match, and all looks good...


I'm stumped. Any thoughts? Advice? Anecdotes?
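The symptom above (some REMOTE_GROUP members reach IP1, others time out with a selector mismatch message) is usually caused by a phase 2 selector that does not fully cover a remote subnet, covers it against the wrong local side, or is missing altogether. The following is an added offline check, not code from the original post or from Fortinet; it assumes phase 2 selectors are modelled as (remote, local) CIDR pairs, and every address in it is a constructed sample, not the poster's real ranges.

```python
import ipaddress


def parse_selectors(pairs):
    """Turn (remote, local) CIDR strings into network objects."""
    return [(ipaddress.ip_network(r), ipaddress.ip_network(l)) for r, l in pairs]


def covering_selector(remote_cidr, local_ip, selectors):
    """Return the first selector whose remote side fully contains the remote
    subnet and whose local side contains the local host, else None."""
    remote = ipaddress.ip_network(remote_cidr)
    host = ipaddress.ip_address(local_ip)
    for sel_remote, sel_local in selectors:
        if remote.subnet_of(sel_remote) and host in sel_local:
            return (str(sel_remote), str(sel_local))
    return None


def coverage_gaps(remote_subnets, local_hosts, selectors):
    """Map each remote object name to the local hosts no selector lets it
    reach; remotes that are fully covered are left out of the result."""
    gaps = {}
    for rname, rcidr in remote_subnets.items():
        missing = [h for h, ip in local_hosts.items()
                   if covering_selector(rcidr, ip, selectors) is None]
        if missing:
            gaps[rname] = missing
    return gaps


# Constructed sample data shaped like the post: seven remote objects, three
# local hosts, and a selector list with three different kinds of defect.
REMOTE_SUBNETS = {
    "Remote1": "10.3.0.0/16", "Remote2": "10.4.0.0/16", "Remote3": "10.5.0.0/16",
    "Remote4": "192.168.5.0/24", "Remote5": "192.168.6.0/24",
    "Remote6": "172.20.0.0/16", "Remote7": "172.21.0.0/16",
}
LOCAL_HOSTS = {"IP1": "10.10.10.1", "IP2": "10.10.10.2", "IP3": "10.10.10.3"}
SELECTORS = parse_selectors([
    ("10.3.0.0/16", "10.10.10.0/29"),      # Remote1: fine
    ("10.4.0.0/16", "10.10.10.8/29"),      # Remote2: wrong local side
    ("10.5.0.0/16", "10.10.10.0/29"),      # Remote3: fine
    ("192.168.5.0/25", "10.10.10.0/29"),   # Remote4: only half the /24
    ("192.168.6.0/24", "10.10.10.0/29"),   # Remote5: fine
    ("172.20.0.0/16", "10.10.10.0/29"),    # Remote6: fine
])                                         # Remote7: no selector at all

if __name__ == "__main__":
    for name, hosts in coverage_gaps(REMOTE_SUBNETS, LOCAL_HOSTS, SELECTORS).items():
        print(f"{name}: no phase 2 selector reaches {', '.join(hosts)}")
```

Run the same check with the peer's selector list too, since a mismatch on either end produces the same timeout from the remote side.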