FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sagha
Staff
Article Id 217330
Description

This article describes how to handle the case where an IPsec tunnel is up and traffic appears to leave the FortiGate but never reaches the remote end.

 

This article applies to all of the following scenarios:

  1. FortiGate =====IPsec Tunnel===== FortiGate
  2. FortiGate-VM =====IPsec Tunnel===== FortiGate
  3. FortiGate =====IPsec Tunnel===== Third-party device

 

Scope
FortiGate.
Solution

Follow these steps:

  1. Check which UDP ports the tunnel is using and which way packets are actually flowing:

diagnose vpn ike gateway list name <tunnel_name>

diagnose vpn tunnel list name <tunnel_name>

In the IKE gateway output, the addr line shows the local and remote UDP ports (500 or 4500). In the tunnel output, compare the per-SA enc:pkts and dec:pkts counters: encrypted packets climbing while decrypted packets stay at zero is the signature of this problem. The FortiGate is sending ESP, but nothing comes back, either because a device in the path drops ESP (IP protocol 50) or because the peer never receives it.

  2. If IKE is running on UDP 500, force NAT-Traversal so that IKE moves to UDP 4500 and ESP is carried inside UDP 4500 instead of as a bare IP protocol 50 packet:

config vpn ipsec phase1-interface

edit "VPN-Phase1"

set nattraversal forced

end

The default setting, enable, only switches to UDP 4500 when NAT is detected during IKE negotiation. forced uses UDP encapsulation unconditionally, which is what is needed when no NAT is detected but something in the path (a NAT gateway, an ISP, or a cloud network edge, as is common for FortiGate-VM deployments) silently drops or mishandles ESP.

  3. Make sure NAT-Traversal is also enabled on the remote end; on a third-party device this may be called NAT-T or UDP encapsulation. If the peer does not accept IKE and ESP on UDP 4500, the tunnel will not come back up after the change.

  4. Flush the existing IKE and IPsec SAs so that the tunnel renegotiates with the new settings:

diagnose vpn tunnel flush <tunnel_name>

diagnose vpn ike gateway flush name <tunnel_name>

  5. Re-run the commands from step 1 and confirm that the addr line now shows port 4500 on both ends and that the tunnel output no longer reports natt: mode=none.

  6. Send traffic across the tunnel again and check that dec:pkts now increases along with enc:pkts. If traffic still flows in only one direction, capture what the FortiGate is actually sending and receiving on the wire:

diagnose sniffer packet any "host <peer_ip> and (udp port 500 or udp port 4500 or esp)" 4
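The checks in the steps above, as an added triage helper (example code, not Fortinet's own and not part of the original article): it reads the text of `diagnose vpn ike gateway list name <tunnel>` and `diagnose vpn tunnel list name <tunnel>`, reports which UDP port IKE is on, whether NAT-T is active, whether the enc/dec counters show the one-way pattern, and prints the remediation sequence from the article for the given phase1 name. The sample outputs embedded in it are constructed to resemble the layout of those commands; exact field names vary between FortiOS versions, so the regexes may need adjusting for real output (an assumption, not a guarantee).

```python
"""Triage helper: 'IPsec tunnel up, traffic leaves but never arrives'.

Added example, not Fortinet code. The sample outputs are constructed to
resemble the layout of the two diagnose commands; field names in real
FortiOS output may differ by version (assumption).
"""
import re
from typing import Any, Dict, List

# Constructed sample: IKE on UDP 500, NAT-T off, packets encrypted but none decrypted.
IKE_GW_BEFORE = """\
vd: root/0
name: VPN-Phase1
version: 2
interface: wan1 5
addr: 198.51.100.10:500 -> 203.0.113.20:500
created: 1820s ago
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
"""
TUNNEL_BEFORE = """\
name=VPN-Phase1 ver=2 serial=1 198.51.100.10:0->203.0.113.20:0 tun_id=203.0.113.20
stat: rxp=0 txp=1532 rxb=0 txb=183840
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-Phase2 proto=0 sa=1 ref=2 serial=1
  src: 0:10.10.0.0/255.255.255.0:0
  dst: 0:10.20.0.0/255.255.255.0:0
  dec:pkts/bytes=0/0, enc:pkts/bytes=1532/183840
"""
# Constructed sample: same tunnel after 'set nattraversal forced' and a flush.
IKE_GW_AFTER = IKE_GW_BEFORE.replace(
    "addr: 198.51.100.10:500 -> 203.0.113.20:500",
    "addr: 198.51.100.10:4500 -> 203.0.113.20:4500",
)
TUNNEL_AFTER = (
    TUNNEL_BEFORE.replace("natt: mode=none draft=0 interval=0 remote_port=0",
                          "natt: mode=keepalive draft=32 interval=10 remote_port=4500")
    .replace("dec:pkts/bytes=0/0", "dec:pkts/bytes=1498/179760")
    .replace("rxp=0", "rxp=1498")
)

_ADDR_RE = re.compile(r"^addr:\s*\S+:(\d+)\s*->\s*\S+:(\d+)", re.M)   # local:port -> remote:port
_NATT_RE = re.compile(r"^natt:\s*mode=(\S+)", re.M)                   # none = no UDP encapsulation
_ENC_RE = re.compile(r"enc:pkts/bytes=(\d+)/(\d+)")                     # packets we encrypted and sent
_DEC_RE = re.compile(r"dec:pkts/bytes=(\d+)/(\d+)")                     # packets received and decrypted


def parse_ike_gateway(text: str) -> Dict[str, Any]:
    """Extract the UDP ports IKE negotiated on (500 = plain ESP, 4500 = NAT-T)."""
    m = _ADDR_RE.search(text)
    if not m:
        raise ValueError("no 'addr:' line found; is the IKE gateway actually up?")
    return {"ike_local_port": int(m.group(1)), "ike_remote_port": int(m.group(2))}


def parse_tunnel(text: str) -> Dict[str, Any]:
    """Extract NAT-T mode and the per-SA encrypt/decrypt packet counters."""
    natt, enc, dec = _NATT_RE.search(text), _ENC_RE.search(text), _DEC_RE.search(text)
    if not (enc and dec):
        raise ValueError("no per-SA enc/dec counters found; phase 2 may not be up")
    return {"natt_mode": natt.group(1) if natt else "unknown",
            "enc_pkts": int(enc.group(1)), "dec_pkts": int(dec.group(1))}


def triage(ike_text: str, tunnel_text: str) -> Dict[str, Any]:
    """Combine both outputs into a verdict and a next step."""
    r: Dict[str, Any] = {}
    r.update(parse_ike_gateway(ike_text))
    r.update(parse_tunnel(tunnel_text))
    on_4500 = r["ike_remote_port"] == 4500
    if r["enc_pkts"] == 0:
        r["verdict"] = "no-traffic"
        r["advice"] = "Nothing is being encrypted; check the route and firewall policy into the tunnel interface."
    elif r["dec_pkts"] == 0:
        r["verdict"] = "one-way"
        r["advice"] = ("Already on UDP 4500 and still one-way: verify NAT-T on the peer and UDP 4500 along the path."
                       if on_4500 else
                       "Encrypting but never decrypting while IKE is on UDP 500: ESP (IP protocol 50) is probably "
                       "dropped in the path. Force NAT-T so ESP is carried in UDP 4500, then flush the tunnel.")
    else:
        r["verdict"] = "bidirectional"
        r["advice"] = "Both directions carry packets; the IPsec layer is fine, look at routing, policy or MTU."
    return r


def remediation_commands(phase1_name: str) -> List[str]:
    """The FortiOS CLI sequence from the article, parameterised on the phase1 name."""
    return ["config vpn ipsec phase1-interface", f'edit "{phase1_name}"', "set nattraversal forced", "end",
            f"diagnose vpn tunnel flush {phase1_name}", f"diagnose vpn ike gateway flush name {phase1_name}"]


if __name__ == "__main__":
    for label, ike, tun in (("before", IKE_GW_BEFORE, TUNNEL_BEFORE), ("after", IKE_GW_AFTER, TUNNEL_AFTER)):
        result = triage(ike, tun)
        print(f"[{label}] port={result['ike_remote_port']} natt={result['natt_mode']} "
              f"enc={result['enc_pkts']} dec={result['dec_pkts']} -> {result['verdict']}: {result['advice']}")
        if result["verdict"] == "one-way" and result["ike_remote_port"] != 4500:
            print("\n".join(remediation_commands("VPN-Phase1")))
```

To use it against a live box, paste the two command outputs into the `IKE_GW_BEFORE`/`TUNNEL_BEFORE` strings (or read them from files) and run the script; the verdict logic only depends on the addr line, the natt line and the enc/dec counters, so it tolerates extra lines in the real output.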