Description
This article describes how to ping a remote network reached over an IPsec VPN from the FortiGate CLI, and why a plain ping from the CLI fails.
Scope
FortiGate.
Solution
Assume the following scenario:
[ 172.31.128.0/20] ----172.31.128.1 (LAN) 81E-----ipsec vpn --------600C-------[ 172.31.144.0/20]
IPsec VPN is configured in both FortiGate-81E and FortiGate-600C.
For FortiGate-81E, network 172.31.144.0/20 is reachable via the VPN and 172.31.128.0/20 is a directly connected network.
From FortiGate-81E, pinging a host in the remote network directly from the CLI fails:
FG81EP-2 # execute ping 172.31.147.74
PING 172.31.147.74 (172.31.147.74): 56 data bytes
--- 172.31.147.74 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
To ping a remote IP reached via the IPsec VPN, first set the ping source to the IP of the FortiGate's local network interface (an address inside the phase 2 selector and the VPN firewall policy), then initiate the ping:
FG81EP-2 # exe ping-options source 172.31.128.1 <----- FortiGate-81E's local network interface IP.
FG81EP-2 # exe ping 172.31.147.74
PING 172.31.147.74 (172.31.147.74): 56 data bytes
64 bytes from 172.31.147.74: icmp_seq=0 ttl=255 time=0.5 ms
64 bytes from 172.31.147.74: icmp_seq=1 ttl=255 time=0.5 ms
64 bytes from 172.31.147.74: icmp_seq=2 ttl=255 time=0.3 ms
In some cases the root cause is on the Windows PC at the receiving end. The inbound ICMPv4 echo rules of the Windows Defender Firewall are typically scoped to the local subnet on non-domain profiles, so the PC answers pings from its own LAN but ignores echo requests arriving from the remote subnet on the far side of the tunnel; third-party antivirus or endpoint firewall products can apply the same kind of restriction. As an initial troubleshooting step, temporarily disable the Windows Defender Firewall (or the antivirus firewall) on the destination PC, repeat the ping, and re-enable it afterwards.
If the ping succeeds with the host firewall disabled, the cleanest fix is a host firewall rule that allows ICMPv4 echo requests from the remote subnet. Alternatively, enable Network Address Translation (NAT) in the FortiGate firewall policy from the tunnel to the internal network: the requests then arrive with the FortiGate's internal interface IP as source, which is on the PC's own subnet, at the cost of hiding the real source address from the PC and its logs.
The direct ping fails because the IPsec tunnel interface has no IP address of its own, so the FortiGate sources the self-originated packet from a different interface, chosen by the lowest interface index (often the WAN interface). That address falls outside the phase 2 selector and the VPN firewall policy, so the packet never enters the tunnel, and the remote side would have no route back to it even if it did. Setting the ping source explicitly avoids both problems. These articles provide further details:
Technical Tip: Source IP for self-originating IPsec tunnel traffic
Technical Tip: Self-originating traffic over IPSec VPN (For example ping)
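The following is an added example, not FortiOS code or a Fortinet tool. It models the source-selection rule described above (egress interface IP, falling back to the lowest-index addressed interface when the tunnel interface has no IP) together with the phase 2 selector check, for the FortiGate-81E side of the article's topology. The interface indexes and the wan1 address 203.0.113.10 are constructed for the example; the LAN address, subnets and selector come from the article.

```python
"""Model of how a FortiGate picks the source IP for self-originated traffic
(for example 'execute ping') sent over an IPsec tunnel interface, plus the
check that the chosen source falls inside the phase 2 selector.

Added example, not FortiOS code or a Fortinet tool. The topology and the
"lowest interface index" rule come from the article; the interface indexes
and the wan1 address 203.0.113.10 are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    index: int                  # FortiOS interface index (lower = created earlier)
    ip: Optional[IPv4Address]   # None for an IPsec tunnel interface without an IP


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


@dataclass(frozen=True)
class Phase2Selector:
    src: IPv4Network   # local subnet allowed into the tunnel
    dst: IPv4Network   # remote subnet reachable through the tunnel


# Constructed FortiGate-81E view of the article's topology.
INTERFACES: List[Interface] = [
    Interface("wan1", 1, IPv4Address("203.0.113.10")),      # constructed WAN address
    Interface("internal", 2, IPv4Address("172.31.128.1")),  # LAN address from the article
    Interface("to_600C", 9, None),                          # IPsec tunnel interface, no IP
]
ROUTES: List[Route] = [
    Route(IPv4Network("0.0.0.0/0"), "wan1"),
    Route(IPv4Network("172.31.128.0/20"), "internal"),
    Route(IPv4Network("172.31.144.0/20"), "to_600C"),
]
SELECTORS: List[Phase2Selector] = [
    Phase2Selector(IPv4Network("172.31.128.0/20"), IPv4Network("172.31.144.0/20")),
]


def egress_interface(routes: List[Route], dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match, as the routing table lookup does."""
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).interface


def default_source(interfaces: List[Interface], egress: str) -> Optional[IPv4Address]:
    """Source used when no 'execute ping-options source' is set: the egress
    interface's own IP, or, when it has none (an IPsec tunnel interface),
    the IP of the lowest-index interface that has one (the article's rule)."""
    by_name: Dict[str, Interface] = {i.name: i for i in interfaces}
    if by_name[egress].ip is not None:
        return by_name[egress].ip
    addressed = sorted((i for i in interfaces if i.ip is not None), key=lambda i: i.index)
    return addressed[0].ip if addressed else None


def selector_match(selectors: List[Phase2Selector], src: IPv4Address, dst: IPv4Address) -> bool:
    """A packet only enters the tunnel if some phase 2 selector covers both ends."""
    return any(src in s.src and dst in s.dst for s in selectors)


def ping_source_check(dst: str, source: Optional[str] = None,
                      interfaces: List[Interface] = INTERFACES,
                      routes: List[Route] = ROUTES,
                      selectors: List[Phase2Selector] = SELECTORS) -> Tuple[str, bool]:
    """Return (source address the ping will use, True if it matches the selector)."""
    dst_ip = ip_address(dst)
    egress = egress_interface(routes, dst_ip)
    if egress is None:
        return ("", False)          # no route at all: nothing to source from
    src_ip = ip_address(source) if source else default_source(interfaces, egress)
    if src_ip is None:
        return ("", False)          # no addressed interface available
    return (str(src_ip), selector_match(selectors, src_ip, dst_ip))


if __name__ == "__main__":
    # Without ping-options source: wan1's address is used and the selector is not matched.
    print(ping_source_check("172.31.147.74"))
    # With the LAN interface address as source: the packet matches the selector.
    print(ping_source_check("172.31.147.74", "172.31.128.1"))
```

On a real FortiGate the same check is done by confirming the route to the destination points at the tunnel interface (`get router info routing-table details 172.31.147.74`) and watching which source address the echo requests actually carry (`diagnose sniffer packet any 'host 172.31.147.74' 4`); if the sniffed source is not inside the phase 2 selector, the ping-options source must be changed as shown above.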