nithincs
Staff
Article Id 195439

Description

This article describes how to ping a remote network connected via IPsec VPN.

Scope

FortiGate.

Solution

Assume the following scenario:

[ 172.31.128.0/20] ----172.31.128.1 (LAN) 81E-----ipsec vpn --------600C-------[ 172.31.144.0/20]

IPsec VPN is configured in both FortiGate-81E and FortiGate-600C.
For FortiGate-81E, network 172.31.144.0/20 is reachable via VPN and 172.31.128.0/20 is a directly connected network.

From FortiGate-81E, if the remote network IP is pinged directly from the CLI, the ping fails:

FG81EP-2 # execute ping 172.31.147.74
PING 172.31.147.74 (172.31.147.74): 56 data bytes

--- 172.31.147.74 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

To ping a remote IP that is reachable via the IPsec VPN, set the source IP for the ping and then initiate the ping:

FG81EP-2 # exe ping-options source 172.31.128.1        <----- Source is FortiGate-81E's local network connected interface IP.
FG81EP-2 # exe ping 172.31.147.74
PING 172.31.147.74 (172.31.147.74): 56 data bytes
64 bytes from 172.31.147.74: icmp_seq=0 ttl=255 time=0.5 ms
64 bytes from 172.31.147.74: icmp_seq=1 ttl=255 time=0.5 ms
64 bytes from 172.31.147.74: icmp_seq=2 ttl=255 time=0.3 ms

In certain instances, the root cause of the problem may lie with the Windows PC at the receiving end. As an initial troubleshooting step, temporarily disable Windows Defender on the destination PC.

Furthermore, the destination PC often responds to ping requests from hosts on the same network while failing to respond to machines on the opposite end of the tunnel. A possible cause is antivirus software installed on the destination PC. To resolve this, enable Network Address Translation (NAT) in the firewall policy from the tunnel interface to the internal network.


The ping fails because, with no source specified, FortiGate selects a different source interface, chosen by the lowest interface index number. The following articles provide more detail:
Technical Tip: Source IP for self-originating IPsec tunnel traffic

Technical Tip: Self-originating traffic over IPSec VPN (For example ping)
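The following is an added model (not FortiOS code and not from the article) of the behaviour described above: with no source set, the lowest-index interface's address is used, so the packet does not fall inside the tunnel's local selector and is not carried through the tunnel. Interface names, indices and the WAN address are constructed, and the rule that only traffic matching the phase 2 selector pair is sent through the tunnel is a simplifying assumption.

```python
"""Model of why a FortiGate self-originated ping into an IPsec tunnel fails
until a source IP inside the tunnel's local selector is chosen.

Constructed illustration, not FortiOS code. Interface indices, names and the
WAN address are made up; the selector-matching rule is a simplification.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    index: int                      # constructed FortiOS interface index
    address: ipaddress.IPv4Address


@dataclass(frozen=True)
class Phase2Selector:
    local: ipaddress.IPv4Network    # traffic source must match this
    remote: ipaddress.IPv4Network   # traffic destination must match this


# Topology from the article: 81E LAN 172.31.128.1 in 172.31.128.0/20,
# tunnel carrying 172.31.128.0/20 <-> 172.31.144.0/20 (WAN address constructed).
INTERFACES = [
    Interface("wan1", 3, ipaddress.IPv4Address("203.0.113.10")),
    Interface("lan", 7, ipaddress.IPv4Address("172.31.128.1")),
]
SELECTOR = Phase2Selector(ipaddress.IPv4Network("172.31.128.0/20"),
                          ipaddress.IPv4Network("172.31.144.0/20"))


def default_source(interfaces):
    """Article's rule: with no 'ping-options source', the lowest-index
    interface's address becomes the ping source."""
    return min(interfaces, key=lambda i: i.index).address


def carried_by_tunnel(src, dst, selector):
    """Simplified assumption: a packet enters the tunnel only if src is in
    the local selector and dst is in the remote selector."""
    return src in selector.local and dst in selector.remote


def ping_outcome(dst, source=None):
    """Return 'reply' or 'timeout' for a FortiGate-originated ping to dst,
    optionally with an explicit source (as set by 'execute ping-options source')."""
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(source) if source else default_source(INTERFACES)
    return "reply" if carried_by_tunnel(src, dst, SELECTOR) else "timeout"


if __name__ == "__main__":
    print("default source  :", ping_outcome("172.31.147.74"))
    print("source LAN IP   :", ping_outcome("172.31.147.74", "172.31.128.1"))
```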