ergalez
New Contributor

IP Sec Tunnel Interface is UP, but i can't do a ping to remote pc

Hi, I have two FortiGates, a 60E and a 20C, and I have established the IPsec tunnels for a site-to-site VPN. The tunnel appears to be up on both FortiGates, but I cannot ping between the LAN networks. I have set the static route and added the access policies. I don't know what else to do. And if I check the IPsec monitor, I see that there is incoming and outgoing traffic. (screenshot: evidencia.png)

ergalez

Thanks so much for your support.

Here is the output of the sniffer in 60E:

(screenshot: ergalez_0-1638338333198.png)

 

And here is the output in 20C.

(screenshot: ergalez_1-1638338502426.png)

 

I think the ESP packets are arriving.

 

And yes, on the 20C there are 2 more IPsec tunnels and they are working fine.

(screenshot: ergalez_2-1638338659131.png)

 

And on the 60E there is 1 more tunnel and it works fine.

(screenshot: ergalez_3-1638338731589.png)

 

It seems that everything is fine, but I don't know what more tests I can do. I'm afraid I have no other device to test :(

Shivasagar

The only option I can suggest now is to disable the tunnel to bring down the connection and initiate traffic from the 60E end, so that the tunnel comes up using NAT-T [UDP 4500]; I can see from the sniffer that it's still using port 500.

ergalez

Thank you!

 

So what I have to do is go to:
1. the IPsec monitor and bring down the tunnel, or go to Network -> Interfaces -> WAN -> tunnel interface -> Disable

And once the tunnel is disabled, I ping from my LAN network behind the FortiGate 60E, right? And it should come up on its own?

Shivasagar

You can use "diagnose vpn tunnel flush <name>" to clear the SAs from both ends. After that, just initiating a ping from a machine behind the 60E should bring up the tunnel.

ergalez

Thank you, I did the flush command on both FortiGates, but the tunnel comes up after that without my doing a ping.

 

And then I ran the sniffer command on both FortiGates, but the packets still use port 500 and not 4500.

diag sniffer packet any 'host <peer public ip>' 6 0 a

Maybe I need to reset the tunnel or do it again?
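The sniffer output discussed above only tells you something once the packets are grouped by peer and direction: IKE on UDP/500, NAT-T on UDP/4500, and raw ESP in each direction. The script below, an added example that is not part of this thread, does that grouping. It assumes the one-line-per-packet header format printed by `diagnose sniffer packet any 'host <peer>' 4` (timestamp, interface, in/out, src -> dst: proto); the capture is constructed, and the addresses are documentation ranges rather than the poster's.

```python
"""Summarise FortiGate 'diagnose sniffer packet' header lines per VPN peer.

Added example, not part of the forum thread. It assumes the header line
format of 'diagnose sniffer packet any "host <peer>" 4'; the sample capture
below is constructed and the addresses are documentation ranges.
"""
import re
from collections import defaultdict

# Constructed sample: peer 203.0.113.10 does IKE on UDP/500 and exchanges
# raw ESP both ways; peer 192.0.2.5 is behind NAT and uses UDP/4500 only.
SAMPLE_SNIFFER = """\
2021-12-01 10:15:22.123456 wan1 out 198.51.100.20.500 -> 203.0.113.10.500: udp 528
2021-12-01 10:15:22.200000 wan1 in 203.0.113.10.500 -> 198.51.100.20.500: udp 448
2021-12-01 10:15:23.000000 wan1 out 198.51.100.20 -> 203.0.113.10: ESP(spi=0x1a2b3c4d,seq=0x1)
2021-12-01 10:15:23.100000 wan1 in 203.0.113.10 -> 198.51.100.20: ESP(spi=0x9f8e7d6c,seq=0x1)
2021-12-01 10:15:24.000000 wan1 out 198.51.100.20.4500 -> 192.0.2.5.4500: udp 536
2021-12-01 10:15:24.050000 wan1 in 192.0.2.5.4500 -> 198.51.100.20.4500: udp 180
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): (?P<proto>.*)$"
)


def split_endpoint(ep):
    """'198.51.100.20.500' -> ('198.51.100.20', 500); a bare IP -> (ip, None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def classify_sniffer(text, local_ip):
    """Count IKE (udp/500), NAT-T (udp/4500) and raw ESP per remote peer."""
    peers = defaultdict(lambda: {"udp500": 0, "udp4500": 0,
                                 "esp_in": 0, "esp_out": 0, "other": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        peer = dst_ip if src_ip == local_ip else src_ip
        stats = peers[peer]
        proto = m["proto"]
        if proto.startswith("ESP"):
            stats["esp_" + m["dir"]] += 1
        elif proto.startswith("udp") and 500 in (src_port, dst_port):
            stats["udp500"] += 1
        elif proto.startswith("udp") and 4500 in (src_port, dst_port):
            stats["udp4500"] += 1
        else:
            stats["other"] += 1
    return dict(peers)


def diagnose(stats):
    """Turn the counters for one peer into the next thing to check."""
    if stats["udp4500"] and not (stats["esp_in"] or stats["esp_out"]):
        return "NAT-T: IKE and ESP are UDP-encapsulated on 4500, so no raw ESP is expected"
    if stats["esp_in"] and stats["esp_out"]:
        return "ESP both ways: tunnel carries traffic; check far-side route/policy or the host firewall"
    if stats["esp_out"] and not stats["esp_in"]:
        return "ESP sent but none returned: check the remote route, policy and phase2 selectors"
    if stats["esp_in"] and not stats["esp_out"]:
        return "ESP received but none sent: check the local LAN-to-tunnel policy and static route"
    if stats["udp500"]:
        return "only IKE on udp/500: phase2 may be down or no traffic is matching the tunnel"
    return "no IKE or ESP seen for this peer"


if __name__ == "__main__":
    for peer, stats in classify_sniffer(SAMPLE_SNIFFER, "198.51.100.20").items():
        print(peer, stats, "->", diagnose(stats))
```

Run it against a real capture with verbosity 4 rather than 6 (verbosity 6 adds a hex dump under every header line, which this parser simply skips). Seeing IKE on port 500 is not itself a problem; the useful signal is whether ESP, or UDP/4500 when NAT-T is in use, flows in both directions for the peer you cannot reach.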


sw2090
Honored Contributor

Are you sure the tunnel is up completely? In firmware prior to 6.4 the IPsec Monitor (and also the IKE debug log) does not show Phase 2. Since 6.4 it does show Phase 2, at least in the IPsec Monitor.

So maybe your Phase 1 came up and the tunnel is marked as up in the monitor, but Phase 2 is not up. Unfortunately that is rather hard to debug, as there are no logs for Phase 2 :(

The result would be that no traffic can yet pass your tunnel...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ergalez
New Contributor

Hi sw2090, thank you for your time.

 

I followed this link to troubleshoot the IPsec phases.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955?ext...

 

And if I run this command on my FortiGate 60E, the status of Phase 1 is established.

(screenshot: ergalez_0-1638367634816.png)

 

And if I check Phase 2, the SA=1, which I think indicates that the IPsec SA is matching and there is traffic between the selectors.

 

(screenshot: ergalez_1-1638367827949.png)

 

I honestly don't know what else to do. I've thought about restarting the FortiGates, but I'm afraid that the other VPNs I have configured will stop working as well.

 

sw2090
Honored Contributor

Yes, it does. So the tunnel is up completely.

Did you try to flow-trace the traffic to see whether it matches the policies and the routing is correct?

 

diag debug enable

diag debug flow filter daddr <destinationip>

diag debug flow filter saddr <sourceip>

diag debug flow show function-name enable

diag debug flow trace start <numberofpackets>

(and when you are done: diag debug flow trace stop, then diag debug disable)

 

That will show you what the FGT does with the traffic.

In step #1 the FGT uses the routing table to determine the path to the destination.

In step #2 it looks for a matching policy. It goes top down, and the first match wins the packet.

If there is no policy that matches, it hits policy #0 (which is the "deny everything from/to everywhere" one).

However, the fact that the tunnel is up tells me that there has to be at least one policy that references it (because otherwise it would not come up). That does not necessarily mean that it matches your traffic, though...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

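The two-step check described above (route lookup first, then top-down policy match, with policy 0 as the implicit deny) is easiest to read off a flow trace when each trace_id is reduced to its egress interface and policy verdict. The script below is an added example, not part of this thread or of Fortinet's tooling. It assumes the `id=... trace_id=N func=... msg="..."` line format that `diagnose debug flow trace start` prints; the message wording follows FortiOS, but the sample trace is constructed and its addresses, interface names (`internal`, `wan1`, `site-b`) and policy IDs are made up.

```python
"""Reduce FortiGate flow-trace output to a route/policy verdict per trace_id.

Added example, not from the forum thread. It assumes the
'id=... trace_id=N func=... msg="..."' format of 'diagnose debug flow trace
start'; the sample below is constructed and its names and IDs are made up.
"""
import re

# Constructed sample with three traces: trace 1 is routed into the tunnel
# interface and allowed; trace 2 is routed out wan1 because the static route
# does not cover the destination; trace 3 is routed correctly but hits the
# implicit deny policy 0.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.1.1.10:1->10.2.2.10:2048) from internal. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.2.2.10 via site-b"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-12:"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.1.1.10:1->10.2.3.10:2048) from internal. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5794 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Allowed by Policy-3:"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.1.1.10:1->10.2.2.20:2048) from internal. type=8, code=0, id=1, seq=3."
id=20085 trace_id=3 func=init_ip_session_common line=5794 msg="allocate a new session-0000a1b4"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.2.2.20 via site-b"
id=20085 trace_id=3 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
"""

TRACE_RE = re.compile(r'trace_id=(?P<tid>\d+) .*?msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<ingress>[^\s.]+)\.")
ROUTE_RE = re.compile(r"find a route: flag=\w+ gw-(?P<gw>[\d.]+) via (?P<egress>\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<pid>\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)")


def parse_flow(text):
    """Group flow-trace lines by trace_id and keep the route and policy fields."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(int(m["tid"]), {"src": None, "dst": None, "ingress": None,
                                               "egress": None, "policy": None, "allowed": None})
        msg = m["msg"]
        if (p := PKT_RE.search(msg)):
            t.update(src=p["src"], dst=p["dst"], ingress=p["ingress"])
        elif (r := ROUTE_RE.search(msg)):
            t["egress"] = r["egress"]          # step 1: routing decision
        elif (a := ALLOW_RE.search(msg)):
            t.update(policy=int(a["pid"]), allowed=True)   # step 2: policy match
        elif (d := DENY_RE.search(msg)):
            t.update(policy=int(d["pid"]), allowed=False)  # policy 0 = implicit deny
    return traces


def verdict(trace, tunnel_iface):
    """Name the step (route, then policy) at which one trace goes wrong."""
    if trace["egress"] is None:
        return "no route decision seen in trace"
    if trace["egress"] != tunnel_iface:
        return (f"ROUTING: {trace['dst']} leaves via {trace['egress']}, not {tunnel_iface}; "
                "the static route does not cover this destination")
    if trace["allowed"] is None:
        return "no policy decision seen in trace"
    if not trace["allowed"]:
        return (f"POLICY: denied by policy {trace['policy']}; no accept policy from "
                f"{trace['ingress']} to {tunnel_iface} matches this traffic")
    return f"OK: routed via {tunnel_iface} and allowed by policy {trace['policy']}"


def analyze_flow(text, tunnel_iface):
    """Return {trace_id: verdict string} for a whole flow-trace capture."""
    return {tid: verdict(t, tunnel_iface) for tid, t in parse_flow(text).items()}


if __name__ == "__main__":
    for tid, v in analyze_flow(SAMPLE_FLOW, "site-b").items():
        print(f"trace {tid}: {v}")
```

Paste the real trace output into `SAMPLE_FLOW` (or read it from a file) and pass the name of the IPsec tunnel interface. A trace that leaves via the WAN interface is a routing problem regardless of how the policies look; a trace that reaches the tunnel interface but ends in policy 0 needs a LAN-to-tunnel accept policy that matches the actual source, destination and service.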
Sylvan
New Contributor

Could you please check whether you are filtering the traffic that traverses the VPN in your Phase 2? If the static route is correct and the security policies are correct, then the only thing I can think of is the Phase 2 configuration.
