Sebix
New Contributor

Problem with PING between IPsec

Hello.

 

I have a problem with PING between IPsec in my project.

My network is built partly in GNS3 and partly physically at home.
In GNS3 I have two FortiGate devices with IP addresses 10.1.20.1 (name BYD) and 10.3.90.1 (name WAW).
Physically at home I have a FortiGate with IP address 10.0.90.1 (name GDA).

 

IP Address IPsec GDA: 192.168.0.201
IP Address IPsec BYD: 192.168.0.200
IP Address IPsec WAW: 192.168.0.203


Everything looks good, but I have a problem with ping from GDA to BYD and WAW.
IPsec between all sites is working well, and PING from BYD and WAW to GDA works. PING between BYD and WAW also works well.

 

IPv4 Policy BYD:

Sebix_0-1646814663926.png

IPv4 Policy WAW:

Sebix_1-1646814700405.png

IPv4 Policy GDA:

Sebix_2-1646814724133.png

In addition, I have a static route set as below
BYD:

Sebix_3-1646814804728.png

WAW:

Sebix_4-1646814816253.png

GDA:

Sebix_5-1646814826500.png

Administrative distance everywhere 1 and blackhole 254.

Can someone help solve the problem?



 

8 REPLIES
Anonymous
Not applicable

Hi,

Thank you for using Community.

Are these the screen captures when you tried pinging from GDA-BYD/WAW? If it is, it seems that the interface 'LAN' configured in GDA is not up. 


Sebix
New Contributor

Ping from WAW and BYD to GDA from CLI Forti

Sebix_0-1646822733221.png

PING from GDA to WAW and BYD from CLI Forti

Sebix_1-1646822809623.png

 

Anonymous
Not applicable

What I may propose is to look at what is happening to the packets/traffic flow. Please try the following commands while pinging:

diag debug enable
diag debug flow filter addr <ipaddr4>
diag debug flow trace start 1000
diag debug flow trace stop

 

 

Sebix
New Contributor

Ping from GDA to WAW and BYD

Sebix_0-1646823571372.png

BYD to GDA

Sebix_1-1646823752175.png

 

vponmuniraj
Staff

Hi Sebix,

 

The error "no matching IPsec selector, drop" is seen in the firewall GDA-FW. 

 

Check the traffic selectors under phase2 config (source subnet 192.168.0.x, destination subnet 10.3.90.x). Also you may share the output for diag vpn tunnel list name <VPN name> for better understanding. 

 

 

Regards,

Vignesh
Sebix
New Contributor

IPsec config GDA to WAW

Sebix_1-1646827598880.png

interface wan1 - 192.168.0.201
Phase2 GDA to WAW

Sebix_2-1646827672644.png

DIAG

Sebix_3-1646827753554.png

@vponmuniraj 
@Anonymous 

Any idea?

vponmuniraj

Hi Sebix,

 

Looking at the flow debug and the output, it looks like the pings to 10.3.90.1 & 10.1.20.1 are sourced from IP 192.168.0.201 (probably because the tunnel interface has no IP). 

 

Check the below from GDA:

exec ping-option source 10.0.90.1
exec ping 10.3.90.1
exec ping 10.1.20.1

 

 

Regards,

Vignesh
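As an added illustration (not part of the thread, and not FortiOS or Fortinet code), the following Python script parses sample "diag debug flow" lines of the kind quoted above, groups them by trace_id, and checks each traced packet against a phase 2 selector table. It shows why a ping that leaves GDA sourced from the WAN address 192.168.0.201 is reported as "no matching IPsec selector, drop" while the same ping sourced from the LAN address 10.0.90.1 is forwarded into the tunnel. The trace lines, the function names in them and the selector table are constructed for this example, modelled on the thread, and were not captured from the poster's devices.

```python
import ipaddress
import re

# Constructed sample of FortiGate "diag debug flow" output for two pings from
# GDA to WAW: trace 1 sourced from the WAN IP, trace 2 sourced from the LAN IP.
# Modelled on the messages quoted in the thread, not a real capture.
SAMPLE_FLOW_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.0.201:1->10.3.90.1:2048) from local. type=8, code=0, id=1, seq=0."
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-000001a2"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=681 msg="enter IPsec interface-WAW"
id=20085 trace_id=1 func=esp_output4 line=905 msg="no matching IPsec selector, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.0.90.1:1->10.3.90.1:2048) from local. type=8, code=0, id=1, seq=0."
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=681 msg="enter IPsec interface-WAW"
id=20085 trace_id=2 func=esp_output4 line=905 msg="send to 192.168.0.203 via intf-wan1"
"""

# Assumed phase 2 selectors on GDA, keyed by tunnel name: (local subnet, remote subnet).
# These are an assumption for the example, not the poster's actual configuration.
PHASE2_SELECTORS = {
    "WAW": [("10.0.90.0/24", "10.3.90.0/24")],
    "BYD": [("10.0.90.0/24", "10.1.20.0/24")],
}

TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"\(proto=\d+, ([0-9.]+):\d+->([0-9.]+):\d+\)")
TUNNEL_RE = re.compile(r'msg="enter IPsec interface-([^"]+)"')
MSG_RE = re.compile(r'msg="([^"]*)"')


def parse_flow_trace(text):
    """Group debug-flow lines by trace_id, recording src, dst, tunnel and any drop message."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m.group(1), {"src": None, "dst": None, "tunnel": None, "drop": None})
        pm = PKT_RE.search(line)
        if pm:
            t["src"], t["dst"] = pm.groups()
        tm = TUNNEL_RE.search(line)
        if tm:
            t["tunnel"] = tm.group(1)
        mm = MSG_RE.search(line)
        if mm and mm.group(1).endswith("drop"):
            t["drop"] = mm.group(1)
    return traces


def selector_match(selectors, tunnel, src, dst):
    """True if (src, dst) is covered by at least one phase 2 selector pair on the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in selectors.get(tunnel, []):
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return True
    return False


def diagnose(text, selectors):
    """For each trace, say whether the selectors covered the packet and why it was dropped or sent."""
    report = {}
    for tid, t in parse_flow_trace(text).items():
        if t["src"] is None or t["tunnel"] is None:
            continue  # not enough information in this trace to judge
        covered = selector_match(selectors, t["tunnel"], t["src"], t["dst"])
        if t["drop"] and not covered:
            verdict = f"dropped; {t['src']}->{t['dst']} is outside the phase2 selectors of {t['tunnel']}"
        elif t["drop"]:
            verdict = f"dropped for another reason: {t['drop']}"
        else:
            verdict = "forwarded into the tunnel"
        report[tid] = {"src": t["src"], "dst": t["dst"], "tunnel": t["tunnel"],
                       "covered": covered, "verdict": verdict}
    return report


if __name__ == "__main__":
    for tid, r in diagnose(SAMPLE_FLOW_TRACE, PHASE2_SELECTORS).items():
        print(f"trace {tid}: {r['src']} -> {r['dst']} via {r['tunnel']}: {r['verdict']}")
```

Run with real output by pasting the lines collected between "diag debug flow trace start" and "trace stop" into SAMPLE_FLOW_TRACE and editing PHASE2_SELECTORS to match "diag vpn tunnel list"; a trace whose source address is not inside any local selector points at the ping source (or a policy/route that NATs it) rather than at the tunnel itself, which is what "exec ping-option source" confirms.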
Sebix
New Contributor

Ping from GDA to WAW with source 10.0.90.1

Sebix_0-1647084572728.png

 

I tried to figure it out, and when I add policy rules on WAW

Sebix_0-1647091358128.png


And BYD

Sebix_1-1647091375918.png


Then PING from GDA works fine.
