- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Routing issue over wan
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing issue over wan
Hi all
I am wondering if someone can point me in the right direction here.
I have two Fortigates connected via ipsec vpn.
Site B's internal interface is 192.168.3.0/24 , wifi is 10.1.2.0/24
Site A's internal interface is 192.168.2.0/24
I have setup firewall policies and static routes for these ip ranges to the VPN objects in each Fortigate.
Clients on the internal interfaces can ping / communicate with the other sides internal interface, but clients on the Site B's wifi cannot.
I have also updated the remote subnet address group to include the 10.1.2.0/24 in site A's firewall policy
Would this be because in my vpn tunnel phase 2 I have specified the local and remote ip ranges instead of using 0.0.0.0/0 ?
A tracert from Site B's wifi to Site A's internal will show the first hop as hitting the wifi interface ip at site B , then nothing
Thanks for any assistance
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you specify the both subnet in quick mode selector (you can create 2 phase2) ? you should have:
192.168.2.0/24 - 192.168.3.0/24
192.168.2.0/24 - 10.1.2.0/24
Lucas
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you specify the both subnet in quick mode selector (you can create 2 phase2) ? you should have:
192.168.2.0/24 - 192.168.3.0/24
192.168.2.0/24 - 10.1.2.0/24
Lucas
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lucas
No I didn't, I am guessing this is the cause of my issue.
I am unable to add a second phase 2 selector in the web gui by the looks without redoing the vpn setup.
Am I able to just edit the phase 2 in CLI and change it from specified ip ranges to 0.0.0.0/0 and expect it to behave?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which firmware do you use ?
you can create the second phase2-interface in CLI (config vpn ipsec phase2-interface, and copy your first phase2 configuration)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And you should beable to craft the 2nd phaseintf and bind it to the named phase1. What the previous poster stated is what I find the easiest. use the cli and copy the 1st phase2-cfg, rename it xxxxx-002 and change the appropiate src/dst subnet and paste it in.
Than your diag debug vpn tunnel list name <xyz> will show the additional phase2 statistics.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks all
I edited the phase 2 vpn and used unset , to unset the ip ranges, this took them back to 0.0.0.0/0, and it is now working as expected
Related Posts
- can not config anti-repay in fortigate... 115 Views
- Mobile app for VPN 70 Views
- Disable forticlient on startup 63 Views
- Split Tunnel with SSL VPN and... 107 Views
- BGP Peering - My Fortigate -... 143 Views
Labels
-
FortiGate
6,496 -
FortiClient
1,298 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
NAT
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.