Juquinha
New Contributor

Security Fabric - No response from upstream Fortigate

Hi All!

I'm testing Security Fabric and I'm having some trouble getting it working. I have set up my core and branch FGs to work with Security Fabric through an IPsec tunnel. The interfaces are configured as in many documents on the web, and I see the packets coming from the branch with the IP of the core firewall as destination, on destination port 8013. The thing is that my core firewall does not respond to these packets.

I've searched for troubleshooting commands, but they are few and not that useful.

Additionally: is it REQUIRED to have an IP address on the IPsec interface? Because I do not see why it should be required.

HaTiMuX
New Contributor III

Hi,

Did you run diag debug flow to see why the core FG is not responding?

I don't know which documentation you followed, but here is an example:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/75456/configuring-tunnel-interfaces

I think an IP address is required on the IPsec interface because the FortiGate itself is initiating traffic and it needs an IP on the tunnel interface to be able to communicate.

Juquinha

Hello, Hatimux!

Actually, I did a sniffing analysis and discovered that my branch FG was sending the packets with the WAN IP address as the source address. I added this address to my phase 2 configuration and it didn't succeed.

It only worked when I configured IP addresses on the IPsec interface on both sides, in a lab environment. It seems that yes, it is mandatory. This is a sad thing, because we do not normally use addresses on our IPsec interfaces, as they are not needed for traffic to flow.


Fortinet could handle this by giving an option to change the source address, as we have, for example, for the LDAP or RADIUS server.

neonbit
Valued Contributor

I normally create a loopback interface on the core FGT, create an allow policy from VPN to loopback on the core, then ensure the remote sites have routes to this loopback via the VPN, then have an SDWAN rule on the remote sites to send the loopback traffic via the VPN/SDWAN overlay.

This will still need IP addresses on the IPsec VPNs, but if you're doing dialup VPNs you can use mode-config and have the branch offices get an IP address automatically so you don't have to manage them.
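
A FortiOS CLI rendering of the loopback approach described in the reply above, added here as an illustration; it is not code from the thread or from Fortinet documentation. It assumes FortiOS 6.2 or later (where `allowaccess fabric` exists and the downstream option is still named `upstream-ip`), tunnel interfaces named vpn-branch (core side) and vpn-core (branch side) that already have addresses, the constructed loopback address 10.255.255.1, and a plain static route standing in for the SD-WAN rule.

```fortios
# ---- Core FortiGate (fabric root): loopback is the fabric upstream address ----
config system interface
    edit "lo-fabric"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        # "fabric" is what opens TCP 8013 on this interface (FortiOS 6.2+)
        set allowaccess ping fabric
    next
end
config firewall address
    edit "lo-fabric-host"
        set subnet 10.255.255.1 255.255.255.255
    next
end
config firewall service custom
    edit "CSF-8013"
        set tcp-portrange 8013
    next
end
# Permit only the fabric port from the tunnel to the loopback, not "ALL"
config firewall policy
    edit 0
        set name "branch-to-fabric-lo"
        set srcintf "vpn-branch"
        set dstintf "lo-fabric"
        set srcaddr "all"
        set dstaddr "lo-fabric-host"
        set action accept
        set schedule "always"
        set service "CSF-8013"
    next
end
config system csf
    set status enable
    set group-name "fabric-lab"
    set group-password "<set-a-strong-password>"
end
# ---- Branch FortiGate (downstream): reach the loopback through the tunnel ----
config router static
    edit 0
        set dst 10.255.255.1 255.255.255.255
        set device "vpn-core"
    next
end
config system csf
    set status enable
    set upstream-ip 10.255.255.1
    set group-password "<set-a-strong-password>"
end
```

With this in place, `diagnose sniffer packet any 'port 8013'` on the core should show the branch connecting to 10.255.255.1 rather than to a WAN address, which is what the original post saw going unanswered.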

Juquinha

The thing is that we are not intending to configure IP addresses on the IPsec interfaces of all the equipment we have. We do not use dial-up VPNs, but we would still need to make an effort to configure the interface addresses, and that is something I was trying to avoid.

It is a good idea to have a loopback interface for that. Maybe Fortinet has a reason not to allow this traffic with no addresses. Who knows...
