Fortinet Forum
dave-teoh

Urgent - IPsec VPN between FortiGate 80E and 100D

Dear All Gurus,

I need urgent help. I have a 100D (v6.2.10) in the HQ office. I was able to create site-to-site VPNs to two other site offices, which are using 100Ds as well.

Recently we have added a site office (we call it C) which is using an 80E (v7.0.5). I managed to create and bring up an IPsec tunnel between HQ and C.

From C:

- C FortiGate 80E is able to ping HQ FortiGate 100D
- C server is able to ping the HQ server IP

From HQ:

- HQ FortiGate 100D is able to ping C FortiGate 80E
- HQ server is not able to ping the C server IP.

The IPsec tunnel is already up between the two FortiGate devices, and both devices can ping each other, but the server from HQ cannot access the C network. I have tried opening the entire subnet for access from both sides, but it is still not working. Any idea if I missed any setting? Please help!

1 Solution
kcheng

Hi Dave,

Good day to you. If the respective traffic is meant to go out via the CCECC-M1 IPsec tunnel, then your deduction that the same subnet is used in both tunnels is correct. The traffic from 10.0.100.60 has been forwarded to the Ent-M1 IPsec tunnel due to the conflict:

id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"

You may want to consider changing the IP address scheme on the CCECC site, or configuring NAT between the tunnels to isolate the CCECC-M1 and Ent-M1 IP addresses. Please refer to the following document for the idea of NATting the remote IP:

Cookbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library

Cheers,
Kayzie Cheng

seshuganesh
Staff

Hi Team,

Can you please check if Windows Firewall is enabled on the C server? Maybe that is preventing the connection.

Also, just for testing, can you enable NAT in the VPN-to-LAN firewall policy, then check whether it is pingable or not?

dave-teoh

Thanks for your reply.

I have tried enabling NAT - still cannot.
Both the HQ server's and the C server's firewalls have been turned off. Still cannot.

The strange thing is that I'm able to ping the C server IP from the HQ firewall by running the commands below.

exe ping-options source 10.0.100.1
exe ping 192.168.1.251

PING 192.168.1.251 (192.168.1.251): 56 data bytes
64 bytes from 192.168.1.251: icmp_seq=0 ttl=127 time=4.8 ms
64 bytes from 192.168.1.251: icmp_seq=1 ttl=127 time=5.1 ms
64 bytes from 192.168.1.251: icmp_seq=2 ttl=127 time=4.6 ms
64 bytes from 192.168.1.251: icmp_seq=3 ttl=127 time=4.7 ms
64 bytes from 192.168.1.251: icmp_seq=4 ttl=127 time=4.6 ms

--- 192.168.1.251 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.6/4.7/5.1 ms

But if I use the HQ server IP as the source to ping, the connection fails.

exe ping-options source 10.0.100.60
exe ping 192.168.1.251

PING 192.168.1.251 (192.168.1.251): 56 data bytes
--- 192.168.1.251 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Any clue how I can resolve this? I have been checking on this for a few days.

seshuganesh

Hi Team,

Can you ping from the C FortiGate to the C server? Please check it once.

Also provide me the destination IP address and the output of the following command:

get router info routing-table details (execute this command and share the output with us)

dave-teoh

Hi, yes, I'm able to ping from the C FortiGate to the C server.

IP information for both HQ and C:

HQ WAN IP: 129.126.136.124
HQ FortiGate: 10.0.100.1
HQ Server: 10.0.100.60

C WAN IP: 151.192.57.82
C FortiGate: 192.168.1.254
C Server IP: 192.168.1.251

(From C FortiGate)

# get router info routing-table details

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 151.192.57.81, wan1, [1/0]
S 10.0.100.0/24 [10/0] via CCECC-M1 tunnel 129.126.136.124, [1/0]
C 151.192.57.80/30 is directly connected, wan1
C 192.168.1.0/24 is directly connected, lan

(From HQ FortiGate) - we can see multiple S2S connections here

# get router info routing-table details

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 129.126.136.121, wan1
S 10.0.0.0/24 [10/0] is directly connected, Ent-M1
C 10.0.100.0/24 is directly connected, lan
S 10.212.134.0/24 [10/0] is directly connected, ssl.root
C 129.126.136.120/29 is directly connected, wan1
S 192.168.0.0/24 [10/0] is directly connected, HSL-M1
S 192.168.1.0/24 [10/0] is directly connected, Ent-M1
                              [10/0] is directly connected, CCECC-M1
S 192.168.10.0/24 [10/0] is directly connected, HSL-M1
                              [10/0] is directly connected, CCECC-M1

seshuganesh

Hi Team,

If you are able to ping from the C FortiGate to the C server, then please enable NAT in the VPN-to-LAN rule on the C FortiGate; you should then be able to ping.

It should work.

dave-teoh

Hi Seshuganesh,

I have tried enabling NAT for the VPN-to-LAN policy rule, but it is still not able to ping from the HQ server to the C server.

In my HQ FortiGate, I have multiple S2S VPN connections to other branches. One of the remote subnets is using the same subnet as the C network (192.168.1.0/24). I'm wondering if this can cause a conflict with the VPN connection to the C server?

See the text below in bold.

(From HQ FortiGate) - we can see multiple S2S connections here

# get router info routing-table details

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 129.126.136.121, wan1
C 10.0.100.0/24 is directly connected, lan
C 129.126.136.120/29 is directly connected, wan1
S 192.168.1.0/24 [10/0] is directly connected, Ent-M1
                                    [10/0] is directly connected, CCECC-M1

Rathan_FTNT
Staff

Hello,

Please share the output of the commands below:

(After running the set of commands below, please try to ping the remote site from the local network.)

diag deb reset
diag deb flow filter clear
diag deb flow filter saddr x.x.x.x
diag deb flow filter daddr y.y.y.y
diag debug flow filter proto 1
diag deb flow trace start 200
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diag deb en

After capturing the output, disable the debug with:

diag deb dis

x.x.x.x is the source IP
y.y.y.y is the destination IP

PuTTY 2 (a second session):

diag sniffer packet any " host x.x.x.x and host y.y.y.y " 6 0 a

After capturing the logs, press CTRL+C to stop the debug.

EMEA TAC Engineer
dave-teoh

Hi Rathan,

May I know whether the set of commands needs to be run on the HQ or the C FortiGate?

dave-teoh

Hi Rathan,

I'm running the commands on the HQ FortiGate.

Please see the debug output below. My understanding of the output is that the connection seems to be trying to go out through another VPN tunnel that has a similar remote subnet to the C network.

Is it possible that this is due to a conflict of the same remote subnet for two remote locations? Both remote subnets are using the 192.168.1.0/24 network.

ENTM1-FG100D3G17801676 # id=20085 trace_id=1 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=289."
id=20085 trace_id=1 func=init_ip_session_common line=5834 msg="allocate a new session-00100a6b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=290."
id=20085 trace_id=2 func=init_ip_session_common line=5834 msg="allocate a new session-00100a71"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=2 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=291."
id=20085 trace_id=3 func=init_ip_session_common line=5834 msg="allocate a new session-00100a7a"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=3 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=4 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=292."
id=20085 trace_id=4 func=init_ip_session_common line=5834 msg="allocate a new session-00100a81"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=4 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
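As an added illustration of the route conflict kcheng identified (example code, not from the thread or from Fortinet), the Python below parses the HQ routing table and the debug-flow trace posted above, flags every prefix that is reachable through more than one tunnel interface, and shows that the packet to 192.168.1.251 was routed via Ent-M1 although CCECC-M1 holds an equal-cost route; the sample inputs are constructed from the posted outputs.

```python
import re
import ipaddress
from collections import defaultdict
# Constructed sample inputs, copied from the HQ routing table and debug-flow trace in the thread.
HQ_ROUTING_TABLE = """\
S* 0.0.0.0/0 [10/0] via 129.126.136.121, wan1
S 10.0.0.0/24 [10/0] is directly connected, Ent-M1
C 10.0.100.0/24 is directly connected, lan
S 192.168.1.0/24 [10/0] is directly connected, Ent-M1
                              [10/0] is directly connected, CCECC-M1
S 192.168.10.0/24 [10/0] is directly connected, HSL-M1
                              [10/0] is directly connected, CCECC-M1
"""
FLOW_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=289."
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
"""
def parse_routing_table(text):
    """Map prefix -> set of egress interfaces; a line starting with '[dist/prio]' is an extra next hop for the prefix above it."""
    routes, prefix = defaultdict(set), None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^[A-Z]\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(.*)$', line)
        if m:
            prefix, rest = m.group(1), m.group(2)
        elif prefix and line.startswith('['):
            rest = line
        else:
            continue  # header line such as "Routing table for VRF=0"
        # "via IFACE tunnel GW" (spoke format) or "via GW, IFACE" / "is directly connected, IFACE"
        m = (re.search(r'via (\S+) tunnel', rest)
             or re.search(r'(?:directly connected|via \S+),\s*([^\s,]+)', rest))
        if m:
            routes[prefix].add(m.group(1))
    return routes

def overlapping_prefixes(routes):
    """Prefixes with equal-cost routes through more than one interface: the egress tunnel is ambiguous."""
    return {p: sorted(ifaces) for p, ifaces in routes.items() if len(ifaces) > 1}

def explain_flow(trace, routes):
    """Return (dst, interface chosen by 'find a route', all interfaces holding a route to dst)."""
    dst = egress = None
    for line in trace.splitlines():
        m = re.search(r'->(\d+\.\d+\.\d+\.\d+):\d+\)', line)
        dst = m.group(1) if m else dst
        m = re.search(r'find a route: .*? via (\S+)"', line)
        egress = m.group(1) if m else egress
    # Longest-prefix match over the parsed table gives every candidate egress for dst.
    best = max((p for p in routes if ipaddress.ip_address(dst) in ipaddress.ip_network(p, strict=False)),
               key=lambda p: int(p.split('/')[1]))
    return dst, egress, sorted(routes[best])
```

Running the two functions over the posted outputs reports 192.168.1.0/24 (and 192.168.10.0/24) under two interfaces, and confirms the trace chose Ent-M1 for 192.168.1.251 while CCECC-M1 was an equally valid candidate, which is why a policy lookup for lan to CCECC-M1 never happens.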