Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dave-teoh
New Contributor

Urgent - IPsec VPN between FortiGate 80E and 100D

Dear all gurus,

I need urgent help. I have a 100D (v6.2.10) in the HQ office. I was able to create site-to-site VPNs to two other site offices, which are using 100Ds as well.

Recently we added a site office (we call it C) which is using an 80E (v7.0.5). I managed to create and bring up the IPsec tunnel between HQ and C.

From C:

- C FortiGate 80E able to ping HQ FortiGate 100D
- C server able to ping HQ server IP

From HQ:

- HQ FortiGate 100D able to ping C FortiGate 80E
- HQ server not able to ping C server IP

The IPsec tunnel is already up between the two FortiGate devices, and both devices can ping each other, but the server from HQ cannot access the C network. I have tried opening the entire subnet for access from both sides, but it is still not working. Any idea if I missed any setting? Please help!

 

 

1 Solution
kcheng

Hi Dave,

Good day to you. If the respective traffic is meant to go out via the CCECC-M1 IPsec tunnel, then your direction of the same subnet being used in both tunnels is correct. The traffic from 10.0.100.60 has been forwarded to the Ent-M1 IPsec tunnel due to the conflict:

id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"

You may want to consider changing the IP address scheme on the CCECC site, or configuring NAT between the tunnels to isolate the CCECC-M1 and Ent-M1 IP addresses. Please refer to the following document for the idea of NATing the remote IP:

Cookbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library

Cheers,
Kayzie Cheng

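To see the conflict the answer describes for yourself before touching any configuration, the FortiOS CLI sequence below is an added example, not part of the thread or Fortinet's documentation. It assumes the HQ server is 10.0.100.60 (the address in the quoted trace) and that the site-C server is 192.168.10.20 in a site-C LAN of 192.168.10.0/24; those two site-C values are constructed. The tunnel names CCECC-M1 and Ent-M1 are the ones in the answer.

```fortios
# Added example (not from the thread). Assumed values: HQ server 10.0.100.60
# (from the quoted trace), site-C server 192.168.10.20, site-C LAN
# 192.168.10.0/24. Run on the HQ FortiGate 100D.

# 1. Ask the RIB for the single best route to the site-C server. If the
#    answer names Ent-M1 instead of CCECC-M1, the prefix is reachable via
#    both tunnels and the Ent-M1 route won on distance/priority.
get router info routing-table details 192.168.10.20

# 2. List all routes. Two entries for 192.168.10.0/24 on different tunnel
#    interfaces, or a larger prefix via Ent-M1 that covers it, is the
#    overlap that sends HQ traffic into the wrong tunnel.
get router info routing-table all

# 3. Check the phase 2 selectors of both tunnels. If the destination
#    selector of Ent-M1 also covers 192.168.10.0/24, the same remote range
#    is claimed twice and one side must be renumbered or NATed.
diagnose vpn tunnel list name CCECC-M1
diagnose vpn tunnel list name Ent-M1

# 4. Reproduce the trace quoted in the answer: filter on the HQ server as
#    source and the site-C server as destination, then read the
#    "find a route ... via <tunnel>" line to see which interface is chosen.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.100.60
diagnose debug flow filter daddr 192.168.10.20
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... now run the ping from 10.0.100.60 to 192.168.10.20 ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

Step 1 alone usually settles it: when the route lookup for a site-C address returns a different tunnel interface than the one whose phase 2 selector you expected to match, the problem is routing, not the tunnel, and no amount of widening firewall policies will fix it.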

12 Replies
seshuganesh

Hi Team,

If the destination network of two tunnels is the same, traffic may go through either tunnel based on your routing decisions.

Maybe you need static NAT on the other end of the firewall, so that you can use a different subnet in the local firewall to differentiate the traffic.

Please check and keep us posted.
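Both replies above point at the same fix when renumbering is not an option: have the remote (site-C) FortiGate present its LAN to HQ under a range that does not collide with anything behind Ent-M1. The configuration below is an added example, not configuration from the thread or from Fortinet's cookbook. Everything in it is assumed except the tunnel name CCECC-M1 and the HQ server address 10.0.100.60: site C's real LAN is 192.168.10.0/24 and collides with a range already reached through Ent-M1, HQ's LAN is 10.0.100.0/24, site C's tunnel interface toward HQ is named HQ-VPN with LAN interface "internal", and 172.16.10.0/24 is an unused range chosen as the stand-in for site C. The site-C 80E does all the translation, so the HQ 100D only ever routes 172.16.10.0/24 into CCECC-M1.

```fortios
# ===== Site C (FortiGate 80E), added example, assumed names and ranges =====
# Real LAN 192.168.10.0/24 is presented to HQ as 172.16.10.0/24, 1:1 by host.

# Phase 2 selectors advertise the stand-in range, never the real LAN.
config vpn ipsec phase2-interface
    edit "HQ-VPN"
        set phase1name "HQ-VPN"
        set src-subnet 172.16.10.0 255.255.255.0
        set dst-subnet 10.0.100.0 255.255.255.0
    next
end

config firewall address
    edit "HQ-LAN"
        set subnet 10.0.100.0 255.255.255.0
    next
    edit "C-LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Inbound (HQ -> C): static 1:1 range DNAT, 172.16.10.x -> 192.168.10.x.
# The VIP is bound to the tunnel interface so only VPN traffic is rewritten.
config firewall vip
    edit "C-LAN-as-172.16.10"
        set extintf "HQ-VPN"
        set extip 172.16.10.1-172.16.10.254
        set mappedip "192.168.10.1-192.168.10.254"
    next
end
config firewall policy
    edit 0
        set name "HQ-to-C-via-stand-in"
        set srcintf "HQ-VPN"
        set dstintf "internal"
        set srcaddr "HQ-LAN"
        set dstaddr "C-LAN-as-172.16.10"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Outbound (C -> HQ): source-NAT the real LAN into the stand-in range so the
# source address matches the phase 2 selector. Equal-sized fixed-port-range
# pools give a deterministic 192.168.10.x -> 172.16.10.x mapping.
config firewall ippool
    edit "C-LAN-to-stand-in"
        set type fixed-port-range
        set startip 172.16.10.1
        set endip 172.16.10.254
        set source-startip 192.168.10.1
        set source-endip 192.168.10.254
    next
end
config firewall policy
    edit 0
        set name "C-to-HQ-via-stand-in"
        set srcintf "internal"
        set dstintf "HQ-VPN"
        set srcaddr "C-LAN"
        set dstaddr "HQ-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "C-LAN-to-stand-in"
    next
end

# ===== HQ (FortiGate 100D) =====
# CCECC-M1 now carries only 172.16.10.0/24, which no longer overlaps the
# range routed via Ent-M1, so the route lookup can only pick CCECC-M1.
config vpn ipsec phase2-interface
    edit "CCECC-M1"
        set phase1name "CCECC-M1"
        set src-subnet 10.0.100.0 255.255.255.0
        set dst-subnet 172.16.10.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 172.16.10.0 255.255.255.0
        set device "CCECC-M1"
    next
end
# HQ firewall policies reference 172.16.10.0/24 as the site-C address, and
# HQ hosts reach the site-C server 192.168.10.20 as 172.16.10.20.
```

Two things to check after applying it: the HQ side must not keep its old route or phase 2 selector for the real site-C range, or the overlap simply moves; and anything at site C that publishes its own address to HQ (DNS records, application callbacks) must publish the 172.16.10.x address, since HQ can no longer reach 192.168.10.x through this tunnel. The CLI keywords above are current for FortiOS 6.2 and 7.0, but the thread mixes the two releases, so verify the ippool and vip options against the CLI reference for each device.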

 

dave-teoh

Thanks Seshuganesh,

I resolved this connection issue by changing one of the destination subnets. Thanks, and I appreciate your help!!!