Hello,
I try to ping between two IPsec tunnel IPs, but it does not work.
I have a FGT 101-E with this config:
config system interface
    edit "VPN_W"
        set vdom "root"
        set ip 10.102.0.6 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.102.0.5 255.255.255.255
        set snmp-index 42
        set interface "wan2"
    next
end
and a FGT 60-D with this config:
config system interface
    edit "VPN_N"
        set vdom "root"
        set ip 10.102.0.5 255.255.255.255
        set allowaccess ping https http
        set type tunnel
        set remote-ip 10.102.0.6 255.255.255.255
        set alias "VPN-Verbindung zur N"
        set snmp-index 15
        set interface "wan1"
    next
end
If I try to execute ping 10.102.0.6 on the FGT 60-D or execute ping 10.102.0.5 on the FGT 101-E, it does not work.
Am I correct in the assumption that I do not need any policy, because ping is enabled on the interface?
Thanks
Markus
Markus
--
Fortigate 101E
Fortigate 30E
Those pings go inside the tunnel, therefore the tunnel needs to be up. I don't remember exactly, but I think the tunnel doesn't come up without associating policies on both sides. Is there any reason you need to not have policies to test a new tunnel?
Hello Toshi,
thanks for reply.
I'm looking for a way to check the tunnel without needing systems behind the tunnel endpoints. Ping between the nets behind the tunnel is possible, but I want to ping the IPs of the tunnel interfaces.
Is it possible from the firewall?
Thanks
Markus
Markus
--
Fortigate 101E
Fortigate 30E
Did you add the tunnel IP set for the phase2 net selectors?
Hello Toshi,
thanks for your answer, but I don't know what you mean. Do I need a phase2 for a transfer net between the IPs I've set on the tunnel interfaces? And what should be the local and remote net?
I've changed the remote IP netmask on the tunnel interface to 255.255.255.252. I can see it in the routing table of my firewall; the net is directly connected to the VPN interface. I have a local policy for ping from this interface, but I cannot ping.
What did I miss? Or is it not possible to ping the remote IP?
Thanks
Markus
Markus
--
Fortigate 101E
Fortigate 30E
What did you configure in phase2? Using the default 0/0<->0/0, you don't have to do anything extra and should be able to ping the opposite side. But if you set anything narrower than the default, the set of selectors needs to include 10.102.0.5/32<->10.102.0.6/32.
Routing is not an issue because it's automatically injected into the routing-table.
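As an added illustration of the advice above (example config, not posted by anyone in this thread): a phase2-interface on each side whose selectors are exactly the two tunnel /32s, mirrored. The phase1 names "VPN_W" and "VPN_N" are taken from the tunnel interface names in the original post; the phase2 names and the use of auto-negotiate are assumptions for the example.

```fortios
# --- FGT 101-E (tunnel IP 10.102.0.6, peer 10.102.0.5) ---
config vpn ipsec phase2-interface
    edit "VPN_W_tunnelip"            # assumed name
        set phase1name "VPN_W"       # must match the phase1-interface / tunnel interface
        set auto-negotiate enable    # bring the SA up without waiting for traffic
        set src-subnet 10.102.0.6 255.255.255.255
        set dst-subnet 10.102.0.5 255.255.255.255
    next
end

# --- FGT 60-D (tunnel IP 10.102.0.5, peer 10.102.0.6): the mirror image ---
config vpn ipsec phase2-interface
    edit "VPN_N_tunnelip"            # assumed name
        set phase1name "VPN_N"
        set auto-negotiate enable
        set src-subnet 10.102.0.5 255.255.255.255
        set dst-subnet 10.102.0.6 255.255.255.255
    next
end

# --- verification, run on the FGT 101-E ---
# the phase2 SA and its selectors should be listed as up
diagnose vpn tunnel list name VPN_W
# source the ping from the tunnel IP so it is matched by the /32 selector
execute ping-options source 10.102.0.6
execute ping 10.102.0.5
```

The selectors have to agree on both peers (local on one side equals remote on the other), otherwise phase2 negotiation fails even though phase1 is up. If the phase2 already carries other, narrower selectors for the LAN-to-LAN traffic, add this as an additional phase2 entry rather than widening the existing one.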
Hello Toshi,
thank you for your help. It works with a phase2, of course. I got lost in the problem, so I couldn't see the obvious.
Thanks
Markus
Markus
--
Fortigate 101E
Fortigate 30E
Copyright 2025 Fortinet, Inc. All Rights Reserved.