Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nknit
New Contributor

Can not ping tunnel interface IPs

Hello,

 

i try to ping between 2 ipsec tunnel IPs, but it does not work.

I have a FGT 101-E with these config:

config system interface

edit "VPN_W" set vdom "root" set ip 10.102.0.6 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.102.0.5 255.255.255.255 set snmp-index 42 set interface "wan2" next end

 

and a FGT 60-D with these config:

config system interface

edit "VPN_N" set vdom "root" set ip 10.102.0.5 255.255.255.255 set allowaccess ping https http set type tunnel set remote-ip 10.102.0.6 255.255.255.255 set alias "VPN-Verbindung zur N" set snmp-index 15 set interface "wan1" next end

 

If i try to execute ping 10.102.0.6 an FGT 60-D or execute ping 10.102.0.5 on FGT 101-E, it does not work.

Am i correct in the assumption, that i do not need any policy, because ping is enabled at the interface?

 

Thanks

 

Markus

Markus

--

Fortigate 101E

Fortigate 30E

1 Solution
Toshi_Esumi
Esteemed Contributor II

What did you configur in phase2? Using the default 0/0<->0/0, then you don't have to do anything extra and should be able to ping the opposite side. But if you set anything narrower than the default, you the set of selectors need to include 10.102.0.5/32<->10.102.0.6/32.

Routing is not an issue because it's automatically injected into the routing-table.

View solution in original post

6 REPLIES 6
Toshi_Esumi
Esteemed Contributor II

Those pings go inside the tunnel, therefore the tunnel needs to be up. I don't remember exactly but I think the tunnel doesn't come up without associating policies on both sides. Is there any reason you need not to have policies to test a new tunnel?

nknit

Hello Toshi,

 

thanks for reply.

I'm loking for a way to check the tunnel without the need of systems behind the tunnel endpoints. Ping between the nets behind the tunnel is possible, but i want to ping the IPs of tunnel interfaces.

Is it possible from the firewall?

 

Thanks

 

Markus

Markus

--

Fortigate 101E

Fortigate 30E

Toshi_Esumi
Esteemed Contributor II

Did you add the tunnel IP set for the phase2 net selectors?

nknit

Hello Toshi,

 

thanks for your answer, but I don't know what you mean. Do I need a phase2 for a transfer net between the IPs I've set at the tunnel interfaces? And what should be local and remote net?

I've change at the tunnel interface the remote IP Netmask to 255.255.255.252. I can see it at the routing table of my firewall, the net ist directlyconnected to the VPN Interface. I have a local policy for ping from these interface, but I can not ping.

What did I miss? Or is it not possible to ping the remote-ip?

 

Thanks

 

Markus

Markus

--

Fortigate 101E

Fortigate 30E

Toshi_Esumi
Esteemed Contributor II

What did you configur in phase2? Using the default 0/0<->0/0, then you don't have to do anything extra and should be able to ping the opposite side. But if you set anything narrower than the default, you the set of selectors need to include 10.102.0.5/32<->10.102.0.6/32.

Routing is not an issue because it's automatically injected into the routing-table.

nknit

Hello Toshi,

 

thank you for your help. It works with a phase2, of course. I get lost at the problem, so i cant see the obvious.

 

Thanks

 

Markus

Markus

--

Fortigate 101E

Fortigate 30E