Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
melankadilsara2
New Contributor

Can't ping remote subnet through IPsec VPN

Hi,

 

I'm trying to build a network for my university project. I have a network which looks like below

[network diagram attached as 1.jpg]

I have configured an IPsec tunnel from HQ-FW to BR-FW. I have added the relevant local subnets when configuring the tunnels but I can't seem to ping the local subnet of BR-FW from HQ-FW and vice versa though the tunnel is up.

 

I have configured OSPF between HQ-EDGE and BR-EDGE routers and they have routes for the networks as below

 

HQ-EDGE = 192.168.210.0/28 and 10.10.10.0/24

BR-EDGE = 192.168.230.0/28 and 10.10.10.0/24

 

Could you please tell me what seems to be the issue? Any guidance is very appreciated.

Thanks.

dbu
Staff

Hi @melankadilsara2 ,

I understand that the tunnel is up but you are not able to ping the remote network.

Please verify the OSPF configuration and the configured network prefixes. 

 

Here are some commands to troubleshoot your problem:

get router info routing-table ospf

diagnose vpn ike gateway list

diagnose vpn tunnel list

 

Fortigate - How to add IP addresses and enable OSPF on VPN Tunnel interfaces - YouTube

Technical Tip: OSPF with IPSec VPN for network red... - Fortinet Community

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
Toshi_Esumi
SuperUser

So both HQ-EDGE and BR-EDGE are in the same 10.10.10.0/24 network. Are they connected to each other over that subnet, e.g. HQ-EDGE has 10.10.10.1 and BR-EDGE has 10.10.10.2, so that they can ping each other?

If so, you don't need any IPsec tunnel between those FGTs. You just need to route from/to HQ network to/from BR network.

 

But if you or your instructor know that there is no need for the tunnel, and the tunnel is required just to learn how to set up a tunnel and let OSPF exchange routes between both sides, that's of course doable.

But in that case OSPF has to be set up between the FGTs, not between the two EDGEs. Because the tunnel creates a direct pipe between the FGTs, those EDGEs wouldn't be a factor and would be bypassed for routing between the HQ network and the BR network.

Or probably the setup of your project (intention of the instructor) is different and not showing in the diagram. Likely drawing a proper diagram is a part of your project too.

 

Toshi
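As an added illustration of the point above (this is not configuration from the thread, the poster, or Fortinet documentation), here is a sketch of the HQ-FW side when the tunnel interface carries OSPF directly between the two FortiGates. Everything not in the original post is assumed: the WAN interface wan1, the LAN interface port2, the tunnel name to-BR, the peer address 203.0.113.2, the /30 10.255.255.0/30 used as the tunnel's point-to-point addressing, the pre-shared key placeholder, and the policy IDs. BR-FW is the mirror image with 10.255.255.2 on the tunnel and 192.168.230.0/28 as its LAN. The phase 2 selectors are left at 0.0.0.0/0 on both sides so that the OSPF hellos, not only the two LAN prefixes, are allowed through the tunnel.

```fortios
# HQ-FW (hypothetical names and addresses; BR-FW mirrors this)
config vpn ipsec phase1-interface
    edit "to-BR"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "to-BR-p2"
        set phase1name "to-BR"
        set proposal aes256-sha256
        set auto-negotiate enable
        # 0.0.0.0/0 on both sides: OSPF hellos and every LAN prefix are covered
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config system interface
    edit "to-BR"
        # tunnel interface address; OSPF forms its adjacency across this /30
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.252
        set allowaccess ping
    next
end
config router ospf
    set router-id 10.255.255.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "to-BR"
            set interface "to-BR"
            set network-type point-to-point
            set mtu-ignore enable
        next
    end
    config network
        edit 1
            set prefix 10.255.255.0 255.255.255.252
            set area 0.0.0.0
        next
        edit 2
            set prefix 192.168.210.0 255.255.255.240
            set area 0.0.0.0
        next
    end
end
config firewall policy
    edit 10
        set name "LAN-to-BR"
        set srcintf "port2"
        set dstintf "to-BR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "BR-to-LAN"
        set srcintf "to-BR"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Once both sides are configured, `get router info ospf neighbor` should show BR-FW in state Full on to-BR and `get router info routing-table ospf` should list 192.168.230.0/28 via 10.255.255.2. If the adjacency never forms, the usual suspects are phase 2 selectors narrower than 0.0.0.0/0 (OSPF traffic is not matched and is dropped at the tunnel) or a missing tunnel interface address.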

 

pmudgal
Staff

Hi,

 

Thank you for posting your query on the forum.

 

In order to isolate the issue, kindly share the routing table for the destinations on both the FGTs respectively.

#get router info routing-table details

Then collect a sniffer capture on the source FGT and the destination FGT in order to understand the flow; refer to the document below:

REF: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

 

Also, when you ping from the FGT itself, make sure you set the ping-options "source" IP to an address that is part of the IPsec phase 2 subnets.

REF: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Not-able-to-ping-the-Ipsec-VPN-remot...

 

Let us know if you need further support.

 

Best Regards,

Piyush
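The two checks in the reply above (does the route for the destination actually point at the tunnel, and does the ping's source/destination pair fall inside a phase 2 selector) can be worked through offline against the routing-table output. The Python below is an added example, not code from the thread or from Fortinet: it parses a constructed sample of `get router info routing-table all` output, does a longest-prefix-match lookup, and then applies the selector rule. The sample table, the tunnel name to-BR, the tunnel address 10.255.255.1, the default gateway 203.0.113.1 and the phase 2 selector list are all assumptions; the LAN prefixes are the ones from the original post.

```python
import ipaddress
import re

# Constructed sample of "get router info routing-table all" on HQ-FW.
# Not captured from the poster's device: the LAN prefixes come from the post,
# the tunnel "to-BR", its /30 and the default gateway are assumptions.
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       10.10.10.0/24 is directly connected, port1
C       10.255.255.0/30 is directly connected, to-BR
C       192.168.210.0/28 is directly connected, port2
O       192.168.230.0/28 [110/2] via 10.255.255.2, to-BR, 00:01:20
"""

# Phase 2 selectors assumed on the tunnel (the post does not list them):
# (local subnet, remote subnet) pairs.
PHASE2_SELECTORS = [
    (ipaddress.ip_network("192.168.210.0/28"), ipaddress.ip_network("192.168.230.0/28")),
]

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]+\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),\s*|is directly connected,\s*)"
    r"(?P<intf>[\w.-]+)"
)


def parse_routing_table(text):
    """Return one dict per route line; header and code-legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({
                "code": m.group("code"),
                "prefix": ipaddress.ip_network(m.group("prefix")),
                "gw": m.group("gw"),
                "intf": m.group("intf"),
            })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the same choice the FortiGate kernel makes."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["prefix"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["prefix"].prefixlen)


def selector_matches(selectors, src, dst):
    """A route-based tunnel only encrypts packets that hit some phase 2 selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


def diagnose_ping(routes, selectors, tunnel_intf, src, dst):
    """Predict what happens to a ping from src to dst sent by this FortiGate."""
    route = lookup(routes, dst)
    if route is None:
        return {"status": "no-route", "intf": None}
    if route["intf"] != tunnel_intf:
        # Routed somewhere else (typically the default route): fix routing first.
        return {"status": "not-tunnel", "intf": route["intf"]}
    if not selector_matches(selectors, src, dst):
        # Reaches the tunnel interface but no SA covers it: silently dropped.
        return {"status": "selector-miss", "intf": route["intf"]}
    return {"status": "ok", "intf": route["intf"]}


if __name__ == "__main__":
    routes = parse_routing_table(SAMPLE_ROUTING_TABLE)
    # "execute ping 192.168.230.2" with no source set uses the egress interface
    # address (the tunnel's 10.255.255.1), which is outside the selectors.
    print(diagnose_ping(routes, PHASE2_SELECTORS, "to-BR", "10.255.255.1", "192.168.230.2"))
    # After "execute ping-options source 192.168.210.1" the pair is covered.
    print(diagnose_ping(routes, PHASE2_SELECTORS, "to-BR", "192.168.210.1", "192.168.230.2"))
```

The selector-miss case is exactly the trap the reply warns about: the tunnel is up, the route is correct, and the ping still gets no answer because the FortiGate sourced it from an address no phase 2 selector covers.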

hbac
Staff

Hi @melankadilsara2,

 

Please run debug flow by following this article and try to ping again: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 192.168.3.1             <<< Destination IP
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Run 'di deb dis' to disable the debug. 

 

Regards, 
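The debug flow output above is easiest to read if each trace_id is reduced to three facts: which interface the packet came in on, which interface the route lookup chose, and whether a forward policy accepted it before it entered the IPsec interface. The Python below is an added example, not from the thread or from Fortinet, that does that over a constructed sample modelled on the `diagnose debug flow` message format (the sample lines are made up, not captured from the poster's devices; the tunnel name to-BR, policy ID 10, the session IDs and the gateway addresses are assumptions, and the LAN addresses follow the original post). For the poster's setup the `di deb flow filter addr` value would be the branch host being pinged rather than the 192.168.3.1 used in the reply.

```python
import re
from collections import OrderedDict

# Constructed sample "diagnose debug flow" output (NOT a real capture), with
# three traces: no firewall policy, success, and a packet that misses the
# tunnel route and falls through to the default route.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 192.168.210.2:1->192.168.230.2:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5911 msg="allocate a new session-0000012a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.255.255.2 via to-BR"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 192.168.210.2:1->192.168.230.2:2048) from port2. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5911 msg="allocate a new session-0000012b"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.255.255.2 via to-BR"
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Allowed by Policy-10:"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=790 msg="enter IPSec interface-to-BR, tun_id=203.0.113.2"
id=20085 trace_id=3 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 192.168.210.2:1->192.168.230.3:2048) from port2. type=8, code=0, id=1, seq=3."
id=20085 trace_id=3 func=init_ip_session_common line=5911 msg="allocate a new session-0000012c"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2591 msg="find a route: flag=00000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=3 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=\S+\s+line=\d+\s+msg="(?P<msg>.*)"')
PKT_RE = re.compile(r"received a packet\(proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<intf>[\w.-]+)\.")
ROUTE_RE = re.compile(r"find a route: flag=\w+ gw-(?P<gw>[\d.]+) via (?P<intf>[\w.-]+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pol>\d+)\)")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<pol>\d+)")
IPSEC_RE = re.compile(r"enter IPSec interface-(?P<intf>[\w.-]+)", re.IGNORECASE)


def _new_trace():
    return {"src": None, "dst": None, "in_intf": None, "out_intf": None,
            "policy": None, "verdict": "incomplete", "tunnel": None}


def summarize_debug_flow(text):
    """Group debug-flow lines by trace_id and pull out the facts that matter."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m.group("tid"), _new_trace())
        msg = m.group("msg")
        pm, rm = PKT_RE.search(msg), ROUTE_RE.search(msg)
        dm, am, im = DENY_RE.search(msg), ALLOW_RE.search(msg), IPSEC_RE.search(msg)
        if pm:
            t["src"], t["dst"], t["in_intf"] = pm.group("src"), pm.group("dst"), pm.group("intf")
        elif rm:
            t["out_intf"] = rm.group("intf")
        elif dm:
            t["verdict"], t["policy"] = "denied", dm.group("pol")
        elif am:
            t["verdict"], t["policy"] = "allowed", am.group("pol")
        elif im:
            t["tunnel"] = im.group("intf")
    return traces


def classify(trace, tunnel_intf):
    """Map one trace to the conclusion an engineer would draw from it."""
    if trace["out_intf"] is None:
        return "no-route"            # route lookup never happened or failed
    if trace["out_intf"] != tunnel_intf:
        return "wrong-egress"        # routing, not the VPN, is the problem
    if trace["verdict"] == "denied":
        return "no-policy"           # add a policy from in_intf to the tunnel
    if trace["verdict"] == "allowed" and trace["tunnel"] == tunnel_intf:
        return "ok"                  # encapsulated; look at the far side next
    return "not-encapsulated"        # allowed but never entered IPsec: check phase 2


if __name__ == "__main__":
    for tid, tr in summarize_debug_flow(SAMPLE_DEBUG_FLOW).items():
        print(tid, tr["src"], "->", tr["dst"], tr["in_intf"], "->", tr["out_intf"], classify(tr, "to-BR"))
```

Trace 3 is the signature of the original problem in this thread: the packet is routed out the WAN interface instead of the tunnel, so no amount of VPN debugging will help until the FortiGate itself holds a route for the remote LAN via the tunnel interface.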
