Hi,
I'm trying to build a network for my university project. I have a network which looks like below
I have configured an IPsec tunnel from HQ-FW to BR-FW. I have added the relevant local subnets when configuring the tunnels but I can't seem to ping the local subnet of BR-FW from HQ-FW and vice versa though the tunnel is up.
I have configured OSPF between HQ-EDGE and BR-EDGE routers and they have routes for the networks as below
HQ-EDGE = 192.168.210.0/28 and 10.10.10.0/24
BR-EDGE = 192.168.230.0/28 and 10.10.10.0/24
Could you please tell me what seems to be the issue? Any guidance is very appreciated.
Thanks.
Hi @melankadilsara2 ,
I understand that tunnel is up but you are not able to ping the remote network.
Please verify the OSPF configuration and the configured network prefixes.
Here are some commands to troubleshoot your problem:
get router info routing-table ospf
diagnose vpn ike gateway list
diagnose vpn tunnel list
Fortigate - How to add IP addresses and enable OSPF on VPN Tunnel interfaces - YouTube
Technical Tip: OSPF with IPSec VPN for network red... - Fortinet Community
So both HQ-EDGE and BR-EDGE are in the same 10.10.10.0/24 network. Are they connected to each other over that subnet, e.g. HQ-EDGE has 10.10.10.1 and BR-EDGE has 10.10.10.2, so they can ping each other?
If so, you don't need any IPsec tunnel between those FGTs. You just need to route from/to HQ network to/from BR network.
But if you or your instructor knows that the tunnel isn't actually needed, and it is required just to learn how to set up the tunnel and let OSPF exchange routes between both sides, that's of course doable.
But in that case OSPF has to be set up between the FGTs, not between the two EDGEs. Because the tunnel creates a direct pipe between the FGTs, those EDGEs wouldn't be a factor (they would be bypassed) for routing between the HQ network and the BR network.
Or probably the setup of your project (intention of the instructor) is different and not showing in the diagram. Likely drawing a proper diagram is a part of your project too.
Toshi
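As an added illustration of the point above (not configuration from the thread or from Fortinet), here is what running OSPF between the two FortiGates over the IPsec tunnel interface looks like in FortiOS CLI on the HQ side. The tunnel interface name "to-BR", the tunnel IPs 10.255.0.1/10.255.0.2, the LAN interface name "internal" and the router-id are assumptions; the LAN prefixes are the ones from the question. The BR side mirrors this with its own addresses.

```text
# --- HQ-FW (assumed names and tunnel IPs) ---
# 1. Give the IPsec tunnel interface an IP so OSPF can form an adjacency over it
config system interface
    edit "to-BR"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.252
    next
end

# 2. Run OSPF on the tunnel and advertise the HQ LAN (192.168.210.0/28)
config router ospf
    set router-id 10.255.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "to-BR-ospf"
            set interface "to-BR"
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 10.255.0.0 255.255.255.252
        next
        edit 2
            set prefix 192.168.210.0 255.255.255.240
        next
    end
end

# 3. Firewall policies in both directions; without them the tunnel can be
#    up and routes present, yet pings are still dropped
config firewall policy
    edit 0
        set name "HQ-to-BR"
        set srcintf "internal"
        set dstintf "to-BR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "BR-to-HQ"
        set srcintf "to-BR"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 4. Verify: the neighbor should be FULL and the BR prefix learned via OSPF
get router info ospf neighbor
get router info routing-table ospf
```

Phase 2 selectors on both sides must cover the tunnel /30 as well as the LAN prefixes (or be 0.0.0.0/0), otherwise OSPF hellos and the LAN-to-LAN traffic are not matched into the tunnel.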
Hi,
Thank you for posting your query on the forum.
In order to isolate the issue, kindly share the routing table for the destinations on both the FGTs respectively.
#get router info routing-table details
Then collect the sniffer on source FGT and destination FGT in order to understand the flow, refer below document:
REF: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
Also, when you ping from the FGT, make sure you set the ping-options "source" IP to an address that is part of the IPsec phase 2 subnets.
Let us know if you need further support.
Best Regards,
Piyush
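As an added example (not from the reply above), this is how the ping source is set on the FortiGate CLI so the test traffic matches the phase 2 selectors instead of leaving from the tunnel or WAN address. 192.168.210.1 is assumed to be the HQ-FW LAN address and 192.168.230.1 the BR-FW LAN address.

```text
# Source the ping from the HQ LAN address, which lies inside the phase 2 selector
execute ping-options source 192.168.210.1
execute ping-options view-settings
execute ping 192.168.230.1

# Reset so later pings use the default (egress interface) source again
execute ping-options reset
```

If the ping works with the LAN source but not without it, the tunnel and routing are fine and the default source address simply isn't covered by the selectors.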
Hi @melankadilsara2,
Please run debug flow by following this article and try to ping again: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 192.168.3.1 <<< Destination IP
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Run 'di deb dis' to disable the debug.
Regards,
Copyright 2024 Fortinet, Inc. All Rights Reserved.