Support Forum
ThomasP84
New Contributor II

Cannot ping remote devices behind their gateway

Hi there,

 

I have a FG60F on which I've setup a custom IPsec VPN to our main office that has a SonicWall NSA2600.

The VPN is working / up. I can ping the remote LAN gateway address, but nothing behind that. Both directions are affected.


Here some details:

 

FG60F (Remote site, behind NAT)

Firmware: 6.4.11, updated from 6.4.10 (but didn't help)

LAN1: 192.168.40.1/24

PC1: 192.168.40.2/24

 

Static route

config router static
edit 2
set dst 10.13.25.0 255.255.255.0
set device "xxxx"
next
end

 

Firewall policies

config firewall policy
    edit 10
        set name "VPN > Local"
        set uuid d42029c4-9d8b-51ed-fd1d-a746d24d2fa5
        set srcintf "VPN interface"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "Local > VPN"
        set uuid 0e55778e-9d8c-51ed-5a53-1db42ef0823c
        set srcintf "internal"
        set dstintf "VPN interface"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

SonicWall (Main office, behind NAT)

LAN1: 10.13.25.1/24

PC1: 10.13.25.103/24

 

I've set up the IPsec profile, then created the static route (on the FG) and finally the firewall policies.

 

Ping from Main office PC1 (10.13.25.103) to remote site LAN1 (192.168.40.1) is ok.

Ping from Main office PC1 (10.13.25.103) to remote site PC1 (192.168.40.2) is not working.

 

and vice versa

 

Ping from remote site PC1 (192.168.40.2) to Main office LAN1 (10.13.25.1) is ok.

Ping from remote site PC1 (192.168.40.2) to Main office PC1 (10.13.25.103) is not working.

 

On SonicWall the firewall policies are created automatically when the IPsec profile is enabled.

 

We have a FG40F in the field (without that issue), whose config I've compared to the FG60F config, but I could not find any difference. Maybe I've spent too much time on solving that issue on my own and I am blind to the difference.

I think it must only be a little config step I've missed.

A second FG60F I've configured the same way as the first one has the same issue, so it must be a config thing.

 

I am not sure if I have provided enough details. If not, just reply with what you need.

 

Thanks for any support on that issue.

1 Solution
ThomasP84
New Contributor II

Thanks for that hint. I enabled the NAT like you mentioned. Then ping from office to remote network was possible.

For the other direction (remote > office) I had to create a NAT policy on the SonicWall (office device).

 

I am very spoiled from years of configuring SonicWall VPNs. Most of the required policies for a VPN are created automatically. Now on the FortiGate I have to do it all on my own.

 

Thank you!

adambomb1219
Contributor III

What is the gateway for PC1? Is it the SonicWall? A layer 3 switch? Something else? Sounds like a route for Main 10.13.25.X is missing from the remote site somewhere.

ThomasP84

Yes, the SonicWall is the gateway for PC1.

In the end it was a missing NAT configuration.

 

Thanks anyway for your quick reply :)

akristof
Staff

Hello,

A quick packet capture on the FortiGate should tell what is going on. Maybe try enabling NAT on the policy VPN>LAN, just in case the default gw is another device.

Adrian

sw2090
Honored Contributor

Basically I'd say it was a missing routing issue. The PC has the SonicWall as default gw, so the SonicWall has to have a route back to your VPN or you will not get a ping reply, because it would hit the default route on the SonicWall.

Enabling NAT is a workaround for this because packets hit the PC (and the SonicWall) no longer with your VPN client IP but with a NAT IP, and replies are NATed back then.

The other way would be to have a static route to your VPN client on that PC (which would only make sense if that's site-to-site or dialup with mode config).

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
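Added example, not from any post in this thread: the FortiGate-side check akristof suggests and the policy change ThomasP84 applied, written out as FortiOS 6.4 CLI. The policy number, the addresses and the direction (office PC 10.13.25.103 pinging remote PC 192.168.40.2) are taken from the thread; the matching NAT policy on the SonicWall is not shown.

```fortios
# 1. Confirm the FG60F itself sends the office subnet into the tunnel
#    (expected: the static route for 10.13.25.0/24 via the VPN interface)
get router info routing-table details 10.13.25.103

# 2. Trace the echo request and reply through the FortiGate while the
#    office PC pings 192.168.40.2. If the request is forwarded to the LAN
#    but no reply ever arrives on "internal", the remote PC is sending its
#    reply to another gateway (the case akristof and sw2090 describe).
diagnose debug reset
diagnose debug flow filter addr 10.13.25.103
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... run the ping from the office PC, then stop tracing
diagnose debug disable
diagnose debug reset

# Alternative: raw capture of the same ICMP on all interfaces
# (verbosity 4 shows the interface each packet is seen on)
diagnose sniffer packet any 'host 10.13.25.103 and icmp' 4 0 l

# 3. Workaround from the accepted solution: source NAT on the VPN > Local
#    policy, so the remote PC sees 192.168.40.1 as the sender and replies
#    on-link to the FortiGate, which reverses the NAT and sends it back
#    through the tunnel. The route-based fix sw2090 describes (a return
#    route on the far gateway) avoids the NAT but is configured on the
#    SonicWall, not here.
config firewall policy
    edit 10
        set nat enable
    next
end
```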

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Labels
Top Kudoed Authors