I have a FG60F on which I've setup a custom IPsec VPN to our main office that has a SonicWall NSA2600.
The VPN is working / up. I can ping the remote LAN gateway address, but nothing behind that. Both directions are affected.
Here are some details:
FG60F (Remote site, behind NAT)
Firmware: 6.4.11, updated from 6.4.10 (but didn't help)
    config router static
        edit 2
            set dst 10.13.25.0 255.255.255.0
            set device "xxxx"
        next
    end

    config firewall policy
        edit 10
            set name "VPN > Local"
            set uuid d42029c4-9d8b-51ed-fd1d-a746d24d2fa5
            set srcintf "VPN interface"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 11
            set name "Local > VPN"
            set uuid 0e55778e-9d8c-51ed-5a53-1db42ef0823c
            set srcintf "internal"
            set dstintf "VPN interface"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
SonicWall (Main office, behind NAT)
I've set up the IPsec profile, then created the static route (on the FG) and finally the firewall policies.
Ping from Main office PC1 (10.13.25.103) to remote site LAN1 (192.168.40.1) is ok.
Ping from Main office PC1 (10.13.25.103) to remote site PC1 (192.168.40.2) is not working.
and vice versa
Ping from remote site PC1 (192.168.40.2) to Main office LAN1 (10.13.25.1) is ok.
Ping from remote site PC1 (192.168.40.2) to Main office PC1 (10.13.25.103) is not working.
On SonicWall the firewall policies are created automatically when the IPsec profile is enabled.
We have a FG40F in the field (without that issue), whose config I've compared to the FG60F config, but I could not find any difference. Maybe I've spent too much time on solving that issue on my own and I am blind to the difference.
I think it must only be a little config step I've missed.
A second FG60F I've configured the same way as the first one has the same issue, so it must be a config thing.
I am not sure if I have provided enough details. If not, just reply with what you need.
Basically I'd say it was a missing routing issue. The PC has the SonicWall as default gw, so the SonicWall has to have a route back to your VPN or you will not get a ping reply, because it would hit the default route on the SonicWall.
Enabling NAT is a workaround for this because packets hit the PC (and the SonicWall) no longer with your VPN client IP but with a NAT IP, and replies are NATed back then.
The other way would be to have a static route to your VPN client on that PC (which would only make sense if that's site2site or dialup with mode config).
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
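One way to confirm the reply's diagnosis from the FortiGate side is to watch whether ICMP echo requests leave through the tunnel and whether any replies come back. The following diagnostic session is an added example, not part of the original posts; it uses the addresses from the thread and assumes the tunnel is the route-based interface named "VPN interface" in the policies above.

```fortios
# 1. Check that the main-office subnet is routed into the tunnel, not the default route.
#    Expect a static (S) entry for 10.13.25.0/24 pointing at the VPN interface.
get router info routing-table all

# 2. Check that phase 2 is up and its selectors cover 192.168.40.0/24 <-> 10.13.25.0/24.
#    A tunnel that only negotiated the gateway addresses would explain "gateway pings, hosts don't".
diagnose vpn tunnel list

# 3. Sniff the flow while remote PC1 (192.168.40.2) pings main-office PC1 (10.13.25.103).
#    Verbose level 4 prints the interface each packet is seen on.
#    - requests seen on "internal" and on the VPN interface, but no echo replies: the far side
#      is dropping or misrouting the return traffic (the missing return route the reply describes)
#    - requests seen on "internal" only: routing or policy on the FortiGate itself
diagnose sniffer packet any 'icmp and host 10.13.25.103' 4 0 l

# 4. Optionally trace the FortiGate's own forwarding decision for that flow (proto 1 = ICMP).
diagnose debug flow filter addr 10.13.25.103
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable
# ... run the ping from 192.168.40.2 now ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

Run the same ping in the other direction (10.13.25.103 to 192.168.40.2) with the sniffer filter swapped to `host 192.168.40.2` to see whether requests arrive over the tunnel at all.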