Cannot ping remote devices behind their gateway
Hi there,
I have a FG60F on which I've set up a custom IPsec VPN to our main office, which has a SonicWall NSA2600.
The VPN is working / up. I can ping the remote LAN gateway address, but nothing behind it. Both directions are affected.
Here are some details:
FG60F (Remote site, behind NAT)
Firmware: 6.4.11, updated from 6.4.10 (but didn't help)
LAN1: 192.168.40.1/24
PC1: 192.168.40.2/24
Static route
    config router static
        edit 2
            # office LAN reached through the IPsec tunnel interface
            set dst 10.13.25.0 255.255.255.0
            set device "xxxx"
        next
    end
Firewall policies
    config firewall policy
        edit 10
            set name "VPN > Local"
            set uuid d42029c4-9d8b-51ed-fd1d-a746d24d2fa5
            set srcintf "VPN interface"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 11
            set name "Local > VPN"
            set uuid 0e55778e-9d8c-51ed-5a53-1db42ef0823c
            set srcintf "internal"
            set dstintf "VPN interface"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
SonicWall (Main office, behind NAT)
LAN1: 10.13.25.1/24
PC1: 10.13.25.103/24
I've set up the IPsec profile, then created the static route (on the FG) and finally the firewall policies.
Ping from Main office PC1 (10.13.25.103) to remote site LAN1 (192.168.40.1) is ok.
Ping from Main office PC1 (10.13.25.103) to remote site PC1 (192.168.40.2) is not working.
and vice versa
Ping from remote site PC1 (192.168.40.2) to Main office LAN1 (10.13.25.1) is ok.
Ping from remote site PC1 (192.168.40.2) to Main office PC1 (10.13.25.103) is not working.
On SonicWall the firewall policies are created automatically when the IPsec profile is enabled.
We have a FG40F in the field (without that issue), whose config I've compared to the FG60F config, but I could not find any difference. Maybe I've spent too much time solving that issue on my own and I am blind to the difference.
I think it must only be a little config step I've missed.
A second FG60F I've configured the same way as the first one has the same issue, so it must be a config thing.
I am not sure if I have provided enough details. If so, just reply with what you need.
Thanks for any support on that issue.
What is the gateway for PC1? Is it the SonicWall? A layer3 switch? Something else? Sounds like a route for Main 10.13.25.X is missing from the remote site somewhere.
Yes, the SonicWall is the gateway for PC1.
In the end it was a missing NAT configuration.
Thanks anyway for your quick reply :)
Hello,
A quick packet capture on the FortiGate should tell what is going on. Maybe try enabling NAT on the policy VPN>LAN, just in case the default gw is another device.
Thanks for that hint. I enabled NAT as you mentioned. Then ping from the office to the remote network was possible.
For the other direction (remote > office) I had to create a NAT policy on the SonicWall (office device).
I am very spoiled from years of configuring SonicWall VPNs. Most of the required policies for VPN are created automatically. Now on the FortiGate I have to do it all on my own.
Thank you!
Basically I'd say it was a missing route. The PC has the SonicWall as default gw, so the SonicWall has to have a route back to your VPN or you will not get a ping reply, because it would hit the default route on the SonicWall.
Enabling NAT is a workaround for this because packets hit the PC (and the SonicWall) no longer with your VPN client IP but with a NAT IP, and replies are NATed back then.
The other way would be to have a static route to your VPN client on that PC (which would only make sense if that's site-to-site or dialup with mode config).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
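The two replies above (enable NAT on the VPN>LAN policy, or give the LAN host's default gateway a route back to the peer subnet) describe the same asymmetric-routing failure from two angles. The following is an added example, not code from anyone in this thread: a small Python simulation with longest-prefix-match forwarding that traces the ICMP echo reply from the remote PC back toward the office PC. The topology addresses mirror the thread; the second gateway 192.168.40.254 ("OtherGW") is a hypothetical device standing in for "default gw is another device", and all route tables are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the thread (example values, not taken from a live device).
REMOTE_LAN = "192.168.40.0/24"   # FortiGate "internal" side
OFFICE_LAN = "10.13.25.0/24"     # SonicWall side, reached through the IPsec tunnel
FG_LAN_IP = "192.168.40.1"       # FortiGate LAN address (also the SNAT address when NAT is on)
OTHER_GW_IP = "192.168.40.254"   # hypothetical second router used as the PC's default gateway
OFFICE_PC = "10.13.25.103"
REMOTE_PC = "192.168.40.2"
DEFAULT = "0.0.0.0/0"


class Node:
    """Minimal IP forwarder doing longest-prefix match over (prefix, next_hop) entries.
    next_hop is 'connected', 'vpn', 'wan', or the IP of a gateway on the LAN."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        d = ip_address(dst)
        hits = [(n, nh) for n, nh in self.routes if d in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def build_site(pc_default_gw, other_gw_has_office_route):
    """Remote-site devices. The FortiGate always knows the office LAN via the tunnel
    (the static route in the thread); the hypothetical other gateway only knows it
    if a return route pointing at the FortiGate was added."""
    other_routes = [(REMOTE_LAN, "connected"), (DEFAULT, "wan")]
    if other_gw_has_office_route:
        other_routes.insert(0, (OFFICE_LAN, FG_LAN_IP))
    nodes = {
        "FortiGate": Node("FortiGate", [(REMOTE_LAN, "connected"), (OFFICE_LAN, "vpn"), (DEFAULT, "wan")]),
        "OtherGW": Node("OtherGW", other_routes),
        "RemotePC": Node("RemotePC", [(REMOTE_LAN, "connected"), (DEFAULT, pc_default_gw)]),
    }
    by_ip = {FG_LAN_IP: "FortiGate", OTHER_GW_IP: "OtherGW"}
    return nodes, by_ip


def forward(nodes, by_ip, start, dst, path):
    """Follow next hops until the packet is delivered on-link or into the tunnel
    ('connected'/'vpn') or is lost to the default route ('wan') or has no route."""
    name = start
    for _ in range(8):  # loop guard
        hop = nodes[name].next_hop(dst)
        path.append(f"{name}: {dst} -> {hop}")
        if hop in ("connected", "vpn"):
            return True
        if hop in ("wan", None):
            return False
        name = by_ip[hop]  # hand the packet to the gateway that owns that address
    return False


def echo_reply_returns(pc_default_gw, nat_on_vpn_policy, other_gw_has_office_route=False):
    """Trace the reply to an ICMP echo sent from OFFICE_PC to REMOTE_PC through the tunnel.
    Returns (reply_reaches_office, path)."""
    nodes, by_ip = build_site(pc_default_gw, other_gw_has_office_route)
    path = []
    # With NAT on the FortiGate's VPN>Local policy the PC sees the FortiGate's LAN IP as source.
    src_seen = FG_LAN_IP if nat_on_vpn_policy else OFFICE_PC
    path.append(f"request arrives via tunnel, PC sees source {src_seen}")
    delivered = forward(nodes, by_ip, "RemotePC", src_seen, path)
    if not delivered:
        return False, path
    if nat_on_vpn_policy:
        # The reply landed on the FortiGate's own LAN address ('connected'); it reverses
        # the NAT and routes the real office source into the tunnel.
        path.append("FortiGate reverses NAT")
        delivered = forward(nodes, by_ip, "FortiGate", OFFICE_PC, path)
    return delivered, path


if __name__ == "__main__":
    scenarios = [
        ("PC gw = FortiGate, no NAT", FG_LAN_IP, False, False),
        ("PC gw = other router, no NAT", OTHER_GW_IP, False, False),
        ("PC gw = other router, NAT on VPN>Local", OTHER_GW_IP, True, False),
        ("PC gw = other router, return route added", OTHER_GW_IP, False, True),
    ]
    for label, gw, nat, route in scenarios:
        ok, path = echo_reply_returns(gw, nat, route)
        print(f"{label}: {'reply returns' if ok else 'reply LOST'}")
        for step in path:
            print("   ", step)
```

The second scenario is the failure the thread describes: the reply is handed to a gateway that only has a default route, so it leaves toward the WAN and never re-enters the tunnel. NAT fixes it by making the reply's destination an on-link address of the FortiGate; the return route fixes it by teaching the gateway where 10.13.25.0/24 lives. Either way, the check to make on a real FortiGate is the one the second reply suggests: a packet capture on the internal interface showing the echo request leaving and no echo reply coming back.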
