BensonLEI
Contributor

Default route to GCP Site-to-Site IPsec VPN Tunnel failed

Hi, guys,

I am using a FortiGate 60E with FortiOS v7.0.1, and a Site-to-Site IPsec VPN tunnel is formed with the GCP gateway.

My idea:

1. I want some LAN users to access the internet through the GCP network (a host in a GCP subnet, acting as the LAN gateway, 10.192.10.254/32);

2. The specified LAN subnet (10.10.1.0/24) has its default route (configured in the FortiGate 60E) pointed to the GCP network ( host with GCP

3. The policy route in the FortiGate 60E:

     10.10.1.0/24 (source) --> 0.0.0.0/0 ---> 10.192.10.254 (next hop) ---> Internet

4. The security policy is set to allow all traffic to GCP.

5. 10.192.10.254 is a host in GCP, and NAT and forwarding of network traffic to the internet have been configured and work.

Problem found, as below:

id=20085 trace_id=5619 func=ipsecdev_hard_start_xmit line=634 msg="enter IPSec interface Remote-GCP-VPN"
id=20085 trace_id=5619 func=_do_ipsecdev_hard_start_xmit line=238 msg="output to IPSec tunnel Remote-GCP-VPN"
id=20085 trace_id=5619 func=ipsec_common_output4 line=870 msg="No matching IPsec selector, drop"

GCP issue? Please advise and give recommendations.

abarushka
Staff

Hello,

The log message indicates that the traffic is not matching the IP selectors configured on the FortiGate side. Please make sure that the correct IP selectors are configured under the IPsec phase 2 selectors. Please find the attached file phase2.JPG.
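As an added illustration (not from the thread or from Fortinet), phase 2 selectors wide enough for the setup described above, where the LAN subnet 10.10.1.0/24 is meant to reach any internet destination through the tunnel. The phase 1 name is taken from the trace; the phase 2 name "GCP-P2" is a placeholder, and the GCP side must accept the same selectors for the SA to come up.

```fortios
# Added example, not the poster's configuration.
# Phase 2 selectors must cover both ends of every packet sent into the tunnel;
# with a default route pointing at the tunnel, the destination side is any address.
config vpn ipsec phase2-interface
    edit "GCP-P2"
        set phase1name "Remote-GCP-VPN"
        # Local side: the LAN subnet that should reach the internet via GCP
        set src-addr-type subnet
        set src-subnet 10.10.1.0 255.255.255.0
        # Remote side: any destination. A narrower selector (for example only the
        # GCP VPC range) produces "No matching IPsec selector, drop" for
        # internet-bound packets such as those in the trace above.
        set dst-addr-type subnet
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
```

After the change, `diagnose vpn tunnel list name Remote-GCP-VPN` shows the negotiated selectors for each phase 2 SA, so you can confirm the destination side really is 0.0.0.0/0 before re-running the debug flow.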
