FortiGate doesn't see a domain controller over IPSec VPN

FG_User_24 · ‎12-23-2024

Hi Fortinet Community,

There are two sites (on-prem and Azure) interconnected via IPSec VPN tunnel.

Each site has one domain controller.

Remote users when connect to on-prem get authenticated against the on-prem domain controller.

The future plan is decommission on-prem infrastructure.

However, when I try to point FortiGate router to the Azure domain controller there is no connection to it.

1) Is it normal that FortiGate router itself doesn't see the other side of the VPN tunnel?

2) Is it possible to make it communicate with resources running on the other side of the VPN tunnel?

Thanks.

dingjerry_FTNT · ‎12-25-2024

Hi @FG_User_24 ,

The FGT self-originated traffic will use the egress interface IP as the source IP. If the egress interface does not have an IP, FortiGate will pick up one of another interface IP as the source IP.

Regards,

Jerry

Toshi_Esumi · ‎12-26-2024

I'm guessing it would pick the largest interface IP (which is likely a private IP) if the tunnel interface doesn't have an IP configured. It probably wouldn't pick the outside interface IP the tunnel is going out (because it would likely break the tunnel since the same IP is coming from both inside and outside of the tunnel). But otherwise it could be a public depending on the config.
But that's why I keep suggesting you should sniff the outgoing LDAP packets to see what IP it's picking up and verify the other side has a route back. It's so easy thing to do.
   diag sniffer packet any 'tcp and port 389' 4 0

You might need to disable asic offloading for the IPSec's outgoing policy though to see them in sniffing.
    config firewall policy
      edit n [ -- policy ID]
        set auto-asic-offload disable
      next
    end
Just don't forget to re-enable it once it's done. It would affect to the performance if you don't.

Toshi

dingjerry_FTNT · ‎01-03-2025

"I'm guessing it would pick the largest interface IP (which is likely a private IP) if the tunnel interface doesn't have an IP configured."

FGT randomly picks up one interface IP if no IP is assigned to the IPSec VPN interface.

Regards,

Jerry

Toshi_Esumi · ‎01-03-2025

Thank you for your definitive answer, @dingjerry_FTNT

Toshi

FG_User_24 · ‎01-02-2025

Just in case someone needs the same in the future.

This is how it was resolved.

edit "DC-IN-AZURE"
set server "10.55.35.4"
set source-ip "192.168.7.5" <== this is what was added in the CLI
set cnid "sAMAccountName"
set dn "dc=company,dc=name"
set type regular

Issue has been resolved.

dingjerry_FTNT · ‎01-03-2025

Hi @FG_User_24 ,

Can you explain what "192.168.1.5" is?

And can you let us know whether you have specific source/destination addresses applied in your VPN firewall policy on FGT and the remote peer?

I guess that you do have specific source/destination addresses in policies on both VPN peers so if you do not specific the source IP in the LDAP server settings, and no IP is assigned to your VPN interfaces, FGT will pick up a random interface IP which is not allowed by the policies.

Regards,

Jerry

FG_User_24 · ‎01-03-2025

Sorry, made a typo.

Not 192.168.1.5 but 192.168.7.5.

192.168.7.5 is an IP address of the interface on the FortiGate.

dingjerry_FTNT · ‎01-03-2025

TBH, I am interested in the firewall policies on both VPN peers.

Regards,

Jerry

FortiGate doesn't see a domain controller over IPSec VPN

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website