FortiGate doesn't see a domain controller over IPSec VPN
Hi Fortinet Community,
There are two sites (on-prem and Azure) interconnected via IPSec VPN tunnel.
Each site has one domain controller.
Remote users when connect to on-prem get authenticated against the on-prem domain controller.
The future plan is decommission on-prem infrastructure.
However, when I try to point FortiGate router to the Azure domain controller there is no connection to it.
1) Is it normal that FortiGate router itself doesn't see the other side of the VPN tunnel?
2) Is it possible to make it communicate with resources running on the other side of the VPN tunnel?
Thanks.
Labels: FortiGate
Hi @FG_User_24 ,
The FGT self-originated traffic will use the egress interface IP as the source IP. If the egress interface does not have an IP, FortiGate will pick one of the other interfaces' IPs as the source IP.
Jerry
Created on 12-26-2024 05:25 PM Edited on 12-26-2024 05:38 PM
I'm guessing it would pick the largest interface IP (which is likely a private IP) if the tunnel interface doesn't have an IP configured. It probably wouldn't pick the outside interface IP the tunnel is going out of (because it would likely break the tunnel, since the same IP would be coming from both inside and outside of the tunnel). But otherwise it could be a public one, depending on the config.
But that's why I keep suggesting you should sniff the outgoing LDAP packets to see what IP it's picking up and verify the other side has a route back. It's such an easy thing to do.
diag sniffer packet any 'tcp and port 389' 4 0
You might need to disable asic offloading for the IPSec's outgoing policy though to see them in sniffing.
config firewall policy
    edit <policy ID>
        set auto-asic-offload disable
    next
end
Just don't forget to re-enable it once it's done. It would affect performance if you don't.
Toshi
"I'm guessing it would pick the largest interface IP (which is likely a private IP) if the tunnel interface doesn't have an IP configured."
FGT randomly picks up one interface IP if no IP is assigned to the IPSec VPN interface.
Jerry
Thank you for your definitive answer, @dingjerry_FTNT
Toshi
Just in case someone needs the same in the future.
This is how it was resolved.
config user ldap
    edit "DC-IN-AZURE"
        set server "10.55.35.4"
        set source-ip "192.168.7.5"    <== this is what was added in the CLI
        set cnid "sAMAccountName"
        set dn "dc=company,dc=name"
        set type regular
    next
end
Issue has been resolved.
Hi @FG_User_24 ,
Can you explain what "192.168.1.5" is?
And can you let us know whether you have specific source/destination addresses applied in your VPN firewall policy on FGT and the remote peer?
I guess that you do have specific source/destination addresses in policies on both VPN peers, so if you do not specify the source IP in the LDAP server settings, and no IP is assigned to your VPN interfaces, FGT will pick up a random interface IP which is not allowed by the policies.
Jerry
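A check for the failure mode Jerry describes, added here as an example (it is not code from the thread or from Fortinet): it parses a `config user ldap` block and reports entries that either have no `source-ip` (so FortiGate will source the LDAP traffic from an arbitrary interface IP) or have a `source-ip` outside the subnets the IPsec firewall policy permits. The config text and the policy subnet are constructed; 10.55.35.4 and 192.168.7.5 are the values from the thread, the second LDAP entry is made up.

```python
import ipaddress
import re

# Constructed "config user ldap" text modelled on the thread's resolution; the
# "DC-NO-SOURCE" entry and its address are made up to show the missing-source-ip case.
LDAP_CONFIG = """
config user ldap
    edit "DC-IN-AZURE"
        set server "10.55.35.4"
        set source-ip "192.168.7.5"
    next
    edit "DC-NO-SOURCE"
        set server "10.55.35.9"
    next
end
"""

# Assumed source subnet(s) permitted by the IPsec firewall policy; in practice
# take these from the policy's srcaddr objects on both VPN peers.
POLICY_SRC_SUBNETS = ["192.168.7.0/24"]


def parse_ldap_servers(config_text):
    # Map each LDAP entry name to its "server" and "source-ip" settings (if present).
    servers, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        m = re.match(r'set (server|source-ip) "?([^"\s]+)"?', line)
        if m and current is not None:
            servers[current][m.group(1)] = m.group(2)
    return servers


def check_ldap_source(servers, policy_src_subnets):
    # 'no-source-ip': FortiGate will pick an arbitrary interface IP (the thread's
    # failure mode); 'source-ip-outside-policy': a fixed IP the VPN policy won't pass.
    nets = [ipaddress.ip_network(n) for n in policy_src_subnets]
    verdicts = {}
    for name, attrs in servers.items():
        src = attrs.get("source-ip")
        if src is None:
            verdicts[name] = "no-source-ip"
        elif any(ipaddress.ip_address(src) in n for n in nets):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "source-ip-outside-policy"
    return verdicts
```

Run it against the output of `show user ldap` and the policy's srcaddr subnets; any entry not reported as "ok" is one to sniff with the `diag sniffer` command above.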
Sorry, made a typo.
Not 192.168.1.5 but 192.168.7.5.
192.168.7.5 is an IP address of the interface on the FortiGate.
TBH, I am interested in the firewall policies on both VPN peers.
Jerry