Hello,
I set up IPSec connections for roaming clients with split-tunneling. Although the connections succeed phase 2 and R_U_THERE packets do cross the tunnel, there is no packet flow between client and the Fortigate. Neither one can ping the other through the tunnel.
Another fact which I do not understand. Although split-tunnel and mode config is selected, the Forticlient 7.2.4 alters the default route on the Windows 10 / 11 clients to the tunnel.
The dial-in client's LAN network address is 192.168.0.0/24. The HQ network is 192.168.0.0/16. This will also lead to routing problems. Is it possible to map the HQ IP address [192.168.0.0/16] within the tunnel to another network (e.g. 192.0.0.0/16)?
For testing purposes we altered the accessible networks into another network [10.0.0.0/8] which is also connected to the Fortigate. But that did not lead to data flow through the tunnel.
gateway
name: 'EMS_Test_0'
local-gateway: 123.45.678.123:4500 (static)
remote-gateway: 123.46.78.123:62890 (dynamic)
dpd-link: on
mode: ike-v1
interface: 'port10' (16) vrf:0
rx packets: 177 bytes: 29012 errors: 259
tx packets: 1051 bytes: 3758 errors: 0
dpd: on-idle/negotiated idle: 30000ms retry: 3 count: 0
nat traversal mode: silent RFC 3947
selectors
name: 'EMS_Test'
auto-negotiate: disable
mode: tunnel
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:198.18.27.2-198.18.27.2:0
SA
lifetime/rekey: 43200/43179
mtu: 1422
tx-esp-seq: 41a
replay: enabled
qat: 0
inbound
spi: bcb1176a
enc: aes-cb 88cffeadf2cf9ef785047903aedada1181b1a735f835e8b1b02960692d0ec209
auth: sha256 ad1ac6fb0b720e5c11fb63d2801e026ccd3dd48c4efcd450409c0d08c39fbf96
outbound
spi: a81eae67
enc: aes-cb 675dcf068706ce66989f3da5455135798d850abc69c0da8648018800288adf70
auth: sha256 41d2b1783f3073c0e9ca2611b343049460176b9b6c06e48ae3a9416d65bcc261
NPU acceleration: encryption(outbound) decryption(inbound)
best regards
Martin
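An added example, not from the post or from Fortinet: a small Python script that parses the counters and phase 2 selectors out of a tunnel listing like the one above and checks the address plan for overlap with the client's LAN. The listing excerpt and the network values are constructed from the post; the hypothetical split-include list (192.168.0.0/16, 10.0.0.0/8) is an assumption.

```python
import ipaddress
import re

# Constructed excerpt of the tunnel listing quoted in the post (values copied from it).
TUNNEL_OUTPUT = """\
name: 'EMS_Test_0'
rx packets: 177 bytes: 29012 errors: 259
tx packets: 1051 bytes: 3758 errors: 0
nat traversal mode: silent RFC 3947
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:198.18.27.2-198.18.27.2:0
"""

def parse_tunnel(text):
    """Extract per-direction counters and the phase 2 selectors as ip_network lists."""
    info = {}
    for direction in ("rx", "tx"):
        m = re.search(rf"{direction} packets: (\d+) bytes: (\d+) errors: (\d+)", text)
        info[direction] = {"packets": int(m[1]), "bytes": int(m[2]), "errors": int(m[3])}
    for side in ("src", "dst"):
        # selector lines look like "src: 0:0.0.0.0-255.255.255.255:0" (proto:first-last:port)
        m = re.search(rf"^{side}: \d+:([\d.]+)-([\d.]+):\d+", text, re.M)
        first, last = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        info[side] = list(ipaddress.summarize_address_range(first, last))
    return info

def overlapping_routes(client_lan, pushed_networks):
    """Return the pushed (split-include) networks that overlap the client's own LAN."""
    lan = ipaddress.ip_network(client_lan)
    return [n for n in map(ipaddress.ip_network, pushed_networks) if n.overlaps(lan)]

def findings(info, client_lan, pushed_networks):
    """Checks a practitioner would run before reaching for debug flow."""
    out = []
    rx = info["rx"]
    if rx["errors"]:
        out.append(f"inbound: {rx['errors']} errors against {rx['packets']} packets")
    if ipaddress.ip_network("0.0.0.0/0") in info["src"]:
        out.append("FortiGate-side selector is 0.0.0.0/0: the selector does not restrict destinations")
    for net in overlapping_routes(client_lan, pushed_networks):
        out.append(f"{net} overlaps client LAN {client_lan}: local and tunnel routes compete")
    return out

if __name__ == "__main__":
    info = parse_tunnel(TUNNEL_OUTPUT)
    for line in findings(info, "192.168.0.0/24", ["192.168.0.0/16", "10.0.0.0/8"]):
        print(line)
```

Running `overlapping_routes("192.168.0.0/24", ["192.0.0.0/16"])` returns an empty list, which is the overlap the remap suggested in the post would remove.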
You can check this document: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/426761/site-to-site-vpn-with...
Hi @mhaneke,
When connected to the VPN, do you see 10.0.0.0/8 in your routing table (route print)? If yes, you can run debug flow and try to generate traffic to 10.0.0.0/8. Please refer to this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,
Copyright 2024 Fortinet, Inc. All Rights Reserved.