FortiG-User
New Contributor II

Fortigate 7.4.0 IPsec VPN is not creating Static Route

Hi,

I am trying to create "Overlapping subnets for a VPN tunnel". The VPN is UP, but there is no traffic flowing through the tunnel.

I have created policies, but when I checked the route table, there was no static route created by the wizard. I tried recreating the tunnel, still no route... Created "Custom", "The remote site behind NAT" etc. etc. It's not creating a static route.

I tried manually creating static routes, still no traffic flow.

Remote LAN: 10.20.30.0/24
NATed IP: 100.100.100.100
Gateway : 70.70.70.70

Local LAN: 192.168.45.0/24

Any help/pointers will be appreciated

Thank you

ozkanaltas
Valued Contributor III

Hello @FortiG-User ,

Can you share the whole configuration of this VPN tunnel with us?

Also, did the remote site configure their side according to the NAT IP, right?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
FortiG-User

Hi,

Thank you for your reply..

Is there a command to print the whole Tunnel config output?  Will share the same here..

Yes, the other side has created a NATed config on their side.

Thank you

ozkanaltas
Valued Contributor III

Hello @FortiG-User ,

config vpn ipsec phase1-interface
    edit <tunnel_name>
        show
    end

config vpn ipsec phase2-interface
    edit <phase2_name>
        show
    end

Also, can you share the policy and route configuration? 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
FortiG-User

Hi,
Thank you for your reply...

Following is the output

config vpn ipsec phase1-interface
edit "IPs_VPN_Tunnel"
set interface "wan2"
set ike-version 2
set keylife 28800
set peertype any
set net-device disable
set proposal aes256-sha1
set dhgrp 5
set remote-gw 70.70.70.70
set psksecret ENC YWjGJgTsaIB/S+7LmLZczlX7jtV3IdjMt4yBcRpM7HAeeB9fLSqI5u27rIKEeYBsGfc4BtC47wHqtj5a9VGhA/QAaoGUgT5y8BLUF9K6hamJ1aFBOt4Nhvzwb7fO0UWJ1PdGGg4g9sVZe/5IvXCvTbzatn3x8ci82Dl7ST+DiMylOCoVI0l7LiujoqlXMkg==
next
end


config vpn ipsec phase2-interface
edit "IPs_VPN_Tunnel"
set phase1name "IPs_VPN_Tunnel"
set proposal aes256-sha1
set dhgrp 5
set keylifeseconds 3600
set src-subnet 100.100.100.100 255.255.255.255
set dst-subnet 10.20.30.0 255.255.255.0
next
end

Thank you

ozkanaltas
Valued Contributor III

Hello @FortiG-User ,

Your VPN configuration seems correct.

If you configured the policy and route like this, it should work.

Static route:
  Destination: 10.20.30.0/24
  Interface: IPsec interface

Policy:
  Source interface: x.interface
  Destination interface: Tunnel_interface
  Source: x.x.x.x
  Destination: 10.20.30.0/24
  NAT: IP pool - 100.100.100.100

If your configuration is like this, you need to check the other side.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
FortiG-User

Thank you very much for all your help..

Waloo5
New Contributor III

Hi,

You can refer to this document:

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/426761/site-to-site-vpn-with...

To configure the IP Pool:

  1. Go to Policy & Objects > IP Pools and navigate to the IP Pool tab.
  2. Click Create new.
  3. For Name, enter .........
  4. For Type, select Overload
  5. Enter the External IP address/range 100.100.100.100 – 100.100.100.100, t
  6. Click OK.
Amir
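The CLI form of the IP pool, the policy that uses it and the static route described in the two replies above, as an added example that is not from this thread. The pool and policy names and the LAN interface "internal" are assumptions; the addresses and the tunnel name "IPs_VPN_Tunnel" are the ones posted.

```text
# Added example, not from the thread. Names "VPN_NAT_Pool", "Allow_to_Remote"
# and LAN interface "internal" are assumptions; addresses are from the thread.

# Overload IP pool holding the single NATed address; it must equal the
# phase2 src-subnet 100.100.100.100/32 or the peer's selectors will not match.
config firewall ippool
    edit "VPN_NAT_Pool"
        set type overload
        set startip 100.100.100.100
        set endip 100.100.100.100
    next
end

# Address objects for both LANs.
config firewall address
    edit "Remote_LAN"
        set subnet 10.20.30.0 255.255.255.0
    next
    edit "Local_LAN"
        set subnet 192.168.45.0 255.255.255.0
    next
end

# Static route into the tunnel (the piece the wizard did not create here).
config router static
    edit 0
        set dst 10.20.30.0 255.255.255.0
        set device "IPs_VPN_Tunnel"
    next
end

# LAN -> tunnel policy with source NAT through the pool, so traffic leaves
# as 100.100.100.100 and matches the phase2 selectors.
config firewall policy
    edit 0
        set name "Allow_to_Remote"
        set srcintf "internal"
        set dstintf "IPs_VPN_Tunnel"
        set srcaddr "Local_LAN"
        set dstaddr "Remote_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "VPN_NAT_Pool"
    next
end
```

After applying it, `get router info routing-table all` should list 10.20.30.0/24 via IPs_VPN_Tunnel, and `diagnose vpn tunnel list` should show the 100.100.100.100/32 to 10.20.30.0/24 selector with a non-zero packet count once traffic flows.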
FortiG-User
New Contributor II

Thank you very much... That did the trick... and all set now....

Thank you very much for all your help.
