Good day,
IKEv2 Dial-In Clients [198.18.25.0/24] connect successfully via FortiGate to the Intranet 192.168.0.0/16.
But they cannot connect to a branch office network [172.16.0.0/16] which is also connected as a Site-2-Site VPN on that FortiGate
The firewall policies are set to "allow" accordingly for these IKEv2 clients.
The Intranet 192.168.0.0/16 can reach the destinations in 172.16.0.0/16 over that Site-2-Site VPN.
Phase 2 is up:
name=Site2Site ver=2 serial=1 XXXXXXXXXXXX:0->YYYYYYYYY:0 tun_id=YYYYYYYYYYY tun_id6=::YYYYYYYYYYY dst_mtu=1500 dpd-link=on weight=1
bound_if=16 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=0 overlay_id=0
proxyid_num=4 child_num=0 refcnt=7 ilast=1 olast=1 ad=/0
stat: rxp=10256 txp=6843 rxb=12044848 txb=1178486
dpd: mode=on-demand on=1 idle=30000ms retry=3 count=0 seqno=6
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Site2Site proto=0 sa=1 ref=215 serial=1
src: 0:192.168.0.0-192.168.255.255:0
dst: 0:172.16.0.0-172.16.255.255:0
SA: ref=6 options=10226 type=00 soft=0 mtu=1422 expire=42810/0B replaywin=2048
seqno=1ab4 esn=0 replaywin_lastseq=0000280b qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=67f82d20 esp=aes key=32 7142b02ec0f73a764fe05ddc426c6d3187a9d1cf5f6fb7acf529e28119805622
ah=sha512 key=64 b935377ec9dbc3151f19fac6ce45b014bde62eec099f6dfe80206b2d6706a9d762c27dc4cc9ef0a6e60def5e99c18657503f625f8023bba44bd0ab48d49f15ee
enc: spi=81e1ac01 esp=aes key=32 4cc44d292afe2f5ec58d2ab840d81aa74db1299ae9ee485b7753a2dd68dfe585
ah=sha512 key=64 39947745f4ed6df53885c25b6620970f8b4b6074569a052ff3638a3079f8cadd666ec4bf16de48e28c61ad30bfec7e8ee6baab0c91cce2af2e3817d60f14db85
dec:pkts/bytes=1/91, enc:pkts/bytes=418/84552
npu_flag=03 npu_rgwy=XXXXXXXXXXXX npu_lgwy=XXXXXXXXXXXX npu_selid=0 dec_npuid=1 enc_npuid=1 npu_isaidx=506 npu_osaidx=1
proxyid=IKEV2_RZ proto=0 sa=0 ref=1 serial=3
src: 0:198.18.25.1-198.18.25.254:0
dst: 0:172.16.0.0-172.16.255.255:0
proxyid=IKEv1-RZ proto=0 sa=0 ref=1 serial=4
src: 0:198.18.27.1-198.18.27.254:0
dst: 0:172.16.0.0-172.16.255.255:0
proxyid=OW-RZ proto=0 sa=1 ref=3 serial=2
src: 0:10.0.0.0-10.255.255.255:0
dst: 0:172.16.0.0-172.16.255.255:0
SA: ref=6 options=10226 type=00 soft=0 mtu=1422 expire=42840/0B replaywin=2048
seqno=6 esn=0 replaywin_lastseq=00000003 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=67f82d21 esp=aes key=32 d497f58275e767a6a4ddcfdbc3fc8e5adbe417b9673b1748b10915993ffb7ffa
ah=sha512 key=64 f033beb2e23dc6cc6a0f3ae56f7b8252229518fc8179ebd35ba4d576a7de406f4580ef2572a06e680e2c13ce4fc2b61f69d5da4612fb3ff05924996ed99e5e3b
enc: spi=cf2f0f22 esp=aes key=32 0fadff9bc98c29b029739533933822edbf0622fc822d1b5ec555fb99e4ecc9fd
ah=sha512 key=64 ae6524d8699cf124840a41393fb22716d270cde989dea6b432858a5da9a4e99df61b7c5c1de614ad955ad3ffb829775843d9de6230faa8b9952c73fd8a7856da
dec:pkts/bytes=1/41, enc:pkts/bytes=2/264
npu_flag=03 npu_rgwy=154.60.97.26 npu_lgwy=212.91.225.218 npu_selid=1 dec_npuid=1 enc_npuid=1 npu_isaidx=507 npu_osaidx=2
best regards
Martin Haneke
Solved! Go to Solution.
Ensure NAT is turned off on those policies. It may be best if you do a debug flow by following these instructions: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/38044/using-the-debug-flow-t...
Hello all,
we solved the problem. Not all SA / TSi were accepted by the remote side for the following reasons:
1. Two of four SAs had not matching pairs of Enc and Hash-Algorithms.
2. The router on the other side had overlapping networks (/24 vs. /16)
3. The remote 3-rd party router had a problem building more than two SAs, when set to "manual SA creation". After correcting the subnet masks and the setting SAs creation to automatic, everythings fine.
Thank You for anticipating the problem.
best regards
Martin Haneke
Ensure NAT is turned off on those policies. It may be best if you do a debug flow by following these instructions: https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/38044/using-the-debug-flow-t...
Hello all,
we solved the problem. Not all SA / TSi were accepted by the remote side for the following reasons:
1. Two of four SAs had not matching pairs of Enc and Hash-Algorithms.
2. The router on the other side had overlapping networks (/24 vs. /16)
3. The remote 3-rd party router had a problem building more than two SAs, when set to "manual SA creation". After correcting the subnet masks and the setting SAs creation to automatic, everythings fine.
Thank You for anticipating the problem.
best regards
Martin Haneke
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.