Hello,
I have a relatively simple setup with two Fortigates directly peering with IPsec over the Internet. I have two subnets on my primary site, configured as subinterfaces, and one subnet on my secondary site (also subinterface).
SUB1 --192.168.1.0/24-----\
|===VPN===|----SUB3 172.16.2.0/24
SUB2 ---172.16.1.0/24-----/
In order to configure the Phase 2, I created a group of objects containing my two subnets and used Named Addresses on both firewalls.
One subnet from the primary site (let's call it 192.168.1.0/24) can reach the remote site properly and vice-versa. However, the other subnet from my primary site (let's call it 172.16.1.0/24) cannot reach the remote site. Pings from the remote site to both main subnets are working.
From the Forward Traffic log, I can see that the subnet that is not working is not actually using the ACL towards the tunnel, rather it goes through the WAN link, as if it was not using the route I specified in the Phase 2.
I have static routes on both firewalls to allow the communication (two routes on the remote firewall pointing to the VPN's IP, and one route on the main site pointing towards the other side of the VPN.
I have 0 ACL drops on my default rule and have no other drop rules. NAT is deactivated on the rules managing the trafic between the sites. I have tried Policy Routing, creating multiple Phase 2s, removing the working subnet from the Phase 2 and leaving only the broken one, it never goes through the VPN interface.
Any help is welcome, I'll be glad to answer your questions.
Thank you in advance !
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi
Check priority and admin distance of the static route. Make sure it has priority over the default gateway.
Both priorities are equal. Anyway, if both routes are in the routing table, shouldn't the packet be routed using the longest prefix rule ?
Thanks!
Hi @antmich,
Run debug flow to get an idea how the traffic is traversing via Fortigate.
If one subnet is reachable, check the firewall policy to allow traffic between SUB2 and SUB3.
Hi @alif, both subnets are allowed in the security policies. As I mentioned, the traffic is not going through the VPN as it should (matching other ACL towards WAN/default route) even though the route exists and the destination subnet is configured in the phase 2 for that source.
If the route is there in the routing table and one subnet is working as expected, it could be some policy route forcing the traffic towards wan interface.
Perhaps, you can share the debug flow/routing table to have a better idea.
can you clarify your phase 2 config? You said you created a group of objects containing two subnets on both firewalls. You have three subnets, though. It's unclear how you've defined your phase2 here. Can you show the config or explain it clearly?
Hello,
May I know your firmware version, please?
We are having serious IPSEC routing issues after a 7.0.10 upgrade.
Eveything wokred like a charm from < 7.0.9 release. After the upgrade we are having problems in phase 2 rekey (i believe)
Once in while the vpn is not working and not communicating toward the other firewall.
In The GUI, both phases are green.
The only way to make it work again is to manually "bring down" and "bring up" the phase 2 and it works.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1679 | |
1085 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.