Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
secret104278
New Contributor

Gateway cannot ping each other when Site-to-Site vpn

I have two fortigates, and i set up the vpn tunnel following this guide https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/281288/site-to-site-ipsec-vpn-with-two-f...

 

The clients behind the gateway can ping each other through this tunnel. However, the gateway can't ping each other.

I have found that when one fortigate ping the other, by default, it will use it's WAN IP (because the vpn tunnel is under internet). Then i try to configure that virtual tunnel interface the be the same ip as the LAN gateway IP, but the fortigate doesnt allow us to do that. The official documents doesn't mention this point, so how everyone accomplish that.

3 REPLIES 3
Toshi_Esumi
SuperUser
SuperUser

First, to test/troubleshoot VPNs or other feature of a FW, you need to get yourself familiarized with CLI.

To ping from the GW (192.168.37.1 in the cookbook on HQ side), you need to specify the ping-source IP.

"exe ping-options source 192.168.37.1"

Then "exe ping 192.168.13.1" would use 37.1 as its source. That should let you ping the other end.

 

If you further configured the tunnel IP under the interface, which has the same name with the tunnel you created (in the cookbook example "HQ-to-Branch") and set the remote-ip on the other end of the tunnel, pinging from the FGT uses the tunnel IP as its source automatically. But this part is not in the cookbook, I guess, because it works for user-to-user traffic without it for any firewall appliances, but for routers. Below is an example for the example in the cookbook.

 

config system interface     edit "HQ-to-Branch"         set vdom "root"         set ip 10.10.10.1 255.255.255.255         set allowaccess ping https ssh snmp         set type tunnel         set remote-ip 10.10.10.2 255.255.255.255         set interface "wan1"     next end

secret104278

So how did you chose 10.10.10.1 and 10.10.10.2, just randomly pick two addresses not in the LAN subnet?

 

My real use case is I have a RADIUS server in HQ subnet, and I want the Branch-FGT to be able to use that RADIUS.

 

My HQ subnet is 10.5.0.1/16, Branch subnet is 10.6.0.1/16. How should I chose ip/remote-ip for the tunnel interface?

According to your reply, it seems like i should have the third subnet for the tunnel interface.

 

Toshi_Esumi

As long as it doesn't exist in your network, you can randomly choose it. With FGT both sides of the tunnel IP don't have to be in /30 subnet. But it's good to keep it that way just in case you might need to migrate the tunnel to another router gears.

And I believe the remote RADIUS access uses the outgoing interface IP by default. But I recommend you configure "set source-ip x.x.x.x" in RADIUS config.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors