Hi, I have 2 FortiGates, a 60E and a 20C, and I have established the IPsec tunnels for a site-to-site VPN. The tunnel on both FortiGates appears to be up, but I cannot ping between the LAN networks. I have set the static route and added the access policies. I don't know what else to do. And if I check the IPsec monitor, I see that there is incoming and outgoing traffic.
Hello,
In the firewall policy, are you logging all allowed traffic? Do you see any Rx for a particular log entry or only Tx?
You can get more information about the traffic using the debug flow below with appropriate filters.
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow
This would show you where the packet is going.
Hi ShivSagar, thank you. Yes, in the firewall policy I am logging all allowed traffic. With the packet debug flow I see the packets that I send, on both FortiGates, coming in on the VPN interface. But it still doesn't ping; what I notice on the IPsec monitor of both FortiGates is that there is only Outgoing Data and no Incoming Data.
I don't know what else to do. I deleted the VPNs and recreated them, I flushed and reset the tunnel, and it remains the same :(
Make sure that the distance for the static routes for the tunnels has a smaller number for the distance than the default.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi Bob, thanks for your time. I have configured the static route with distance 1 on both FortiGates, but I still can't ping. If you have time, and even if there is a cost involved, could you help me solve this problem please?
From the CLI, can you check the output of "get router info routing-table details <remote IP>" to view the route it is taking and check whether it's the correct one?
Created on 11-30-2021 06:38 AM Edited on 11-30-2021 06:52 AM
Hi, thank you.
I ran the command "get router info routing-table details 192.168.1.80" on my FortiGate 60E at my Site A.
And this is the output.
And on my FortiGate 20C at my Site B I can't run that command, so I did a packet flow debug instead, and the packets enter on the VPN interface. I attached the image. I ping the remote LAN at Site A (192.168.15.254).
Thank you for your time
Can you try forcing both sides to use NAT-T?
Thank you Shivasagar for your time.
I tried to set NAT-T to forced on the FortiGate 20C (Site B), but it doesn't allow this option :(
On my FortiGate 60E (Site A) I have already set NAT-T to forced.
But I still can't ping.
Please collect the sniffer output below on both the 20C and the 60E.
"diag sniffer packet any 'host <peer public IP>' 6 0 a"
With this you can confirm whether ESP packets are arriving.
On 20C and 60E, are other IPSec tunnels working fine? If you have a 3rd device, is it possible to configure a tunnel for testing on that and see if it works?
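As an added example, not part of this thread and not Fortinet code: the sniffer command above produces a tcpdump-style header line per packet, and the question it answers here is whether the peer's ESP (protocol 50) or NAT-T (UDP 4500) packets are ever seen inbound, or only outbound, which is exactly the "Outgoing Data but no Incoming Data" symptom from earlier in the thread. The small Python script below tallies a saved capture by traffic class and direction and gives a one-word verdict. The capture text is constructed for the example, the header layout (timestamp, interface, in/out, src -> dst: summary) is assumed to match what the sniffer prints at verbosity 6 with absolute timestamps, and the function names are my own; adjust the regex if your firmware formats the line differently.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of 'diag sniffer packet any "host <peer>" 6 0 a' output
# (not a real capture). One IKE exchange in each direction, then three ESP
# packets leaving wan1 and none coming back, plus a hex-dump line that the
# parser must ignore.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 203.0.113.10]
2021-11-30 06:38:00.512345 wan1 in 203.0.113.10.500 -> 198.51.100.5.500: udp 288
2021-11-30 06:38:00.512400 wan1 out 198.51.100.5.500 -> 203.0.113.10.500: udp 256
2021-11-30 06:38:01.204001 wan1 out 198.51.100.5 -> 203.0.113.10: ESP(spi=0xc1e7c0d4,seq=0x1)
0x0000   4500 0088 0000 4000 4032 a1b2 c633 6405
2021-11-30 06:38:02.204120 wan1 out 198.51.100.5 -> 203.0.113.10: ESP(spi=0xc1e7c0d4,seq=0x2)
2021-11-30 06:38:03.204220 wan1 out 198.51.100.5 -> 203.0.113.10: ESP(spi=0xc1e7c0d4,seq=0x3)
"""

# Packet header line: timestamp (relative "1.234" or absolute "YYYY-MM-DD hh:mm:ss.ffffff"),
# interface, direction, "src[.port] -> dst[.port]: summary". Hex-dump lines do not match.
HEADER_RE = re.compile(
    r"^(?P<ts>(?:\d{4}-\d{2}-\d{2}\s+)?\d[\d:.]*)\s+"
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)


def classify(rest, sport, dport):
    """Map one packet to the IPsec traffic class it belongs to."""
    if rest.startswith("ESP("):
        return "esp"                 # raw ESP, IP protocol 50
    ports = {sport, dport}
    if "4500" in ports:
        return "nat-t-udp4500"       # IKE or ESP encapsulated in UDP 4500
    if "500" in ports:
        return "ike-udp500"          # IKE negotiation
    return "other"


def summarize(sniffer_text):
    """Return {traffic_class: {"in": n, "out": n}} for a sniffer capture."""
    counts = defaultdict(Counter)
    for line in sniffer_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue                 # banner, filter or hex-dump line
        cls = classify(m["rest"], m["sport"], m["dport"])
        counts[cls][m["dir"]] += 1
    return {cls: dict(c) for cls, c in counts.items()}


def verdict(summary):
    """Judge the data plane only: ESP plus NAT-T, ignoring IKE on UDP 500."""
    tx = rx = 0
    for cls in ("esp", "nat-t-udp4500"):
        tx += summary.get(cls, {}).get("out", 0)
        rx += summary.get(cls, {}).get("in", 0)
    if tx and not rx:
        return "tx-only"             # our ESP leaves, peer's never arrives
    if rx and not tx:
        return "rx-only"
    if rx and tx:
        return "bidirectional"
    return "none"


if __name__ == "__main__":
    s = summarize(SAMPLE_SNIFFER)
    print(s)
    print("verdict:", verdict(s))
```

Run it against the capture from each side. A "tx-only" result on both FortiGates means each box is sending ESP but neither receives the other's, which points at something between them dropping protocol 50 or UDP 4500 rather than at the phase 1/phase 2 configuration; a "bidirectional" result with a silent ping points back at routing or policy on the receiving side. The IKE counters are reported but deliberately excluded from the verdict, because a tunnel can show "up" on IKE alone while ESP is blocked.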
Copyright 2024 Fortinet, Inc. All Rights Reserved.