IPsec Tunnel Interface is UP, but I can't ping the remote PC
Hi, I have 2 FortiGates, a 60E and a 20C, and I have established the IPsec tunnels for a site-to-site VPN. The tunnel on both FortiGates appears to be up, but I cannot ping between the LAN networks. I have set the static route and added the access policies. I don't know what else to do. And if I check the IPsec monitor, I see that there is incoming and outgoing traffic.
The only option I can suggest now is to disable the tunnel to bring down the connection and initiate traffic from the 60E end so the tunnel comes up using NAT-T. I can see from the sniffer that it's still using port 500.
Did you try to flow trace the traffic to see if it matched policies and routing is correct?
diag debug enable
diag debug flow filter daddr <destinationip>
diag debug flow filter saddr <sourceip>
diag debug flow trace start <numberofpackets>
that will show you what the FGT does with the traffic.
FGT uses the routing table to determine the path to the destination in Step #1
In Step #2 it looks for a matching policy. It goes top-down, and the first match wins the packet.
If there is no policy that matches it would hit policy #0 (which is the deny everything from/to everywhere one).
However, the fact that the tunnel is up tells me that there has to be at least one policy that references it (because otherwise it would not come up). However, that does not necessarily mean that it matches your traffic...
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Could you please check if you are filtering the traffic that is traversing the VPN on your phase 2? If the static route is correct, if the security policies are correct, then the only thing I can think of is the phase 2 configuration.
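The two diagnostic paths suggested above (route lookup, then top-down policy match with the implicit deny, then the phase 2 selectors) can be modelled to show why an "up" tunnel still drops LAN-to-LAN traffic. The following is an added example written for this thread; it is not FortiOS code and not from any poster. The interface names, subnets and policy numbers are constructed for illustration, and the behaviour is a simplified model of what `diag debug flow` would report at each step.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    interface: str


@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str
    srcaddr: Net
    dstaddr: Net
    action: str  # "accept" or "deny"


@dataclass
class Phase2Selector:
    local: Net   # local subnet allowed into the tunnel
    remote: Net  # remote subnet allowed out of the tunnel


ANY = Net("0.0.0.0/0")
# Policy 0: the implicit "deny everything from/to everywhere" rule.
IMPLICIT_DENY = Policy(0, "any", "any", ANY, ANY, "deny")


def lookup_route(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Step 1: longest-prefix match picks the egress interface."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def match_policy(policies: List[Policy], srcintf: str, dstintf: str,
                 src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> Policy:
    """Step 2: evaluate top-down; first match wins, else fall through to policy 0."""
    for p in policies:  # list is assumed to be in evaluation order
        if (p.srcintf in (srcintf, "any") and p.dstintf in (dstintf, "any")
                and src in p.srcaddr and dst in p.dstaddr):
            return p
    return IMPLICIT_DENY


def phase2_allows(selectors: List[Phase2Selector],
                  src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """Step 3: at least one phase 2 selector must cover the src/dst pair."""
    return any(src in s.local and dst in s.remote for s in selectors)


def trace(routes, policies, selectors, tunnel_if, srcintf, src, dst) -> Tuple[str, str]:
    """Return (step, detail) for the first step that drops the packet, or ("forward", ...)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    route = lookup_route(routes, dst)
    if route is None:
        return ("route", "no route to destination")
    policy = match_policy(policies, srcintf, route.interface, src, dst)
    if policy.action != "accept":
        return ("policy", f"denied by policy {policy.id}")
    if route.interface == tunnel_if and not phase2_allows(selectors, src, dst):
        return ("phase2", "no phase 2 selector covers src/dst")
    return ("forward", f"policy {policy.id} via {route.interface}")


# Constructed topology: 60E side LAN 192.168.10.0/24 on "internal",
# tunnel interface "to_20C" leading to the remote LAN 192.168.20.0/24.
TUNNEL = "to_20C"
ROUTES = [Route(Net("192.168.20.0/24"), TUNNEL), Route(Net("0.0.0.0/0"), "wan1")]
POLICIES = [
    # Constructed mistake: the outbound policy only covers half of the local LAN.
    Policy(1, "internal", TUNNEL, Net("192.168.10.0/25"), Net("192.168.20.0/24"), "accept"),
    Policy(2, TUNNEL, "internal", Net("192.168.20.0/24"), Net("192.168.10.0/24"), "accept"),
]
# Constructed mistake: phase 2 only covers a /28 of the remote LAN.
SELECTORS = [Phase2Selector(Net("192.168.10.0/24"), Net("192.168.20.0/28"))]


def demo() -> dict:
    """Three hosts, three different outcomes, all with the tunnel 'up'."""
    return {
        "ok": trace(ROUTES, POLICIES, SELECTORS, TUNNEL, "internal", "192.168.10.5", "192.168.20.10"),
        "wrong_policy_subnet": trace(ROUTES, POLICIES, SELECTORS, TUNNEL, "internal", "192.168.10.200", "192.168.20.10"),
        "wrong_phase2": trace(ROUTES, POLICIES, SELECTORS, TUNNEL, "internal", "192.168.10.5", "192.168.20.50"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Policy 1 references the tunnel interface, so the tunnel negotiates and shows as up, yet a host outside the policy's source subnet still lands on policy 0, and a host whose destination is outside the phase 2 selector passes the policy check but is never encrypted into the tunnel. Comparing the real `diag debug flow` output against each step in this model tells you which of the three configurations to fix.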