Hi, I have 2 FortiGates, a 60E and a 20C, and I have established the IPsec tunnels for site-to-site VPN. The tunnel on both FortiGates appears to be up, but I cannot ping between the LAN networks. I have set the static route and added the access policies. I don't know what else to do. And if I check the IPsec monitor, I see that there is incoming and outgoing traffic.
Thanks so much for your support.
Here is the output of the sniffer on the 60E:
And here is the output on the 20C.
I think the ESP packets are arriving.
And yes, on the 20C there are 2 more IPsec tunnels and they're working fine.
And on the 60E there is 1 more tunnel and it works fine.
It seems that everything is fine, but I don't know what more tests I can do. I'm afraid I have no other device to test :(
The only option I can suggest now is to disable the tunnel to bring down the connection and initiate traffic from the 60E end so the tunnel comes up using NAT-T[4500], I can see from the sniffer it's still using port 500.
Thank you!
So what I have to do is go to:
1. IPsec monitor and bring down the tunnel, or go to Network -> Interfaces -> WAN -> Tunnel interface -> Disable
And once the tunnel is disabled, I ping from my LAN network behind the FortiGate 60E, right? And it should come up by itself?
You can use "diagnose vpn tunnel flush <name>" to clear the SAs from both ends. After that, just initiating a ping from a machine behind the 60E should bring up the tunnel.
Thank you, I did the flush command on both FortiGates, but the tunnel comes up after that without me doing a ping.
And then I ran the sniffer command on both FortiGates, but the packets still use port 500 and not 4500.
diag sniffer packet any 'host <peer public ip>' 6 0 a
Do I need to reset the tunnel or do it again?
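The thread keeps coming back to what the sniffer shows: IKE on UDP 500, NAT-T on UDP 4500, or raw ESP. The following Python script is an added example, not code from the poster or from Fortinet, that classifies lines of "diag sniffer packet" output by those three categories and direction, then reports whether encrypted traffic is actually leaving and returning. The sample capture is constructed (documentation addresses, interface wan1, timestamps made up); hex-dump lines from verbosity 6 are simply ignored by the parser.

```python
import re
from collections import Counter

# Constructed sample of FortiGate "diag sniffer packet" output (header lines
# only, no hex dump). NOT captured from the poster's devices: 203.0.113.10 is
# assumed to be the local WAN address and 198.51.100.20 the peer.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 198.51.100.20]
3.520172 wan1 out 203.0.113.10.500 -> 198.51.100.20.500: udp 508
3.541003 wan1 in 198.51.100.20.500 -> 203.0.113.10.500: udp 440
5.102344 wan1 out 203.0.113.10 -> 198.51.100.20: ESP(spi=0x1b2c3d4e,seq=0x1)
5.130211 wan1 in 198.51.100.20 -> 203.0.113.10: ESP(spi=0x5a6b7c8d,seq=0x1)
7.000001 wan1 out 203.0.113.10.4500 -> 198.51.100.20.4500: udp 96
"""

# One packet header line: "<ts> <iface> <in|out> <src> -> <dst>: <proto details>"
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)


def _split_port(endpoint):
    """'203.0.113.10.500' -> ('203.0.113.10', 500); a bare IPv4 -> (ip, None)."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None


def classify(line):
    """Return (category, direction) for a packet line, None for headers/hex dumps."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    _, dport = _split_port(m.group("dst"))
    if rest.startswith("ESP("):
        category = "esp"      # raw ESP (IP protocol 50): no NAT in the path
    elif rest.startswith("udp") and dport == 500:
        category = "ike"      # IKE negotiation (phase 1 / phase 2)
    elif rest.startswith("udp") and dport == 4500:
        category = "nat-t"    # IKE or ESP encapsulated in UDP 4500 (NAT-T)
    else:
        category = "other"
    return category, m.group("direction")


def summarize(text):
    """Count packets per (category, direction) over a whole capture."""
    counts = Counter()
    for line in text.splitlines():
        key = classify(line)
        if key:
            counts[key] += 1
    return counts


def assess(counts):
    """Answer the two questions in the thread: NAT-T or not, and does ESP flow both ways?"""
    findings = []
    if counts[("nat-t", "in")] or counts[("nat-t", "out")]:
        findings.append("NAT-T (UDP 4500) in use")
    else:
        findings.append("no NAT-T: IKE stays on UDP 500, no NAT detected between peers")
    if counts[("esp", "in")] and counts[("esp", "out")]:
        findings.append("ESP seen in both directions: encrypted traffic is flowing")
    elif counts[("esp", "out")]:
        findings.append("ESP leaves but nothing returns: check the remote route/policy")
    elif counts[("esp", "in")]:
        findings.append("ESP arrives but none is sent: check the local route into the tunnel")
    else:
        findings.append("no ESP at all: phase 2 may be down, or traffic never reaches the tunnel")
    return findings


if __name__ == "__main__":
    c = summarize(SAMPLE_SNIFFER)
    for key, n in sorted(c.items()):
        print(f"{key[0]:6} {key[1]:3} {n}")
    for f in assess(c):
        print("-", f)
```

Run it against a real capture by piping the sniffer output into a file and passing its contents to summarize(); seeing ESP in both directions while pings still fail points at routing or policy on the FortiGate rather than at the tunnel itself.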
Created on 11-30-2021 10:23 PM Edited on 11-30-2021 10:54 PM
Are you sure the tunnel is up completely? In firmware prior to 6.4 the IPsec Monitor (and also the IKE debug log) does not show Phase 2. Since 6.4 it does show Phase 2, at least in the IPsec Monitor.
So maybe your Phase 1 came up and the tunnel is marked as up in the monitor, but Phase 2 is not up. Unfortunately that is rather hard to debug as there are no logs for Phase 2 :(
The result would be that no traffic can yet pass your tunnel...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi sw2090, thank you for your time.
I followed this link to troubleshoot the IPsec phases.
And if I run this command on my FortiGate 60E, the status of Phase 1 is established.
And if I check Phase 2, SA=1, which I think indicates the IPsec SA is matching and there is traffic between the selectors.
I honestly don't know what else to do. I've thought about restarting the FortiGates, but I'm afraid that the other VPNs I have configured will stop working as well.
Yes it does. So the tunnel is up completely.
Did you try to flow trace the traffic to see if it matched policies and routing is correct?
diag debug enable
diag debug flow filter daddr <destinationip>
diag debug flow filter saddr <sourceip>
diag debug flow trace start <numberofpackets>
That will show you what the FGT does with the traffic.
The FGT uses the routing table to determine the path to the destination in step #1.
In step #2 it looks for a matching policy. It goes top down and the first match wins the packet.
If there is no policy that matches, it hits policy #0 (which is the deny-everything from/to everywhere one).
However, the fact that the tunnel is up tells me that there has to be at least one policy that references it (because otherwise it would not come up). That does not necessarily mean that it matches your traffic, though...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
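The two-step check sw2090 describes (step 1 routing, step 2 policy, with policy 0 as the implicit deny) is easy to miss in a long flow trace. The Python below is an added example, not code from the thread or from Fortinet: it groups "diag debug flow" lines by trace_id, extracts the packet, the route lookup and the policy verdict, and labels each flow as OK, WRONG_ROUTE or NO_POLICY. The sample trace is constructed in FortiOS style; the tunnel interface name "ToBranch", the LAN interface "internal" and all addresses are assumptions.

```python
import re

# Constructed "diag debug flow" output in FortiOS style, NOT from the poster's
# FortiGates. Assumed names: LAN behind "internal", tunnel interface "ToBranch",
# remote LAN 192.168.2.0/24; 192.168.3.0/24 is a prefix with no tunnel route.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.10:2048) from internal. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5759 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-192.168.2.10 via ToBranch"
id=20085 trace_id=1 func=fw_forward_handler line=790 msg="Allowed by Policy-5:"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.3.10:2048) from internal. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5759 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2598 msg="find a route: flag=00000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=790 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 192.168.1.20:1->192.168.2.10:2048) from internal. type=8, code=0, id=1, seq=1."
id=20085 trace_id=3 func=init_ip_session_common line=5759 msg="allocate a new session-0000a1b4"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-192.168.2.10 via ToBranch"
id=20085 trace_id=3 func=fw_forward_handler line=790 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s.*?msg="(?P<msg>.*)"$')
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) "
    r"from (?P<iface>\S+)\."
)
ROUTE_RE = re.compile(r"find a route: flag=\w+ gw-(?P<gw>[\d.]+) via (?P<iface>\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<id>\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<id>\d+)\)")


def parse_flow_trace(text):
    """Group trace lines by trace_id and record packet, route lookup and policy verdict."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m.group("tid"), {
            "src": None, "dst": None, "in_iface": None,
            "route_iface": None, "gw": None, "policy": None, "denied": False,
        })
        msg = m.group("msg")
        if (p := PKT_RE.search(msg)):
            t.update(src=p["src"], dst=p["dst"], in_iface=p["iface"])
        elif (r := ROUTE_RE.search(msg)):
            t.update(gw=r["gw"], route_iface=r["iface"])          # step 1: routing
        elif (a := ALLOW_RE.search(msg)):
            t["policy"] = int(a["id"])                              # step 2: policy hit
        elif (d := DENY_RE.search(msg)):
            t["policy"] = int(d["id"])                              # policy 0 = implicit deny
            t["denied"] = True
    return traces


def assess(trace, tunnel_iface):
    """Say which of the two steps failed for one flow."""
    if trace["route_iface"] != tunnel_iface:
        return "WRONG_ROUTE"   # static route for the remote LAN does not point at the tunnel
    if trace["denied"]:
        return "NO_POLICY"     # routed into the tunnel, but no LAN->tunnel policy matched
    return "OK"


if __name__ == "__main__":
    for tid, t in parse_flow_trace(SAMPLE_FLOW).items():
        print(tid, t["src"], "->", t["dst"], "via", t["route_iface"],
              "policy", t["policy"], assess(t, "ToBranch"))
```

Replace "ToBranch" with the real phase 1 interface name when running this over your own trace; a WRONG_ROUTE on a flow toward the remote LAN means the static route is the problem, a NO_POLICY means the traffic reached the tunnel interface but fell through to policy 0.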
Could you please check whether you are filtering the traffic that traverses the VPN in your phase 2? If the static route is correct and the security policies are correct, then the only thing I can think of is the phase 2 configuration.