Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mateusz28
New Contributor

IP sec connection between Teltonika RUT 955 and Fortigate 40F

Hi,

I have problem with connection two routers with using Ipsec Tunel. 

 

In one side  (behind Teltonika router) I have Local Area Network with IP 10.1.0.0/24. (Network A)

Behind Fortigate i Have LAN with IP 10.1.1.0/24. (Network B). (Fortigate LAN IPv4 adress 10.1.1.1

 

My tunel is rising up, but i don't have access from Network A to Network B and other way

 

Configuration IPSec tunel in Teltonika:

telto.png

 Configuration IPSec tunel in Fortigate:

for1.pngforti2.png

 

Both routers have a fixed IPv4 address  (WAN address). My purpose is have full access  from one computer in network B to all network A and vice versa.

 

4 REPLIES 4
hbac
Staff
Staff

Hi @Mateusz28,

 

Do you have firewall policies to allow the traffic? You can run debug flow to see if the traffic is being dropped by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards, 

Mateusz28
New Contributor

 yes, I've allowed every traffic with every protocol between devices

mle2802
Staff
Staff

Can you run the following command when reach network B from A with ping protocol to see if traffic is allowed and route correctly on FortiGate:

diag debug reset
diag debug flow filter addr X.X.X.X (computer IP where you ping from)
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999

Regards,
Minh

ezhupa
Staff
Staff

Hello Mateusz28, 

 

Make sure the Local-GW IP you have configured on the IPSEC configuration is also present in the WAN1 either as a primary IP or secondary IP

If the tunnel is already up , both phase1 and phase2 traffic should be flowing. 
Are you generating traffic from a host in network 10.1.1.X/24 towards 10.1.0.X/24? 
In that case what you would need to check is: 
1) Routing - is there any static route configured? 
get router info routing-table details x.x.x.x   <-- x.x.x.x is the destination you are trying to ping. 
2) Firewall Policy - are there FW policies configured to allow this traffic? 
You would need 2 policies, one LAN -> IPSEC, the other IPSEC -> LAN for the return traffic.
Double-check the configuration just in case, sometimes there is a small thing that has caused the issue. 
If all of the above is checked and configured correctly try setting NAT-T to forced on the FGT side just in case maybe some traffic is being dropped by ISP. 
Hope this helps.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors