Hi!
I am just trying to set up a new VPN, but cannot get it into a working condition...
Goal is: NAT all the traffic from internal to the remote net 172.16.1.0/24 to source IP 192.168.99.1 and send it into the VPN.
Tunnel is configured and up.
Phase 1 is running.
Phase 2 is configured as: 192.168.99.0/24 to 172.16.1.0/24
Firewall-Policy: Internal to VPN-Tunnel, ANY, ANY, Allow - with NAT
VPN-Tunnel comes up, but there seems to be no data sent into the tunnel.
Can you give me a hint about what I am missing?
Thank you for your help!!
KPS
You are masking everything behind 192.168.99.0/24? If yes, ensure the src/dst-subnets allow for SRC 192.168.99.0/24 and that the DST-SUBNET at the remote site is correct.
I didn't quite understand the following:
Phase 2 is configured as: 192.168.99.0/24 to 172.16.1.0/24
Can you copy out the VPN phase2 settings and post them here?
Ken Felix
PCNSE
NSE
StrongSwan
Hi!
Thank you for your answer!
<code>
config vpn ipsec phase2-interface
(phase2-interface) # show
config vpn ipsec phase2-interface
    edit "XXX-VPN"
        set phase1name "XXX-VPN"
        set proposal aes256-sha256
        set dhgrp 14
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.99.0 255.255.255.255
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end
</code>
Interface-IP on XXX-VPN is: 192.168.99.1
Firewall-Policy is: Allow everything to XXX-VPN WITH NAT.
Thank you for your help!
Is "set dst-subnet 172.16.1.0 255.255.255.0" the destination? And are you sure the internal LANs are being SNATed behind 192.168.99.1?
So you should have interface XXX-VPN; run a diag sniffer packet XXX-VPN "dst net 172.16.1" and do you see traffic? Also, have you validated the routing for the destination network?
get router info routing all | grep 172.16.1
Ken Felix
PCNSE
NSE
StrongSwan
emnoc wrote: Is "set dst-subnet 172.16.1.0 255.255.255.0" the destination? And are you sure the internal LANs are being SNATed behind 192.168.99.1?
I do not control the destination, but I think so. SNAT is set in the firewall policies.
emnoc wrote: So you should have interface XXX-VPN; run a diag sniffer packet XXX-VPN "dst net 172.16.1" and do you see traffic? Also, have you validated the routing for the destination network?
get router info routing all | grep 172.16.1
Routing seems to be OK; get router info shows the route to XXX-VPN.
diag sniffer shows:
<code>
diag sniffer packet XXX-VPN
interfaces=[XXX-VPN]
filters=[none]
9.402354 192.268.99.1 -> 172.16.1.10: icmp: echo request
</code>
Do you have any idea, what the problem could be?
A diag vpn tunnel list and a review of the IPsec SAs and counters would be a start. You probably have one-way IPsec SAs: encrypt only and no decrypt on traffic sent to 192.168.99.1 (you had 192.268.99.1 in your typed screen, btw).
I would double-check the IPsec SAs and ensure matching SPIs and correct proxy-IDs.
Ken Felix
PCNSE
NSE
StrongSwan
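Added example (my own, not part of the thread and not Fortinet tooling): emnoc's two checks above, "are the internal LANs SNATed behind 192.168.99.1" and "ensure correct proxy-IDs", can be worked through offline. The script takes the phase2 entry exactly as posted (note the 255.255.255.255 mask on src-subnet, which makes that selector the single host 192.168.99.0 while the policy SNATs to 192.168.99.1), a constructed internal host 10.0.0.5, and an assumed peer-side selector (the poster does not control the remote end), and reports whether the post-NAT packet falls inside the local selector and whether the two sides' proxy-IDs mirror each other. A packet that matches no phase-2 selector is not encrypted into that SA even though the sniffer shows it on the tunnel interface. Whether this is the actual cause on the poster's unit cannot be confirmed from the thread; it is the kind of mismatch these checks exist to find.

```python
"""
Added example (not from the forum thread): check whether a flow, after the
firewall policy's source NAT, falls inside an IPsec phase-2 selector, and
whether the local and remote selectors mirror each other (the proxy-ID
check). POSTED is taken from the config pasted in the thread; everything
else is a labelled assumption or constructed sample input.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    """One phase2-interface entry as seen from the side that owns it."""
    name: str
    src_subnet: IPv4Network
    dst_subnet: IPv4Network


def fortios_subnet(addr: str, mask: str) -> IPv4Network:
    """Convert a FortiOS 'set src-subnet <ip> <mask>' pair into a network.
    strict=False tolerates host bits (e.g. 192.168.99.1 255.255.255.0)."""
    return ip_network(f"{addr}/{mask}", strict=False)


def check_flow(p2: Phase2, src: str, dst: str,
               snat_ip: Optional[str] = None) -> dict:
    """Report whether the packet the tunnel will see (post-NAT) matches p2.

    snat_ip is the address the firewall policy rewrites the source to;
    None means the policy has NAT disabled and the LAN source is kept.
    """
    pre_nat = ip_address(src)
    post_nat = ip_address(snat_ip) if snat_ip else pre_nat
    dst_addr = ip_address(dst)
    src_ok = post_nat in p2.src_subnet
    dst_ok = dst_addr in p2.dst_subnet
    return {
        "phase2": p2.name,
        "pre_nat_src": str(pre_nat),
        "post_nat_src": str(post_nat),
        "src_in_selector": src_ok,
        "dst_in_selector": dst_ok,
        "matches": src_ok and dst_ok,
    }


def mirrors(local: Phase2, remote: Phase2) -> bool:
    """Proxy-IDs must be mirror images: my src is their dst and vice versa."""
    return (local.src_subnet == remote.dst_subnet
            and local.dst_subnet == remote.src_subnet)


# --- Data from the thread (POSTED) and constructed assumptions -------------
# Exactly as pasted: note the 255.255.255.255 mask on src-subnet.
POSTED = Phase2(
    name="XXX-VPN (as posted)",
    src_subnet=fortios_subnet("192.168.99.0", "255.255.255.255"),
    dst_subnet=fortios_subnet("172.16.1.0", "255.255.255.0"),
)
# Assumption: the same entry with the /24 mask the original post describes.
CORRECTED = Phase2(
    name="XXX-VPN (assumed /24 src-subnet)",
    src_subnet=fortios_subnet("192.168.99.0", "255.255.255.0"),
    dst_subnet=fortios_subnet("172.16.1.0", "255.255.255.0"),
)
# Assumption: what the remote peer (not controlled by the poster) has.
REMOTE = Phase2(
    name="peer side (assumed)",
    src_subnet=fortios_subnet("172.16.1.0", "255.255.255.0"),
    dst_subnet=fortios_subnet("192.168.99.0", "255.255.255.0"),
)
SNAT_IP = "192.168.99.1"      # from the thread: the XXX-VPN interface IP
LAN_HOST = "10.0.0.5"         # constructed internal host (not in the thread)
REMOTE_HOST = "172.16.1.10"   # the ping target seen in the sniffer output


if __name__ == "__main__":
    for p2 in (POSTED, CORRECTED):
        r = check_flow(p2, LAN_HOST, REMOTE_HOST, SNAT_IP)
        print(f"{r['phase2']}: {r['pre_nat_src']} -> SNAT {r['post_nat_src']} "
              f"-> {REMOTE_HOST}: selector match = {r['matches']}")
        print(f"  proxy-IDs mirror the assumed peer: {mirrors(p2, REMOTE)}")
    # Without SNAT the LAN source is outside every selector, so NAT is needed.
    print("no-NAT match:", check_flow(CORRECTED, LAN_HOST, REMOTE_HOST)["matches"])
```

Run against the posted entry it reports no selector match for the SNATed packet and no mirror with the assumed peer; with the /24 mask both checks pass. The same functions work for any other phase2 entry by substituting the address/mask pairs from `show`.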
Copyright 2024 Fortinet, Inc. All Rights Reserved.