IPSEC Tunnel Static Route
Hello All and thanks for the help in advance:
I have two FortiGate firewalls I have inherited and I am in need of some help. At the head-end, I have a 90D and at the remote-end, I have a 90E. The IPSEC tunnel had been created and I am trying to add in a route to a new network at the head end.
So the network looks something like this:
192.168.20.0/24
192.168.1.0/24
-------------------
90D (192.168.1.28)
-------------------
Internet
-------------------
90E (192.168.2.253)
-------------------
192.168.2.0/24
I can get from 192.168.2.0 to 192.168.1.0 with no issues. That was the IPSEC tunnel that was created before. I am trying to add 192.168.20.0.
Attached to the 90D, I have a Cisco L3 switch (192.168.1.2) that acts as the router to the 20 network. The Cisco has a default route to the 90D (192.168.1.28). From the 20 network today, I can surf the web, which is out of the 90D, but I cannot get to anything in the 192.168.2.0 network on the other side of the tunnel. Nor can I get from .2 to anything on the .20 network.
Traceroutes from the 192.168.2.0 to the working 1 network show (from 192.168.2.95 to 192.168.1.250):
Tracing route to 192.168.1.250 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.253
2 35 ms 37 ms 36 ms 192.168.1.28
3 37 ms 36 ms 37 ms 192.168.1.250
Trace complete.
Traceroutes from the 192.168.2.0 to the new 20 network show (from 192.168.2.95 to 192.168.20.53):
Tracing route to 192.168.20.53 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.2.253
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
I have added a static route to the 90E; I thought that would fix the problem. However, all I can do is tell it that the endpoint is the tunnel, not the router on the other end (192.168.1.2).
Any help would be appreciated.
Thanks again
You have 4 tunnels to reach 192.168.1.0/24 configured: To_HQ, To_HQ_WAN2, To_REM2_HQ1, and To_REM2_HQ2.
You need to figure out why there are 4 tunnels and their intended purposes. But based on the routing table, currently only To_HQ_WAN2 seems to be up.
You also need to make sure .20.0/24 is in phase1-selectors if you're not using 0/0<->0/0.
typo: phase2-selectors.
You need firewall policy, route, and phase-2 selector to be able to connect to the remote network. Please verify you have all of them in place.
-prithvi
It works if you leave the phase2 selectors at 0.0.0.0/0.0.0.0 and create static routes and the required policies on both ends. Did that here various times...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Found the issue. Everyone who posted was correct about Phase 2 missing the network. The issue seemed to arise from the legacy config. I had inherited this and it looks like it was created using the Wizard. Using the Wizard you can only have one network. I changed it to custom and everything now works.
Thanks, everyone, for the help!
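The three pieces prithvi lists (policy, route, phase 2 selector), written out as FortiOS CLI for this thread's topology. This is an added example, not config posted in the thread; the selector, address and interface names are assumptions, and the tunnel name To_HQ_WAN2 is the one the first reply identified as up.

```text
# ---- 90E (remote end, 192.168.2.0/24 side) ----
# Phase 2: one selector per remote subnet (a wizard-built tunnel only has
# one, which is why the OP had to switch the tunnel to "custom").
config vpn ipsec phase2-interface
    edit "To_HQ_WAN2_p2_net20"           # assumed selector name
        set phase1name "To_HQ_WAN2"      # tunnel name taken from the thread
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
# Route: the tunnel interface is the egress, not the Cisco at 192.168.1.2
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "To_HQ_WAN2"
    next
end
# Policy: scope to the two subnets instead of "all" so only this traffic rides the tunnel
config firewall address
    edit "REM_net_2"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "HQ_net_20"
        set subnet 192.168.20.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "LAN_to_HQ_net20"
        set srcintf "internal"           # assumed LAN interface name
        set dstintf "To_HQ_WAN2"
        set srcaddr "REM_net_2"
        set dstaddr "HQ_net_20"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- 90D (head end) ---- mirror image: phase 2 with src/dst swapped, a policy
# from the tunnel interface to the LAN, and a route that hands 192.168.20.0/24
# to the Cisco L3 switch that actually owns that network.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set gateway 192.168.1.2
        set device "internal"            # assumed LAN interface name
    next
end
```

Sessions initiated from the .20 side additionally need the reverse policy (tunnel interface to LAN) on the 90E; `diagnose vpn tunnel list name To_HQ_WAN2` on either box should then show the 192.168.20.0/24 selector negotiated.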
Hi,
Did you create a policy for this new route?
Regards
Too late, I don't see the last message...