Hi,
I have to configure an IPsec tunnel between a FortiGate VM (local) and a FortiWiFi 40F (remote).
The remote site has a network configuration already used by another IPsec tunnel, so I have to add NAT on this tunnel.
The tunnel is UP and the configurations seem to be OK, but no packets are received on the remote site.
Some information:
<Local Networks>: 10.9.0.0/16 ; 10.20.0.0/16
<Remote Network>: 192.168.1.0/24
<Remote Network with NAT>: 192.168.10.0/24
My configuration:
- IPsec tunnel:
  local address: <Local Networks>
  remote address: <Remote Network with NAT>
- Static route:
  set dst 192.168.10.0 255.255.255.0
  set device "vpn"
- Firewall policy:
  Accept ALL from <Local Networks> to <Remote Network with NAT>
- IPsec tunnel:
  local address: <Remote Network with NAT>
  remote address: <Local Networks>
- Static route:
  set dst 10.0.0.0 255.0.0.0
  set device "vpn"
- Firewall policy:
  config firewall policy
      edit 1
          set srcintf "internal"
          set dstintf "vpn"
          set srcaddr "<Remote Network>"
          set dstaddr "<Local Networks>"
          set action accept
          set schedule "always"
          set service "ALL"
          set logtraffic all
          set ippool enable
          set poolname "ip-pool"
          set nat enable
      next
  end
  config firewall ippool
      edit "ip-pool"
          set startip 192.168.10.1
          set endip 192.168.10.254
          set source-startip 192.168.1.1
          set source-endip 192.168.1.254
      next
  end
  config firewall policy
      edit 2
          set srcintf "vpn"
          set dstintf "internal"
          set srcaddr "<Local Networks>"
          set dstaddr "vip"
          set action accept
          set schedule "always"
          set service "ALL"
          set logtraffic all
      next
  end
  config firewall vip
      edit "vip"
          set extip 192.168.10.1-192.168.10.254
          set mappedip "192.168.1.1-192.168.1.254"
      next
  end
Problem:
On local:
diagnose sniffer packet vpn
4.101766 10.20.x.x -> 192.168.10.x: icmp: echo request
8.716446 10.20.x.x -> 192.168.10.x: icmp: echo request
13.714733 10.20.x.x -> 192.168.10.x: icmp: echo request
18.715851 10.20.x.x -> 192.168.10.x: icmp: echo request
On remote:
diagnose sniffer packet vpn
<<nothing>>
Packets are sent from local but not received by remote.
Do you have any ideas?
Hi bob654,
As per the sniffer info you shared from the local FGT, the packet seems to leave interface vpn, but the actual packet processing is seen when debugging the traffic flow.
Set up the PuTTY sessions below on both FGTs first and then initiate the traffic from local to remote.
ON LOCAL:
Putty 1:
diag debug reset
diag debug en
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr 192.168.10.X
diag debug flow filter proto 1
diag debug flow trace start 999
Before executing the above commands, ensure that there are no existing sessions from the IP. After executing the above commands, ping the destination IP behind the remote side. Once you see the output generated, enter the following commands to turn off debugging:
diag debug disable
diag debug reset
Putty 2:
get router info routing-table details 192.168.10.X
get router info routing-table details <src ip>
ON REMOTE
Putty 1:
diag debug reset
diag debug en
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr 10.20.X.X
diag debug flow filter proto 1
diag debug flow trace start 999
Before executing the above commands, ensure that there are no existing sessions from the IP. After executing the above commands, ping the destination IP behind the remote side. Once you see the output generated, enter the following commands to turn off debugging:
diag debug disable
diag debug reset
Putty 2:
get router info routing-table details 192.168.1.X
get router info routing-table details <10.20.x.x>
Thanks
Hi ntaneja,
Thanks to the debug, I found the mistake.
My ping tests were done from a VM with multiple NICs. The ping was received from the wrong interface (so the wrong IP), and this subnet was not set in the IPsec tunnel.
I've tested from another VM with one NIC in the right VLAN and it works fine.
Thanks for your help!
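The root cause in this thread was a source address that fell outside the tunnel's phase-2 selectors, which is exactly the kind of thing a quick offline check over a sniffer capture catches. The script below is an added example, not code from the thread or from Fortinet: it takes the selectors and the ip-pool/VIP ranges from the post, parses lines in the format of `diagnose sniffer packet`, flags flows that are not covered by the selectors, and shows which real 192.168.1.x host a NATted 192.168.10.x destination will reach. The sample capture lines are constructed (the post masks host octets with "x"), and the script assumes the pool and VIP map the two /24 ranges with a fixed one-to-one offset, as the posted ranges imply.

```python
import ipaddress
import re

# Addresses taken from the forum post: the local FortiGate's phase-2 selectors
# and the remote FortiWiFi's 1:1 ip-pool / VIP ranges.
LOCAL_SELECTORS = [
    ipaddress.ip_network("10.9.0.0/16"),
    ipaddress.ip_network("10.20.0.0/16"),
]
REMOTE_NAT_SELECTOR = ipaddress.ip_network("192.168.10.0/24")

# ip-pool: 192.168.1.1-254 is translated to 192.168.10.1-254, and the VIP
# maps the same range back, so the translation is a fixed offset (assumption).
POOL_START = ipaddress.ip_address("192.168.10.1")
POOL_END = ipaddress.ip_address("192.168.10.254")
SOURCE_START = ipaddress.ip_address("192.168.1.1")
SOURCE_END = ipaddress.ip_address("192.168.1.254")

# One "diagnose sniffer packet" line: "<ts> <src> -> <dst>: <info>"
SNIFFER_RE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+)\s+->\s+(\S+):\s+(.*)$")

# Constructed sample capture (the post itself masks host octets with "x").
SAMPLE_SNIFFER = [
    "4.101766 10.20.5.7 -> 192.168.10.20: icmp: echo request",   # inside selectors
    "8.716446 172.16.4.9 -> 192.168.10.20: icmp: echo request",  # wrong-NIC source
    "13.714733 10.9.1.2 -> 192.168.1.20: icmp: echo request",    # real, un-NATted dst
    "this line is not a sniffer record",
]


def parse_sniffer_line(line):
    """Return (timestamp, src, dst, info) for one sniffer line, else None."""
    m = SNIFFER_RE.match(line)
    if m is None:
        return None
    ts, src, dst, info = m.groups()
    return float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), info


def in_tunnel_selectors(src, dst):
    """True when the flow is inside the local side's phase-2 selectors."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in net for net in LOCAL_SELECTORS) and dst in REMOTE_NAT_SELECTOR


def nat_to_real(nat_dst):
    """Undo the remote VIP: 192.168.10.N -> 192.168.1.N, or None if outside the pool."""
    nat_dst = ipaddress.ip_address(nat_dst)
    if not POOL_START <= nat_dst <= POOL_END:
        return None
    return str(SOURCE_START + (int(nat_dst) - int(POOL_START)))


def real_to_nat(real_src):
    """Apply the remote ip-pool: 192.168.1.N -> 192.168.10.N, or None if outside."""
    real_src = ipaddress.ip_address(real_src)
    if not SOURCE_START <= real_src <= SOURCE_END:
        return None
    return str(POOL_START + (int(real_src) - int(SOURCE_START)))


def audit(lines):
    """Classify each capture line: is it covered by the selectors, and which real
    remote host will it reach once the remote VIP has de-NATted the destination?"""
    report = []
    for line in lines:
        parsed = parse_sniffer_line(line)
        if parsed is None:
            continue  # skip non-record lines such as the sniffer's header
        _, src, dst, _ = parsed
        covered = in_tunnel_selectors(src, dst)
        report.append({
            "src": str(src),
            "dst": str(dst),
            "covered": covered,
            "real_dst": nat_to_real(dst) if covered else None,
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_SNIFFER):
        verdict = "OK" if entry["covered"] else "NOT IN SELECTORS"
        print(f'{entry["src"]:>14} -> {entry["dst"]:<16} {verdict}  real dst: {entry["real_dst"]}')
```

Run it against a saved `diagnose sniffer packet vpn` capture: any line reported as NOT IN SELECTORS will never be encrypted into this tunnel, whatever the sniffer on the tunnel interface shows, so either the host's source interface or the phase-2 selectors need attention. A destination reported with a `real_dst` of None while covered cannot happen with these ranges, but would indicate a VIP whose extip range does not line up with the ip-pool.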