Hi All,
IPSec VPN is configured this way:
HO: LAN [192.168.7.0/24] - WAN --- IPSEC VPN --- WAN --- DMZ Zone [10.10.10.0/24]: BO
On both ends FortiGate routers.
VPN tunnel is up but traffic doesn't go to\from.
Checked firewall rules - ALL allowed to\from on both ends
Checked static routes - for both 192.168.7.0/24 and 10.10.10.0/24 static routes exist with VPN interfaces as destinations.
Is there anything special about configuring VPN for DMZ Zone?
In the HO IPSec VPN tunnels to other branches works like a charm, but IPSec VPN to the BO in question with LAN in DMZ doesn't work.
I compared IPSec VPN configuration and the only difference is in other branches VPN tunnels connect LAN to LAN and in this case it is LAN to DMZ.
Solved! Go to Solution.
When I recreated VPN tunnel instead of LAN interface I specified Servers Network (SERVERS) VLAN interface.
Hi MadDog_2023,
Hope you are doing good.
As I understand, you are facing the issue with traffic passing through IPsec VPN tunnel. To check the issue regarding traffic, please share the below output:
diagnose debug reset
diagnose debug disable
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter saddr <source IP address>
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow trace start 99
diagnose debug enable
NOTE: Replicate the issue, After 5-10sec, disable the logs by executing:
diagnose debug disable
diagnose debug flow trace stop
Regards,
Parteek
Hi parteeksharma,
I run the commands.
Could you please advise where can I get output?
Hi @MadDog_2023
Run this command on your HO firewall :
Example : diagnose sniffer packet any "host <IP> and icmp" 4 0 l ------------replace <IP> with the IP of the end machine from where you are initiating the traffic.
If you are seeing traffic coming on your LAN interface and going out via the ipsec tunnel interface then it means policy is fine and we are sending the packet out.
If not then run the debug flow to find the reason.
Follow the commands shared by @parteeksharma and share the output.
I checked IPSec monitor.
I can incoming data from BO DMZ but can't see outgoing data from HO LAN.
Does that mean the issue is on HO FortiGate side?
Hi @MadDog_2023
As I understand, traffic from BO DMZ is received at the HO firewall, but you do not see an outgoing reply/response from HO LAN?
If so collect the debug to see if this traffic is allowed and being forwarded to the HO LAN interface.
If it allowed by right policy and forwarded to LAN interface and you do not see a reply back, validate if the reverse route for the BO subnet available at HO LAN PC/server.
Debug commands:
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr <source IP address>
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow trace start 255
diagnose debug enable
NOTE: Replicate the issue, After 5-10sec, disable the logs by executing:
diagnose debug disable
Hi Keerthu_A,
After or while I run the suggested commands do I need to generate some traffic from HO to BO or vice versa (for example ping from HO to BO)?
Also, once I run diagnose debug disable where can I see debug output?
Hi @MadDog_2023,
Run the below debug commands on both ends.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr <source IP address>
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow trace start 255
diagnose debug enable
once the commands are enabled, genrate the traffic from HO to BO or vice versa(as per your requirement)
once traffic is generated you should see the logs on the cli console/putty
once traffic initiated wait for few seconds and then disable the debug using below command(to stop capturing more logs)
diagnose debug disable
Hi Keerthi_A
diagnose debug flow filter saddr <source IP address>
diagnose debug flow filter daddr <destination IP address>
For source and destination IP addresses should I put any local addresses from LAn and DMZ or it should be public addresses of both ends?
192.168.7.x and 10.10.10.y since you said the tunnel was "UP". Then send packets like ping from .x to .y if you're going to run the flow debug on .x side.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.