IPSec VPN between LAN and DMZ zone

MadDog_2023 · ‎09-13-2023

Hi All,

IPSec VPN is configured this way:

HO: LAN [192.168.7.0/24] - WAN --- IPSEC VPN --- WAN --- DMZ Zone [10.10.10.0/24]: BO

On both ends FortiGate routers.

VPN tunnel is up but traffic doesn't go to\from.

Checked firewall rules - ALL allowed to\from on both ends

Checked static routes - for both 192.168.7.0/24 and 10.10.10.0/24 static routes exist with VPN interfaces as destinations.

Is there anything special about configuring VPN for DMZ Zone?

In the HO IPSec VPN tunnels to other branches works like a charm, but IPSec VPN to the BO in question with LAN in DMZ doesn't work.

I compared IPSec VPN configuration and the only difference is in other branches VPN tunnels connect LAN to LAN and in this case it is LAN to DMZ.

MadDog_2023 · ‎09-18-2023

When I recreated VPN tunnel instead of LAN interface I specified Servers Network (SERVERS) VLAN interface.

View solution in original post

MadDog_2023 · ‎09-15-2023

The VPN Tunnel was rebuilt.

On the screenshot you can see my LAN interface.

In addition to initial 192.168.7.0/24 I decided to advertise 192.168.6.0/24 as well.

What is happening now is traffic flows perfectly from DMZ in BO to 192.168.6.0/24 subnet in HO but still doesn't work between DMZ and 192.168.7.0/24.

MadDog_2023 · ‎09-15-2023

The same config does work with another 5 branches but not with the last one which makes little sense for me.

maulishshah · ‎09-15-2023

@MadDog_2023,

Could you please set up two computers on opposite sides of the tunnel?

192.168.7.x <IPSEC> 10.10.10.x

Please configure debug commands on both firewalls using the following commands:

di de reset

di de flow filter addr 10.10.10.x (where x is the host of the specific subnet)

di de flow show function en

di de flow trace start 9999

di de en

Now please initiate the ping from 192.168.7.x to 10.10.10.x

Please post the initial packets from both sides on the forum for examination. If you are uncertain, it may be necessary to open a case with the TAC, and we will assist you.

Maulish Shah

MadDog_2023 · ‎09-17-2023

Hi all,

I'm entering the commands following your instructions but I can't see anything in the CLI and FortiGate web management panel.

Pig is running from 192.168.7.0/24 subnet to 10.10.10.11.

Where do I see the output?

Toshi_Esumi · ‎09-17-2023

Probably because it offloaded to ASIC. Stop current continuous pinging, change the flow debugging's destination IP to something else in the 10.10.10.0/24 other than .11. Then after you started flow debugging, start pinging to the new IP. Then first three packets shouldn't get offloaded and that should be enough for the flow debugging.

If still doesn't work, you might need to disable ASIC offloading on the pair of (inbound and outbound) your VPN policies with "set auto-asic-offload disable".

Toshi

MadDog_2023 · ‎09-17-2023

Below are the screenshots of the IPSec VPN tunnel on the BO side.

IPSec Tunnel itself

Static route

Outgoing firewall rule

Incoming firewall rule

LAN interface

For green subnet traffic flows to\from over VPN.

For red subnet traffic doesn't flow to\from over VPN.

MadDog_2023 · ‎09-17-2023

The issue seems has been resolved.

MadDog_2023 · ‎09-18-2023

When I recreated VPN tunnel instead of LAN interface I specified Servers Network (SERVERS) VLAN interface.

Toshi_Esumi · ‎09-18-2023

FortiGates treat all VLAN interfaces as independent interfaces just like their parent interfaces like "LAN(internal)". You have to refer them independently when you set up tunnels or other objects. Policies also need to set independently unless you set zones.

Toshi

MadDog_2023 · ‎09-18-2023

Got it. I though when building a tunnel for a VLAN interface a parent interface should be specified and then VLAN subnet should be entered explicitly for phase 1 but I was wrong.