- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSec VPN between LAN and DMZ zone
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec VPN between LAN and DMZ zone
Hi All,
IPSec VPN is configured this way:
HO: LAN [192.168.7.0/24] - WAN --- IPSEC VPN --- WAN --- DMZ Zone [10.10.10.0/24]: BO
On both ends FortiGate routers.
VPN tunnel is up but traffic doesn't go to\from.
Checked firewall rules - ALL allowed to\from on both ends
Checked static routes - for both 192.168.7.0/24 and 10.10.10.0/24 static routes exist with VPN interfaces as destinations.
Is there anything special about configuring VPN for DMZ Zone?
In the HO IPSec VPN tunnels to other branches works like a charm, but IPSec VPN to the BO in question with LAN in DMZ doesn't work.
I compared IPSec VPN configuration and the only difference is in other branches VPN tunnels connect LAN to LAN and in this case it is LAN to DMZ.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I recreated VPN tunnel instead of LAN interface I specified Servers Network (SERVERS) VLAN interface.
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MadDog_2023,
Hope you are doing good.
As I understand, you are facing the issue with traffic passing through IPsec VPN tunnel. To check the issue regarding traffic, please share the below output:
diagnose debug reset
diagnose debug disable
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter saddr <source IP address>
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow trace start 99
diagnose debug enable
NOTE: Replicate the issue, After 5-10sec, disable the logs by executing:
diagnose debug disable
diagnose debug flow trace stop
Regards,
Parteek
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi parteeksharma,
I run the commands.
Could you please advise where can I get output?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MadDog_2023
Run this command on your HO firewall :
Example : diagnose sniffer packet any "host <IP> and icmp" 4 0 l ------------replace <IP> with the IP of the end machine from where you are initiating the traffic.
If you are seeing traffic coming on your LAN interface and going out via the ipsec tunnel interface then it means policy is fine and we are sending the packet out.
If not then run the debug flow to find the reason.
Follow the commands shared by @parteeksharma and share the output.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked IPSec monitor.
I can incoming data from BO DMZ but can't see outgoing data from HO LAN.
Does that mean the issue is on HO FortiGate side?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MadDog_2023
As I understand, traffic from BO DMZ is received at the HO firewall, but you do not see an outgoing reply/response from HO LAN?
If so collect the debug to see if this traffic is allowed and being forwarded to the HO LAN interface.
If it allowed by right policy and forwarded to LAN interface and you do not see a reply back, validate if the reverse route for the BO subnet available at HO LAN PC/server.
Debug commands:
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr <source IP address>
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow trace start 255
diagnose debug enable
NOTE: Replicate the issue, After 5-10sec, disable the logs by executing:
diagnose debug disable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Keerthu_A,
After or while I run the suggested commands do I need to generate some traffic from HO to BO or vice versa (for example ping from HO to BO)?
Also, once I run diagnose debug disable where can I see debug output?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MadDog_2023,
Run the below debug commands on both ends.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr <source IP address>
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow trace start 255
diagnose debug enable
once the commands are enabled, genrate the traffic from HO to BO or vice versa(as per your requirement)
once traffic is generated you should see the logs on the cli console/putty
once traffic initiated wait for few seconds and then disable the debug using below command(to stop capturing more logs)
diagnose debug disable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Keerthi_A
diagnose debug flow filter saddr <source IP address>
diagnose debug flow filter daddr <destination IP address>
For source and destination IP addresses should I put any local addresses from LAn and DMZ or it should be public addresses of both ends?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
192.168.7.x and 10.10.10.y since you said the tunnel was "UP". Then send packets like ping from .x to .y if you're going to run the flow debug on .x side.
Toshi
Related Posts
- SSL VPN 112 Views
- VXLAN, Virtual Switch and MTU 87 Views
- IPSec tunnel error : no SA... 163 Views
- SD-WAN IPSec Main Backup tunnels with... 148 Views
- IPSEC Down After Changing the IP... 81 Views
Labels
-
FortiGate
6,534 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.