Hi All,
IPSec VPN is configured this way:
HO: LAN [192.168.7.0/24] - WAN --- IPSEC VPN --- WAN --- DMZ Zone [10.10.10.0/24]: BO
On both ends FortiGate routers.
VPN tunnel is up but traffic doesn't go to/from.
Checked firewall rules - ALL allowed to/from on both ends.
Checked static routes - for both 192.168.7.0/24 and 10.10.10.0/24 static routes exist with VPN interfaces as destinations.
Is there anything special about configuring VPN for DMZ Zone?
In the HO, IPSec VPN tunnels to other branches work like a charm, but the IPSec VPN to the BO in question, with its LAN in the DMZ, doesn't work.
I compared the IPSec VPN configurations and the only difference is that in the other branches the VPN tunnels connect LAN to LAN, while in this case it is LAN to DMZ.
When I recreated the VPN tunnel, instead of the LAN interface I specified the Servers Network (SERVERS) VLAN interface.
The VPN Tunnel was rebuilt.
On the screenshot you can see my LAN interface.
In addition to initial 192.168.7.0/24 I decided to advertise 192.168.6.0/24 as well.
What is happening now is that traffic flows perfectly from the DMZ in the BO to the 192.168.6.0/24 subnet in the HO, but still doesn't work between the DMZ and 192.168.7.0/24.
The same config does work with another 5 branches but not with the last one, which makes little sense to me.
Could you please set up two computers on opposite sides of the tunnel?
192.168.7.x <IPSEC> 10.10.10.x
Please configure debug commands on both firewalls using the following commands:
di de reset
di de flow filter addr 10.10.10.x (where x is the host in the specific subnet)
di de flow show function en
di de flow trace start 9999
di de en
Now please initiate the ping from 192.168.7.x to 10.10.10.x
Please post the initial packets from both sides on the forum for examination. If you are uncertain, it may be necessary to open a case with the TAC, and we will assist you.
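The debug session requested above, written out in unabbreviated FortiOS CLI together with the checks I would run alongside it (tunnel state, phase-2 selectors, routing, session state, and the cleanup at the end). This is an added example, not part of the original reply or Fortinet documentation; the tunnel name VPN_BO and the test hosts 192.168.7.10 and 10.10.10.11 are assumptions for illustration.

```fortios
# Added example (not from the original post). Assumed tunnel name: VPN_BO,
# assumed test hosts: 192.168.7.10 (HO LAN) and 10.10.10.11 (BO DMZ).

# 1. Confirm phase 1 and phase 2 are up and note the phase-2 selectors:
#    the src/dst proxyid ranges must cover 192.168.7.0/24 <-> 10.10.10.0/24.
diagnose vpn ike gateway list name VPN_BO
diagnose vpn tunnel list name VPN_BO

# 2. Confirm the route to the remote subnet points at the tunnel interface.
get router info routing-table all

# 3. Flow trace: the abbreviated commands above, written in full.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.10.10.11
diagnose debug flow show function-name enable
diagnose debug flow trace start 9999
diagnose debug enable

# 4. From 192.168.7.10, start the ping now. In the trace, look for the
#    "find a route" line (which interface/gateway was chosen) and for
#    "Allowed by Policy-N" or "Denied by forward policy check".

# 5. If nothing is printed, a session for this flow may already exist and be
#    offloaded; list it, then test against a host with no existing session.
diagnose sys session filter dst 10.10.10.11
diagnose sys session list

# 6. Stop tracing when done so debug output does not keep running.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset
```

Run steps 3 to 6 on both FortiGates at the same time: the HO trace shows whether the packet is routed into the tunnel and which policy matches on the way out, and the BO trace shows whether the decrypted packet is accepted on the way in.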
Hi all,
I'm entering the commands following your instructions but I can't see anything in the CLI or the FortiGate web management panel.
Ping is running from the 192.168.7.0/24 subnet to 10.10.10.11.
Where do I see the output?
Probably because it was offloaded to the ASIC. Stop the current continuous pinging and change the flow debugging's destination IP to something else in 10.10.10.0/24 other than .11. Then, after you have started flow debugging, start pinging the new IP. The first three packets shouldn't get offloaded, and that should be enough for the flow debugging.
If it still doesn't work, you might need to disable ASIC offloading on the pair of (inbound and outbound) VPN policies with "set auto-asic-offload disable".
Toshi
Below are the screenshots of the IPSec VPN tunnel on the BO side.
IPSec Tunnel itself
Static route
Outgoing firewall rule
Incoming firewall rule
LAN interface
For the green subnet, traffic flows to/from over the VPN.
For the red subnet, traffic doesn't flow to/from over the VPN.
The issue seems to have been resolved.
When I recreated the VPN tunnel, instead of the LAN interface I specified the Servers Network (SERVERS) VLAN interface.
FortiGates treat all VLAN interfaces as independent interfaces, just like their parent interfaces such as "LAN(internal)". You have to refer to them independently when you set up tunnels or other objects. Policies also need to be set independently unless you set up zones.
Toshi
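A configuration sketch of the point Toshi makes, added here as an example and not taken from the thread or from Fortinet documentation: the VLAN interface is its own object, so the address objects, the phase-2 selectors and both policies name SERVERS rather than its parent internal (the IPsec wizard generates the same kind of objects from the local interface you pick). The names SERVERS, VPN_BO and the address objects, VLAN ID 7 and the gateway IP are assumptions; auto-asic-offload disable is the setting Toshi mentioned earlier for keeping sessions visible to flow debugging.

```fortios
# Added example, not from the thread. Assumed names: VLAN "SERVERS" on parent
# "internal" (VLAN ID 7, 192.168.7.1/24), tunnel "VPN_BO", address objects below.

# SERVERS is a separate interface object even though it rides on "internal".
config system interface
    edit "SERVERS"
        set vdom "root"
        set interface "internal"
        set vlanid 7
        set ip 192.168.7.1 255.255.255.0
        set allowaccess ping
    next
end

config firewall address
    edit "HO_SERVERS_NET"
        set subnet 192.168.7.0 255.255.255.0
    next
    edit "BO_DMZ_NET"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Phase-2 selectors must match the VLAN subnet, not the parent LAN subnet.
config vpn ipsec phase2-interface
    edit "VPN_BO_P2"
        set phase1name "VPN_BO"
        set src-subnet 192.168.7.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

# Policies reference the VLAN interface directly; a policy on "internal" does
# not match traffic on "SERVERS" unless both belong to the same zone.
# auto-asic-offload is disabled on both directions so the first packets of a
# session stay visible to "diagnose debug flow".
config firewall policy
    edit 0
        set name "SERVERS_to_BO_DMZ"
        set srcintf "SERVERS"
        set dstintf "VPN_BO"
        set srcaddr "HO_SERVERS_NET"
        set dstaddr "BO_DMZ_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
    next
    edit 0
        set name "BO_DMZ_to_SERVERS"
        set srcintf "VPN_BO"
        set dstintf "SERVERS"
        set srcaddr "BO_DMZ_NET"
        set dstaddr "HO_SERVERS_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
    next
end
```

Re-enable auto-asic-offload on both policies once troubleshooting is finished; it is only turned off here so that the flow trace shows the packets.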
Got it. I thought that when building a tunnel for a VLAN interface a parent interface should be specified and then the VLAN subnet should be entered explicitly for phase 1, but I was wrong.