Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

IPSec VPN not able to connect to one side of site to site VPN tunnel

Client is using 2 FortiGate 80E firewalls configured for site-to-site IPsec VPN; the tunnel is up, and users at both locations can access and ping across to the other site. When any user connects remotely via the FortiClient program, they can only access the location the VPN is on. Cannot ping across or resolve server names. Something changed a couple of months ago, as they were able to connect. We have checked settings on both ends but do not see what would prevent it. We recently onboarded this client and do not have older backup configs to compare.


So this means:


Dial-up IPsec FortiClient => FGT works, and one can reach the subnets on the FGT as one should.

But one cannot reach the subnet(s) behind the other end of the S2S IPsec between the two FGTs, correct?


I would recommend:


Connect FortiClient.

Check the routing table on the client.

Check the routing tables on both FGTs.

Check the policies on both FGTs.


Probably start a flow debug in the CLI on each FGT to see what happens to your traffic...


  diag debug ena
  diag debug flow filter clear
  diag debug flow filter saddr <ip>   (or: diag debug flow filter daddr <ip>)
  diag debug flow trace start <numberofpackets>


This will show you whether the traffic reaches the FGT and, if it does, which policy it hits and where it goes next.



"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
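To make sense of the trace output once it is captured, here is an added example (not from this thread or from Fortinet) that summarises constructed flow-trace lines per trace_id: which interface the packet came in on, which tunnel interface the route points at, and which policy allowed or denied it. The interface names, addresses, policy numbers and the exact line shapes are assumptions made up for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of "diag debug flow trace" output; not captured from the
# poster's firewalls, and the line shapes are an assumption about FortiOS output.
# Interface and policy names are made up: a FortiClient dial-up user at
# 10.212.134.200 pings two hosts on the subnet behind the S2S tunnel VPN_TO_SITEB.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.212.134.200:1->192.168.20.10:2048) from VPN_DIALUP. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.20.10 via VPN_TO_SITEB"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-12:"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.212.134.200:2->192.168.20.50:2048) from VPN_DIALUP. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.20.50 via VPN_TO_SITEB"
id=20085 trace_id=2 func=fw_forward_handler line=739 msg="Denied by forward policy check (policy 0)"
"""

PKT = re.compile(r'trace_id=(\d+) .*received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.(?=\s|")')
ROUTE = re.compile(r'trace_id=(\d+) .*find a route: .* via (\S+)"')
ALLOW = re.compile(r'trace_id=(\d+) .*Allowed by Policy-(\d+)')
DENY = re.compile(r'trace_id=(\d+) .*Denied by forward policy check \(policy (\d+)\)')


def triage(trace_text):
    """Summarise each trace_id: ingress interface, egress route and policy verdict."""
    flows = defaultdict(dict)
    for line in trace_text.splitlines():
        if m := PKT.search(line):
            flows[m[1]].update(src=m[2], dst=m[3], ingress=m[4])
        elif m := ROUTE.search(line):
            flows[m[1]]["egress"] = m[2]
        elif m := ALLOW.search(line):
            flows[m[1]].update(verdict="allowed", policy=int(m[2]))
        elif m := DENY.search(line):
            # policy 0 is the implicit deny: no policy matched ingress -> egress
            flows[m[1]].update(verdict="denied", policy=int(m[2]))
    for f in flows.values():
        f.setdefault("verdict", "no policy decision logged")
        # a route "via root" means no matching route: the packet never reached a tunnel
        f["routed_to_tunnel"] = f.get("egress", "root") != "root"
    return dict(flows)


if __name__ == "__main__":
    for tid, flow in triage(SAMPLE_TRACE).items():
        print(tid, flow)
```

A flow that is routed into the S2S tunnel but denied by policy 0 points at a missing dial-up-interface to S2S-interface policy; a flow that never appears in the trace at all means the client's route or the phase 2 selectors did not send it to this FGT.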
