Dear Scao/Scapraro,
we configure ipsec vpn site to site between fortigate 200D and watchguard , the parameter is same phase1 and phase2 both of them , ping from fgt to ip public remote site is OK, but tunnel still not up , so we do diagnose debug enable , it get message is
"could not send IKE packet (ident_i1send):119.252.165.09 :500->117.54.227.92:500, len=284: error 101:Network is unreachable".
what mean is it ->error 101:Network is unreachable, because ping to remote site is reply
Rgds
Ainul
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Did you choose the correct interface in the "local interface" section?
I guess it's WAN1 or someting similar.
Hi Nils,
what is it local interface ? on fgt or watchguard
In your VPN phase 1 settings on your fortigate.
You must specify the interface that is facing internet.
my interface
based on this debug log :
the ip fortigate is 119.252.165.09, and iP watchguard 117.54.227.92,
i think the fgt can't reach ip address watchguard, but it can ping remote ip (117.54.227.92)
could not send IKE packet (ident_i1send):119.252.165.09 :500->117.54.227.92:500, len=284: error 101:Network is unreachable".
Can you paste you IPSEC configuration here?
it's my config on FGT, just for info we already also setting up another tunnel site to site with cisco ASA on this fortigate it use same interface on port 4 (vietnam). it's connection is OK
edit "vpn_icc" set vdom "root" set type tunnel set snmp-index 24 set interface "port4" next edit "vpn_icc_local_subnet_1" set uuid ea9b90c0-9b59-51e6-74a3-7fee54be819e set subnet 172.17.134.0 255.255.255.0 edit "vpn_icc_remote_subnet_1" set uuid eaa347e8-9b59-51e6-28fe-95ca2ed91c23 set subnet 172.17.190.0 255.255.255.0 next edit "vpn_icc_local" set uuid ea9fea9e-9b59-51e6-9d6c-e4b394fc8a55 set member "vpn_icc_local_subnet_1" set comment "VPN: vpn_icc (Created by VPN wizard)" next edit "vpn_icc_remote" set uuid eaa78056-9b59-51e6-2f1c-b50243c4e877 set member "vpn_icc_remote_subnet_1" set comment "VPN: vpn_icc (Created by VPN wizard)" next edit "vpn_icc" set interface "port4" set keylife 28800 set proposal 3des-sha1 set comments "VPN: vpn_icc (Created by VPN wizard)" set dhgrp 2 set remote-gw 117.54.227.92 set psksecret ENC dmFyL1qRvDzrVtvNfXTHUh76D8+iujeEtwMnkyF+xAIErGqfQvARmPN9jjfMLfsbg0efDFEply/Vikyfu6A5l2Rj3IvGAeibC9XG8YTZFXCd6XyP5yVXDM5PWgCgD/GQxFoFbxsi2UvP+ieF52V6Kv+XA3cncnwjIsEmbB5uknpWOizg+J2AD05ys/101ocPVIYd/w== set keepalive 300 next config vpn ipsec phase2-interface edit "vpn_icc" set phase1name "vpn_icc" set proposal 3des-sha1 set dhgrp 2 set keylife-type both set comments "VPN: vpn_icc (Created by VPN wizard)" set keylifeseconds 28800 set keylifekbs 43200 set src-subnet 172.17.134.0 255.255.255.0 set dst-subnet 172.17.190.0 255.255.255.0 edit "segment128" set phase1name "vpn_icc" set proposal 3des-sha1 set dhgrp 2 set keepalive enable set auto-negotiate enable set keylife-type both set keylifeseconds 28800 set src-subnet 172.17.128.0 255.255.255.0 set dst-subnet 172.17.190.0 255.255.255.0 next end
config firewall policy edit 71 set uuid cdc5be4c-9b5b-51e6-c453-7a7851f046fa set srcintf "port3" "port2" set dstintf "vpn_icc" set srcaddr "vpn_icc_local" "172.17.128.0" set dstaddr "vpn_icc_remote" set action accept set schedule "always" set service "ALL" set logtraffic all set comments "VPN: vpn_icc (Created by VPN wizard)" next edit 70 set uuid eaace6ae-9b59-51e6-b483-b5175b71bf9d set srcintf "vpn_icc" set dstintf "port3" "port2" set srcaddr "vpn_icc_remote" set dstaddr "vpn_icc_local" "172.17.128.0" set action accept set schedule "always" set service "ALL" set logtraffic all set comments "VPN: vpn_icc (Created by VPN wizard)" next edit 39 set dst 172.17.190.0 255.255.255.0 set device "vpn_icc" set comment "VPN: vpn_icc (Created by VPN wizard)" next
Hi
Try sniffing port 4 to see if the Fortigate is sending UDP 500 packets to 117.54.227.92 and if you are receiving any responses to these.
diag sniffer packet port4 'host 117.54.227.92 and port 500'
Moby.
Thanks, the configuration is looking good..
Do you have any NAT devices in between?
Otherwise try to uncheck "NAT Traversal"
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.