Support Forum
ainul
New Contributor

IPsec VPN Site to Site, FGT and Watchguard

Dear Scao/Scapraro,

We configured a site-to-site IPsec VPN between a FortiGate 200D and a WatchGuard; the phase1 and phase2 parameters are the same on both of them. Ping from the FGT to the remote site's public IP is OK, but the tunnel is still not up, so we ran diagnose debug enable, and it gives this message:

"could not send IKE packet (ident_i1send):119.252.165.09 :500->117.54.227.92:500, len=284: error 101:Network is unreachable".

What does "error 101: Network is unreachable" mean, given that pings to the remote site get a reply?

Rgds

Ainul
Nils
Contributor II

Did you choose the correct interface in the "local interface" section?

I guess it's WAN1 or something similar.

ainul
New Contributor

Hi Nils,

What is the local interface? On the FGT or the WatchGuard?

Nils
Contributor II

In your VPN phase 1 settings on your fortigate.

You must specify the interface that is facing the internet.

ainul
New Contributor

my interface 

ainul
New Contributor

Based on this debug log:

the FortiGate IP is 119.252.165.09, and the WatchGuard IP is 117.54.227.92.

I think the FGT can't reach the WatchGuard's IP address, but it can ping the remote IP (117.54.227.92).

could not send IKE packet (ident_i1send):119.252.165.09 :500->117.54.227.92:500, len=284: error 101:Network is unreachable".

Nils
Contributor II

Can you paste your IPsec configuration here?

ainul
New Contributor

It's my config on the FGT. Just for info, we also already set up another site-to-site tunnel with a Cisco ASA on this FortiGate; it uses the same interface, port 4 (Vietnam). Its connection is OK.

config system interface
    edit "vpn_icc"
        set vdom "root"
        set type tunnel
        set snmp-index 24
        set interface "port4"
    next
end
config firewall address
    edit "vpn_icc_local_subnet_1"
        set uuid ea9b90c0-9b59-51e6-74a3-7fee54be819e
        set subnet 172.17.134.0 255.255.255.0
    next
    edit "vpn_icc_remote_subnet_1"
        set uuid eaa347e8-9b59-51e6-28fe-95ca2ed91c23
        set subnet 172.17.190.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "vpn_icc_local"
        set uuid ea9fea9e-9b59-51e6-9d6c-e4b394fc8a55
        set member "vpn_icc_local_subnet_1"
        set comment "VPN: vpn_icc (Created by VPN wizard)"
    next
    edit "vpn_icc_remote"
        set uuid eaa78056-9b59-51e6-2f1c-b50243c4e877
        set member "vpn_icc_remote_subnet_1"
        set comment "VPN: vpn_icc (Created by VPN wizard)"
    next
end
config vpn ipsec phase1-interface
    edit "vpn_icc"
        set interface "port4"
        set keylife 28800
        set proposal 3des-sha1
        set comments "VPN: vpn_icc (Created by VPN wizard)"
        set dhgrp 2
        set remote-gw 117.54.227.92
        set psksecret ENC dmFyL1qRvDzrVtvNfXTHUh76D8+iujeEtwMnkyF+xAIErGqfQvARmPN9jjfMLfsbg0efDFEply/Vikyfu6A5l2Rj3IvGAeibC9XG8YTZFXCd6XyP5yVXDM5PWgCgD/GQxFoFbxsi2UvP+ieF52V6Kv+XA3cncnwjIsEmbB5uknpWOizg+J2AD05ys/101ocPVIYd/w==
        set keepalive 300
    next
end
config vpn ipsec phase2-interface
    edit "vpn_icc"
        set phase1name "vpn_icc"
        set proposal 3des-sha1
        set dhgrp 2
        set keylife-type both
        set comments "VPN: vpn_icc (Created by VPN wizard)"
        set keylifeseconds 28800
        set keylifekbs 43200
        set src-subnet 172.17.134.0 255.255.255.0
        set dst-subnet 172.17.190.0 255.255.255.0
    next
    edit "segment128"
        set phase1name "vpn_icc"
        set proposal 3des-sha1
        set dhgrp 2
        set keepalive enable
        set auto-negotiate enable
        set keylife-type both
        set keylifeseconds 28800
        set src-subnet 172.17.128.0 255.255.255.0
        set dst-subnet 172.17.190.0 255.255.255.0
    next
end

config firewall policy
    edit 71
        set uuid cdc5be4c-9b5b-51e6-c453-7a7851f046fa
        set srcintf "port3" "port2"
        set dstintf "vpn_icc"
        set srcaddr "vpn_icc_local" "172.17.128.0"
        set dstaddr "vpn_icc_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: vpn_icc (Created by VPN wizard)"
    next
    edit 70
        set uuid eaace6ae-9b59-51e6-b483-b5175b71bf9d
        set srcintf "vpn_icc"
        set dstintf "port3" "port2"
        set srcaddr "vpn_icc_remote"
        set dstaddr "vpn_icc_local" "172.17.128.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: vpn_icc (Created by VPN wizard)"
    next
end
config router static
    edit 39
        set dst 172.17.190.0 255.255.255.0
        set device "vpn_icc"
        set comment "VPN: vpn_icc (Created by VPN wizard)"
    next
end
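Added example, not from the thread and not Fortinet code: a small Python parser for FortiOS CLI text of the shape pasted above (it also accepts a one-line flattened paste and tolerates a missing `next`), followed by an audit that flags a phase2 pointing at an unknown phase1, a phase2 destination with no static route over the tunnel (this assumes a route-based VPN with one static route per destination, which is what the VPN wizard creates), a phase1 missing its local interface or remote gateway, and 3DES/SHA1/DH group 2 proposals, which are the values in this config and are considered weak today. The sample config is constructed in the same shape as the post, with the PSK and UUIDs replaced by placeholders.

```python
import shlex

# Constructed sample (not the poster's config): the same shape as the FortiGate
# CLI pasted in the thread, with the PSK and UUIDs replaced by placeholders.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "vpn_icc"
        set interface "port4"
        set proposal 3des-sha1
        set dhgrp 2
        set remote-gw 117.54.227.92
        set psksecret ENC PLACEHOLDER_NOT_A_SECRET
    next
end
config vpn ipsec phase2-interface
    edit "vpn_icc"
        set phase1name "vpn_icc"
        set proposal 3des-sha1
        set dhgrp 2
        set src-subnet 172.17.134.0 255.255.255.0
        set dst-subnet 172.17.190.0 255.255.255.0
    next
    edit "segment128"
        set phase1name "vpn_icc"
        set proposal 3des-sha1
        set dhgrp 2
        set src-subnet 172.17.128.0 255.255.255.0
        set dst-subnet 172.17.190.0 255.255.255.0
    next
end
config router static
    edit 39
        set dst 172.17.190.0 255.255.255.0
        set device "vpn_icc"
    next
end
"""

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: table -> entry -> {key: [values]}."""
    tokens = shlex.split(text)  # quoted values such as "VPN: vpn_icc (...)" stay one token
    root = {}
    cur, kind, stack, i = root, "root", [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "config":  # multi-word table name runs up to the next keyword
            j = i + 1
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            stack.append((cur, kind))
            cur, kind, i = cur.setdefault(" ".join(tokens[i + 1:j]), {}), "config", j
        elif tok == "edit":
            if kind == "edit":  # previous entry lacked its 'next' (as in a flattened paste)
                cur, kind = stack.pop()
            stack.append((cur, kind))
            cur, kind, i = cur.setdefault(tokens[i + 1], {}), "edit", i + 2
        elif tok == "set":  # values run up to the next keyword
            j = i + 2
            while j < len(tokens) and tokens[j] not in KEYWORDS:
                j += 1
            cur[tokens[i + 1]] = tokens[i + 2:j]
            i = j
        elif tok == "next":
            if kind == "edit":
                cur, kind = stack.pop()
            i += 1
        elif tok == "end":  # close any still-open entry, then the table
            while kind == "edit":
                cur, kind = stack.pop()
            if kind == "config":
                cur, kind = stack.pop()
            i += 1
        else:  # 'unset' and stray tokens are ignored
            i += 1
    return root


WEAK_CIPHERS, WEAK_HASHES, WEAK_DH = {"des", "3des", "null"}, {"md5", "sha1"}, {"1", "2", "5"}


def audit_ipsec(cfg):
    """Return (severity, message) findings for the IPsec tables of a parsed config."""
    findings = []
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    phase2 = cfg.get("vpn ipsec phase2-interface", {})
    routes = cfg.get("router static", {}).values()
    routed = {(tuple(r.get("dst", ())), r.get("device", [""])[0]) for r in routes}

    def check_crypto(where, entry):
        for prop in entry.get("proposal", []):  # FortiOS proposals look like 'aes256-sha256'
            enc, _, integ = prop.partition("-")
            if enc in WEAK_CIPHERS or integ in WEAK_HASHES:
                findings.append(("warn", f"{where}: weak proposal {prop}"))
        for grp in entry.get("dhgrp", []):
            if grp in WEAK_DH:
                findings.append(("warn", f"{where}: weak DH group {grp}"))

    for name, entry in phase1.items():
        for key in ("interface", "remote-gw"):  # IKE cannot be sent without both
            if not entry.get(key):
                findings.append(("error", f"phase1 {name}: '{key}' not set"))
        check_crypto(f"phase1 {name}", entry)
    for name, entry in phase2.items():
        p1 = entry.get("phase1name", [""])[0]
        if p1 not in phase1:
            findings.append(("error", f"phase2 {name}: unknown phase1 '{p1}'"))
        dst = tuple(entry.get("dst-subnet", ()))
        if (dst, p1) not in routed:  # assumption: route-based VPN, static route per destination
            findings.append(("error", f"phase2 {name}: no static route for {' '.join(dst)} via {p1}"))
        check_crypto(f"phase2 {name}", entry)
    return findings


if __name__ == "__main__":
    for severity, message in audit_ipsec(parse_fortios(SAMPLE_CONFIG)):
        print(severity.upper(), message)
```

Run against the sample it reports six warnings (weak proposal and DH group on the phase1 and on both phase2 entries) and no errors, which matches the thread: the config is structurally complete, so the "Network is unreachable" error has to come from the path to the peer rather than from the tunnel definition itself.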

 

 

moby

Hi

Try sniffing port 4 to see if the Fortigate is sending UDP 500 packets to 117.54.227.92 and if you are receiving any responses to these.

    diag sniffer packet port4 'host 117.54.227.92 and port 500'

Moby.
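Added example, not from the thread and not Fortinet code, for reading the output of the sniffer command Moby suggests. The lines are constructed in the shape of FortiGate sniffer summaries (timestamp, optional interface and direction at verbosity 4, then src.port -> dst.port: proto len); the packet addresses reuse the two public IPs from the thread. The classification separates the three outcomes a troubleshooter cares about: nothing on the wire at all (the "Network is unreachable" case from the original question, where the send is refused before a packet reaches port4), one-way traffic, and a two-way exchange.

```python
import re

# Constructed sample lines (not a real capture) in the shape of
# 'diag sniffer packet port4 "host 117.54.227.92 and port 500"' output.
# Default verbosity prints no interface/direction column; verbosity 4 adds
# e.g. "port4 out" after the timestamp, which the parser also accepts.
SAMPLE_SNIFFER = """\
interfaces=[port4]
filters=[host 117.54.227.92 and port 500]
3.105241 119.252.165.9.500 -> 117.54.227.92.500: udp 284
8.106118 119.252.165.9.500 -> 117.54.227.92.500: udp 284
13.108025 port4 out 119.252.165.9.500 -> 117.54.227.92.500: udp 284
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<len>\d+)"
)


def parse_sniffer(text):
    """Return one dict per packet summary line; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "len"):
                d[key] = int(d[key])
            d["ts"] = float(d["ts"])
            packets.append(d)
    return packets


def ike_exchange_summary(packets, peer):
    """Classify IKE traffic with one peer as silent, one-way or two-way."""
    ike_ports = {500, 4500}  # IKE, and IKE over NAT-T
    sent = [p for p in packets if p["proto"] == "udp" and p["dst"] == peer and p["dport"] in ike_ports]
    recv = [p for p in packets if p["proto"] == "udp" and p["src"] == peer and p["sport"] in ike_ports]
    if not sent and not recv:
        state = "silent"
        hint = "nothing transmitted: IKE fails before the wire (phase1 interface, route to the peer)"
    elif sent and not recv:
        state = "one-way"
        hint = "initiator packets leave but no reply: peer down, filtered upstream, or not listening on UDP 500"
    else:
        state = "two-way"
        hint = "both sides talk: read the negotiation in 'diagnose debug application ike -1' output"
    return {"sent": len(sent), "received": len(recv), "state": state, "hint": hint}


if __name__ == "__main__":
    print(ike_exchange_summary(parse_sniffer(SAMPLE_SNIFFER), "117.54.227.92"))
```

Paste the captured lines in place of SAMPLE_SNIFFER; the peer address is the one given to the sniffer filter.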

Nils
Contributor II

Thanks, the configuration is looking good.

Do you have any NAT devices in between?

Otherwise try to uncheck "NAT Traversal".