Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ainul
New Contributor

IPsec VPN Site to Site, FGT and Watchguard

Dear Scao/Scapraro,

 

we configure ipsec vpn site to site between fortigate 200D and watchguard , the parameter is same phase1 and phase2 both of them , ping from fgt to ip public remote site is OK, but tunnel still not up , so we do diagnose debug enable , it get message is

"could not send IKE packet (ident_i1send):119.252.165.09 :500->117.54.227.92:500, len=284: error 101:Network is unreachable".

what mean is it ->error 101:Network is unreachable, because ping to remote site is reply

 

Rgds

 

Ainul

 

 

 

 

 

 

 

13 REPLIES 13
ainul
New Contributor

 

HI, Nils,

 

The result sniff packet as below

 

FG200D3916800121 (root) # diag sniffer packet port4 'host 117.54.227.92 and port 500'

interfaces=[port4]

filters=[host 117.54.227.92 and port 500]

3.685968 117.54.227.92.500 -> 119.252.165.90.500: udp 136

7.688875 117.54.227.92.500 -> 119.252.165.90.500: udp 136

31.775401 117.54.227.92.500 -> 119.252.165.90.500: udp 136

35.780071 117.54.227.92.500 -> 119.252.165.90.500: udp 136

39.784691 117.54.227.92.500 -> 119.252.165.90.500: udp 136

43.789032 117.54.227.92.500 -> 119.252.165.90.500: udp 136

67.873919 117.54.227.92.500 -> 119.252.165.90.500: udp 136

71.877830 117.54.227.92.500 -> 119.252.165.90.500: udp 136

75.882491 117.54.227.92.500 -> 119.252.165.90.500: udp 136

79.887330 117.54.227.92.500 -> 119.252.165.90.500: udp 136

104.224002 117.54.227.92.500 -> 119.252.165.90.500: udp 136

108.228322 117.54.227.92.500 -> 119.252.165.90.500: udp 136

112.232671 117.54.227.92.500 -> 119.252.165.90.500: udp 136

116.293527 117.54.227.92.500 -> 119.252.165.90.500: udp 136

140.320563 117.54.227.92.500 -> 119.252.165.90.500: udp 136

144.324452 117.54.227.92.500 -> 119.252.165.90.500: udp 136

148.381647 117.54.227.92.500 -> 119.252.165.90.500: udp 136

152.386663 117.54.227.92.500 -> 119.252.165.90.500: udp 136

175.467916 117.54.227.92.500 -> 119.252.165.90.500: udp 136

179.472182 117.54.227.92.500 -> 119.252.165.90.500: udp 136

183.477577 117.54.227.92.500 -> 119.252.165.90.500: udp 136

187.482207 117.54.227.92.500 -> 119.252.165.90.500: udp 136

 

ainul
New Contributor

we ready set NAT Traversal to Disable,

but condition still same, bese on event log VPN, it is never up to phase2, only success to phase1, please see attached

 

moby

Hi

Base on your sniffer trace your firewall is sending udp 500 IKE packets but you do not receive any IKE packets back from 119.252.165.90

 

187.482207 117.54.227.92.500 -> 119.252.165.90.500: udp 136

 

Therefore you should check if the peer is receiving your udp 500 packets and if the peer sends a response.

 

Either the peer is not receiving them or the peer is not responding to them, or the UDP 500 packets are being blocked somewhere between your IP and the peer IP or in the other direction.

 

Moby

 

 

mahesh_secure

Hai

 

Are you using any wan LLB????

 

 

 

Regards

Mahesh

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors