IPsec tunnel (LAN to LAN) between FG and Draytek

turbose · ‎10-17-2018

Hi, I have a problem with the connection of these two devices (Fortigate 100D and Draytek 2920). I present screenshots from the configuration below. FG:

Draytek:

I have access from the drytek site to FG, but not from FG to drytek.

I have two polices:

I have no idea why this is happening. Thank you in advance for your help.

itsupport11 · ‎01-24-2024

did you find a solution to this???

hbac · ‎01-24-2024

Hi @turbose,

If the tunnel is not coming up, you can run the following debugs to see what is wrong.

di deb res
diagnose vpn ike log-filter dst-addr4 95.51.57.194
di deb app ike -1
di deb en

Regards,

Sokratis · ‎01-24-2024

thanks, the tunnel is up, we can ping from remote site to FG but we cannot ping Draytek from FG site.. strange, Policies are ok, traffic goes through the tunnel (checked packet capture on tunnel)

hbac · ‎01-24-2024

@Sokratis,

In that case, you can run the following debug flow to see if it is being dropped. Assuming you are trying to ping 192.168.100.1.

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter proto 1
di deb flow filter addr 192.168.100.1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

Regards,

IPsec tunnel (LAN to LAN) between FG and Draytek

Nominate a Forum Post for Knowledge Article Creation