Hi.
We have two sites using the same subnet (192.168.0.0/24 — a restriction, because the systems have a built-in addressing mechanism and are not freely configurable), and I followed the cookbook to configure a site-to-site VPN on the FortiGate firewalls. VPN Phase 1 and Phase 2 are both UP, but I am unable to ping devices from one site to the other, and I am also unable to ping the local WAN interface IP on the same device.
The rough network sketch:
Kindly advise.
Additional info: Fortigate FGR60F Firewalls (FortiOS V6.2.9)
Hello,
Just to confirm, did you use the following KB? https://docs.fortinet.com/document/fortigate/6.4.5/administration-guide/426761/site-to-site-vpn-with...
What does the sniffer show — is the traffic received on both FortiGates?
Regards,
Hi Aleksandar,
Yes, I followed the KB mentioned above. I have only done a ping test. The VPN is UP on both phases, but my local device on the LAN also cannot reach the firewall's WAN port by ping. Could this be because of a restriction in the IPv4 policies (I created the same rules as in the KB)? Can the sniffer be used to troubleshoot communication between the "local interface" and the "WAN interface" on the same firewall?
I am new to VPN configuration, so please ignore any wrong terminology (if used).
Please also note that I used the same subnet (192.168.110.XX) for the tunnel.
Is it mandatory to use a different subnet, or can the same subnet be used?
No worries, we will ask you to explain in depth if we don't understand something, you are doing great :)
In your case you cannot run the test from the FortiGate itself, and it would not show up as interesting traffic anyway, because a ping from the FortiGate is sourced from a local interface address, not from the NATed address. To test the traffic, please run the following sniffer:
diagnose sniffer packet any "host <NATed IP on the remote site>" 4
and initiate a ping from a local host. Do this on both sides and copy-paste the output. Also copy-paste the related configuration for the policies, static routes and phase 2 on both sites. Thanks in advance.
Noted :)
I am currently away from the network and the firewalls. I will share the diagnostics once I get access.
Please find below the configuration.
Branch Firewall:
# Address object bound to the Branch PLC LAN interface (type interface-subnet,
# interface PLC_Connect, 192.168.0.1/24). Not referenced by the policies shown below;
# the policies use "Branch-original" for this subnet instead.
edit "PLC_Connect address"
set uuid 4d67ca4a-4a2a-51ed-1427-03d7d6cb4e94
set type interface-subnet
set subnet 192.168.0.1 255.255.255.0
set interface "PLC_Connect"
next
# Address object bound to SE_Interface (192.168.110.55/24). The poster states the tunnel
# uses 192.168.110.XX and the HQ unit has 192.168.110.67 on its SE_Interface, so this is
# presumably the underlay/IKE endpoint subnet — the phase1 binding is not shown on this page.
edit "SE_Interface address"
set uuid c6348242-4a2a-51ed-63fb-13ee83cb0741
set type interface-subnet
set subnet 192.168.110.55 255.255.255.0
set interface "SE_Interface"
next
# The real (pre-NAT) Branch PLC subnet, 192.168.0.0/24, associated with PLC_Connect.
# Used as srcaddr in firewall policy 2 (Branch -> HQ).
edit "Branch-original"
set uuid 41827e0c-4bf4-51ed-6423-b56ccbb7de20
set associated-interface "PLC_Connect"
set subnet 192.168.0.0 255.255.255.0
next
# HQ as seen from Branch: the NATed range 10.4.4.0/24 behind the tunnel interface Branch_To_HQ.
# Used as dstaddr in policy 2 and srcaddr in policy 3; matches the phase2 dst-subnet and
# static route 1 below.
edit "HQ-new"
set uuid 6b0db6d8-4bf4-51ed-9268-45a06552d534
set associated-interface "Branch_To_HQ"
set subnet 10.4.4.0 255.255.255.0
next
# Firewall policies on the Branch FortiGate (evaluated in the order listed).
config firewall policy
# Policy 1: outbound internet, internal -> wan1, any source / any destination / ALL services,
# with source NAT. NOTE(review): this is an any/any rule; unrelated to the VPN issue, but far
# broader than the PLC policies below — confirm that is intended.
edit 1
set uuid 044a0998-4a27-51ed-622a-da4d6233a658
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
# Policy 2: Branch PLC LAN -> HQ through the tunnel. Source is the real 192.168.0.0/24
# (Branch-original), destination is HQ's NATed 10.4.4.0/24 (HQ-new). Source NAT uses the
# fixed-port-range pool "Branch-new", so 192.168.0.x leaves as 10.3.3.x, which is what the
# phase2 selector (10.3.3.0/24 -> 10.4.4.0/24) expects.
# NOTE(review): certificate-inspection and the default AV profile are applied to the PLC traffic
# here and in policy 3 — confirm this is intended for the OT protocols in use.
edit 2
set name "From_Branch_To_HQ"
set uuid 9ce0d0e4-4bf6-51ed-7387-b74a6df7e19c
set srcintf "PLC_Connect"
set dstintf "Branch_To_HQ"
set srcaddr "Branch-original"
set dstaddr "HQ-new"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set ippool enable
set poolname "Branch-new"
set nat enable
next
# Policy 3: HQ -> Branch PLC LAN through the tunnel. Source is HQ's NATed 10.4.4.0/24; the
# destination is the VIP "Branch-new-to-original", which translates 10.3.3.x to the real
# 192.168.0.x. No source NAT here, so Branch hosts see HQ as 10.4.4.x and replies follow
# static route 1 back into the tunnel.
edit 3
set name "From_HQ_To_Branch"
set uuid f877e94c-4bf6-51ed-589c-d1aea7954a60
set srcintf "Branch_To_HQ"
set dstintf "PLC_Connect"
set srcaddr "HQ-new"
set dstaddr "Branch-new-to-original"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
next
end
# Static routing for HQ's NATed range. Route 1 sends 10.4.4.0/24 into the tunnel interface;
# route 2 is a blackhole for the same prefix at distance 200 (presumably a backup so the
# prefix is dropped rather than routed elsewhere if the tunnel route disappears).
# NOTE(review): the "get router info routing-table all" output later in the thread lists
# 10.4.4.0/24 as connected via an interface named U08C_To_PS1K, not Branch_To_HQ — confirm the
# phase1/phase2 interface name actually matches the device named here and in the policies,
# or that the tunnel was renamed after this configuration was captured.
config router static
edit 1
set dst 10.4.4.0 255.255.255.0
set device "Branch_To_HQ"
next
edit 2
set dst 10.4.4.0 255.255.255.0
set distance 200
set blackhole enable
next
end
# Phase 2 selectors for the Branch_To_HQ tunnel. Because both sites use 192.168.0.0/24, the
# selectors are the NATed ranges: local 10.3.3.0/24 (Branch hosts after SNAT by pool
# "Branch-new") to remote 10.4.4.0/24. The HQ side shown later mirrors this
# (src 10.4.4.0/24, dst 10.3.3.0/24).
# NOTE(review): a Branch host must ping an HQ device at its 10.4.4.x address — a ping to
# 192.168.0.x stays on the local connected subnet. The debug flow trace later in the thread
# (filter addr 192.168.0.21) shows only UDP broadcasts to 192.168.0.255 / 255.255.255.255
# being dropped by local-in ("policy 0") and no ICMP toward 10.4.4.0/24, so the test traffic
# may never have entered policy 2; confirm the destination used for the ping.
config vpn ipsec phase2-interface
edit "Branch_To_HQ"
set phase1name "Branch_To_HQ"
set proposal aes256-sha256
set auto-negotiate enable
set src-subnet 10.3.3.0 255.255.255.0
set dst-subnet 10.4.4.0 255.255.255.0
next
end
# Source NAT pool used by policy 2: Branch hosts 192.168.0.1-254 are translated into
# 10.3.3.1-254 (fixed-port-range; with equal-sized ranges this is presumably a one-to-one
# mapping that preserves the last octet — verify with a session list once traffic flows).
config firewall ippool
edit "Branch-new"
set type fixed-port-range
set startip 10.3.3.1
set endip 10.3.3.254
set source-startip 192.168.0.1
set source-endip 192.168.0.254
next
end
# Destination NAT for traffic arriving from HQ on the tunnel interface: external 10.3.3.1-254
# is mapped to the real Branch hosts 192.168.0.1-254. Referenced as dstaddr by policy 3.
# The external range is the same 10.3.3.x range the SNAT pool "Branch-new" hands out, so each
# host presumably keeps one translated address in both directions.
config firewall vip
edit "Branch-new-to-original"
set uuid 585a1468-4bf5-51ed-98b5-b1fd6588fffe
set extip 10.3.3.1-10.3.3.254
set extintf "Branch_To_HQ"
set mappedip "192.168.0.1-192.168.0.254"
next
end
HQ Firewall:
# Address object bound to the HQ PLC LAN interface (type interface-subnet,
# interface PLC_Connection, 192.168.0.1/24 — the same subnet as the Branch PLC LAN).
# Not referenced by the HQ policies shown below; they use "HQ-original".
edit "PLC_Connection address"
set uuid 5f760b2a-4a2f-51ed-30c1-17075918a656
set type interface-subnet
set subnet 192.168.0.1 255.255.255.0
set interface "PLC_Connection"
next
# Address object bound to the HQ SE_Interface (192.168.110.67/24), on the same 192.168.110.0/24
# the Branch unit uses (192.168.110.55) — presumably the IKE endpoint subnet; phase1 not shown.
edit "SE_Interface address"
set uuid b9bc9180-4a2f-51ed-6d95-351d53eb9c3a
set type interface-subnet
set subnet 192.168.110.67 255.255.255.0
set interface "SE_Interface"
next
# The real (pre-NAT) HQ PLC subnet, 192.168.0.0/24, associated with PLC_Connection.
# Used as srcaddr in HQ policy 2 (HQ -> Branch).
edit "HQ-original"
set uuid 7a754a3a-4c5f-51ed-6fd7-d76f84ca1243
set associated-interface "PLC_Connection"
set subnet 192.168.0.0 255.255.255.0
next
# Branch as seen from HQ: the NATed range 10.3.3.0/24 behind the tunnel interface HQ_to_Branch.
# Used as dstaddr in HQ policy 2 and srcaddr in HQ policy 3; matches the HQ phase2 dst-subnet
# and HQ static route 1.
edit "Branch-new"
set uuid 9b1ba2d4-4c5f-51ed-79a4-dde0821989dd
set associated-interface "HQ_to_Branch"
set subnet 10.3.3.0 255.255.255.0
next
end
# Firewall policies on the HQ FortiGate (evaluated in the order listed); a mirror of the
# Branch policies with the roles of 10.3.3.0/24 and 10.4.4.0/24 swapped.
config firewall policy
# Policy 1: outbound internet, internal -> wan1, any/any/ALL with source NAT.
# NOTE(review): same any/any breadth as on the Branch unit — confirm it is intended.
edit 1
set uuid 83a9e742-4a2e-51ed-656e-dc3d57841611
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
# Policy 2: HQ PLC LAN -> Branch through the tunnel. Source is the real 192.168.0.0/24
# (HQ-original), destination is Branch's NATed 10.3.3.0/24 (Branch-new). Source NAT uses the
# pool "HQ-new", so HQ hosts leave as 10.4.4.x, matching the HQ phase2 selector
# (10.4.4.0/24 -> 10.3.3.0/24). The poster reports the HQ device can only reply and cannot
# initiate, so this policy has not yet been exercised by a test.
edit 2
set name "From_HQ_to_Branch"
set uuid e78c572a-4c60-51ed-c037-3db086ad44b5
set srcintf "PLC_Connection"
set dstintf "HQ_to_Branch"
set srcaddr "HQ-original"
set dstaddr "Branch-new"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set ippool enable
set poolname "HQ-new"
set nat enable
next
# Policy 3: Branch -> HQ PLC LAN through the tunnel. Source is Branch's NATed 10.3.3.0/24; the
# destination is the VIP "HQ_new_to_original", translating 10.4.4.x to the real 192.168.0.x.
# This is the policy a Branch-initiated ping to 10.4.4.x must hit; the poster reports no traffic
# was captured on the HQ side, so it is not yet known whether packets reach this policy.
edit 3
set name "From_Branch_To_HQ"
set uuid 3f100d48-4c61-51ed-4db8-d1a8168714a8
set srcintf "HQ_to_Branch"
set dstintf "PLC_Connection"
set srcaddr "Branch-new"
set dstaddr "HQ_new_to_original"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
next
end
# Static routing for Branch's NATed range. Route 1 sends 10.3.3.0/24 into the tunnel interface;
# route 2 is a blackhole for the same prefix at distance 200 (presumably a backup so the prefix
# is dropped rather than routed elsewhere if the tunnel route disappears).
config router static
edit 1
set dst 10.3.3.0 255.255.255.0
set device "HQ_to_Branch"
next
edit 2
set dst 10.3.3.0 255.255.255.0
set distance 200
set blackhole enable
next
end
# Phase 2 selectors for the HQ_to_Branch tunnel: local 10.4.4.0/24 (HQ hosts after SNAT by
# pool "HQ-new") to remote 10.3.3.0/24. This is the exact mirror of the Branch phase2
# (src 10.3.3.0/24, dst 10.4.4.0/24), and the proposal (aes256-sha256) matches as well.
config vpn ipsec phase2-interface
edit "HQ_to_Branch"
set phase1name "HQ_to_Branch"
set proposal aes256-sha256
set auto-negotiate enable
set src-subnet 10.4.4.0 255.255.255.0
set dst-subnet 10.3.3.0 255.255.255.0
next
end
# Source NAT pool used by HQ policy 2: HQ hosts 192.168.0.1-254 are translated into
# 10.4.4.1-254 (fixed-port-range; equal-sized ranges, presumably one-to-one — verify with a
# session list once traffic flows).
config firewall ippool
edit "HQ-new"
set type fixed-port-range
set startip 10.4.4.1
set endip 10.4.4.254
set source-startip 192.168.0.1
set source-endip 192.168.0.254
next
end
# Destination NAT for traffic arriving from Branch on the tunnel interface: external
# 10.4.4.1-254 is mapped to the real HQ hosts 192.168.0.1-254. Referenced as dstaddr by
# HQ policy 3. The external range equals the range the SNAT pool "HQ-new" hands out.
config firewall vip
edit "HQ_new_to_original"
set uuid 3c48972a-4c60-51ed-2a77-477f8cf24431
set extip 10.4.4.1-10.4.4.254
set extintf "HQ_to_Branch"
set mappedip "192.168.0.1-192.168.0.254"
next
end
I got a chance to access the firewalls. On the Branch site I could connect a PC and send the ping command; on the HQ site there was a device which could only reply but could not initiate a ping.
I was also able to capture packets on the source port at the Branch site, but could not see any traffic at the HQ site. I am attaching the CLI diagnostics and the PCAP for the Branch firewall's local port.
Kindly advise if you are able to find the root cause.
PCAP file can be found on https://tempcloud.cf/ Filename: PLC_Connect.root.2.pcap Passcode: 1314
CLI Console for Branch-FW
Connected
SE-FW-A # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S 10.4.4.0/24 [10/0] is directly connected, U08C_To_PS1K
C 192.168.0.0/24 is directly connected, PLC_Connect
C 192.168.1.0/24 is directly connected, internal
C 192.168.110.0/24 is directly connected, SE_Interface
SE-FW-A # diag debug reset
SE-FW-A # diag debug flow filter clear
SE-FW-A # diag debug flow filter addr 192.168.0.21
SE-FW-A # diag debug console timestamp enable
SE-FW-A # diag debug flow
SE-FW-A # diag debug flow trace start 200
SE-FW-A # execute time
current time is: 17:47:30
SE-FW-A # diag debug enable
SE-FW-A # 2022-10-18 17:48:19 id=20085 trace_id=35 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56006->192.168.0.255:1947) from PLC_Connect. "
2022-10-18 17:48:19 id=20085 trace_id=35 func=init_ip_session_common line=5814 msg="allocate a new session-000026a4"
2022-10-18 17:48:19 id=20085 trace_id=35 func=vf_ip_route_input_common line=2581 msg="find a route: flag=94000000 gw-192.168.0.255 via root"
2022-10-18 17:48:19 id=20085 trace_id=35 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:48:19 id=20085 trace_id=36 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56007->255.255.255.255:1947) from PLC_Connect. "
2022-10-18 17:48:19 id=20085 trace_id=36 func=init_ip_session_common line=5814 msg="allocate a new session-000026a5"
2022-10-18 17:48:19 id=20085 trace_id=36 func=vf_ip_route_input_common line=2581 msg="find a route: flag=90000000 gw-255.255.255.255 via root"
2022-10-18 17:48:19 id=20085 trace_id=36 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:48:54 id=20085 trace_id=37 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56008->192.168.0.255:1947) from PLC_Connect. "
2022-10-18 17:48:54 id=20085 trace_id=37 func=init_ip_session_common line=5814 msg="allocate a new session-000026fe"
2022-10-18 17:48:54 id=20085 trace_id=37 func=vf_ip_route_input_common line=2581 msg="find a route: flag=94000000 gw-192.168.0.255 via root"
2022-10-18 17:48:54 id=20085 trace_id=37 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:48:54 id=20085 trace_id=38 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56009->255.255.255.255:1947) from PLC_Connect. "
2022-10-18 17:48:54 id=20085 trace_id=38 func=init_ip_session_common line=5814 msg="allocate a new session-000026ff"
2022-10-18 17:48:54 id=20085 trace_id=38 func=vf_ip_route_input_common line=2581 msg="find a route: flag=90000000 gw-255.255.255.255 via root"
2022-10-18 17:48:54 id=20085 trace_id=38 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:49:28 id=20085 trace_id=39 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56010->192.168.0.255:1947) from PLC_Connect. "
2022-10-18 17:49:28 id=20085 trace_id=39 func=init_ip_session_common line=5814 msg="allocate a new session-00002720"
2022-10-18 17:49:28 id=20085 trace_id=39 func=vf_ip_route_input_common line=2581 msg="find a route: flag=94000000 gw-192.168.0.255 via root"
2022-10-18 17:49:28 id=20085 trace_id=39 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:49:28 id=20085 trace_id=40 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56011->255.255.255.255:1947) from PLC_Connect. "
2022-10-18 17:49:28 id=20085 trace_id=40 func=init_ip_session_common line=5814 msg="allocate a new session-00002721"
2022-10-18 17:49:28 id=20085 trace_id=40 func=vf_ip_route_input_common line=2581 msg="find a route: flag=90000000 gw-255.255.255.255 via root"
2022-10-18 17:49:28 id=20085 trace_id=40 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:50:02 id=20085 trace_id=41 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56012->192.168.0.255:1947) from PLC_Connect. "
2022-10-18 17:50:02 id=20085 trace_id=41 func=init_ip_session_common line=5814 msg="allocate a new session-0000275b"
2022-10-18 17:50:02 id=20085 trace_id=41 func=vf_ip_route_input_common line=2581 msg="find a route: flag=94000000 gw-192.168.0.255 via root"
2022-10-18 17:50:02 id=20085 trace_id=41 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:50:02 id=20085 trace_id=42 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56013->255.255.255.255:1947) from PLC_Connect. "
2022-10-18 17:50:02 id=20085 trace_id=42 func=init_ip_session_common line=5814 msg="allocate a new session-0000275c"
2022-10-18 17:50:02 id=20085 trace_id=42 func=vf_ip_route_input_common line=2581 msg="find a route: flag=90000000 gw-255.255.255.255 via root"
2022-10-18 17:50:02 id=20085 trace_id=42 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:50:37 id=20085 trace_id=43 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56014->192.168.0.255:1947) from PLC_Connect. "
2022-10-18 17:50:37 id=20085 trace_id=43 func=init_ip_session_common line=5814 msg="allocate a new session-00002786"
2022-10-18 17:50:37 id=20085 trace_id=43 func=vf_ip_route_input_common line=2581 msg="find a route: flag=94000000 gw-192.168.0.255 via root"
2022-10-18 17:50:37 id=20085 trace_id=43 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
2022-10-18 17:50:37 id=20085 trace_id=44 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=17, 192.168.0.21:56015->255.255.255.255:1947) from PLC_Connect. "
2022-10-18 17:50:37 id=20085 trace_id=44 func=init_ip_session_common line=5814 msg="allocate a new session-00002787"
2022-10-18 17:50:37 id=20085 trace_id=44 func=vf_ip_route_input_common line=2581 msg="find a route: flag=90000000 gw-255.255.255.255 via root"
2022-10-18 17:50:37 id=20085 trace_id=44 func=fw_local_in_handler line=421 msg="iprope_in_check() check failed on policy 0, drop"
Timeout
Connection lost.