Hello everybody,
I'm working on a Fortigate 70G with a 7.2.11 firmware.
I've an IPSec tunnel:
Regarding this tunnel, I have two firewall rules:
The first policy regards the IPSEC_FULL_ACCESS user group and it allows connections to the 10.1.0.0/24 network, including a specific machine, whose address is 10.1.0.207/24. It works fine.
The second policy regards the XYZ_VM_IPSEC user group and it allows connections only to the specific 10.1.0.207/24 machine. It's been working for a while. The XYZ_VM_IPSEC users could in fact access only the 10.1.0.207/24 machine.
For two days, this has not been possible anymore. The XYZ_VM_IPSEC users can no longer access that machine.
The log settings are set to "all sessions" (not in the screenshot, but the screenshot is not updated) but logs are empty. Fortigate detects nothing.
But...and this is what I am not able to comprehend...if I edit that specific firewall policy, shifting the destination address from 10.1.0.207/24 to another machine of the same internal network (for example 10.1.0.214/24), it works again. In this case, the XYZ_VM_IPSEC users will access only the single 10.1.0.214/24 machine.
I don't think that the problem is the 10.1.0.207/24 machine, because if that were the case, the machine would not be accessible even in the first firewall policy.
What do you think? Do you have a clue?
Hi,
That's quite strange that using another destination works while using a particular one doesn't.
Have you run a debug/sniffer to see how the traffic is being handled?
Try and put more specific policies above the general ones. 10.1.0.207/32 is more specific than 10.1.0.0/24, so it should be set above the IPSec full access policy.
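The two policies from the original post and the ordering advice in the reply above, written out as an added FortiOS CLI example (not configuration from the thread or from Fortinet). FortiGate evaluates firewall policies top-down and uses the first match, so the narrow XYZ_VM_IPSEC policy must sit above the broad IPSEC_FULL_ACCESS one. The interface name "IPSEC_TUNNEL", the LAN interface "internal", the address object names, the policy IDs 10 and 11 and the client range "IPSEC_CLIENT_RANGE" are assumptions for illustration; only the group names and the 10.1.0.x addresses come from the thread.

```fortios
# --- Address objects (assumed names) ---
config firewall address
    # single host: /32 mask, so the object matches only 10.1.0.207
    edit "HOST_10.1.0.207"
        set subnet 10.1.0.207 255.255.255.255
    next
    # the whole internal network
    edit "NET_10.1.0.0_24"
        set subnet 10.1.0.0 255.255.255.0
    next
end

# --- Policies (assumed IDs, interfaces and client range) ---
config firewall policy
    # 11: narrow policy, XYZ_VM_IPSEC group -> one host only
    edit 11
        set name "XYZ_VM_IPSEC_to_207"
        set srcintf "IPSEC_TUNNEL"
        set dstintf "internal"
        set srcaddr "IPSEC_CLIENT_RANGE"
        set dstaddr "HOST_10.1.0.207"
        set groups "XYZ_VM_IPSEC"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # 10: broad policy, IPSEC_FULL_ACCESS group -> whole /24
    edit 10
        set name "IPSEC_FULL_ACCESS_to_LAN"
        set srcintf "IPSEC_TUNNEL"
        set dstintf "internal"
        set srcaddr "IPSEC_CLIENT_RANGE"
        set dstaddr "NET_10.1.0.0_24"
        set groups "IPSEC_FULL_ACCESS"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # put the more specific policy first so it is evaluated before the /24 one
    move 11 before 10
end

# --- Verification: confirm which policy a flow to 10.1.0.207 actually hits ---
diagnose debug flow filter daddr 10.1.0.207
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the connection from an XYZ_VM_IPSEC client, then stop:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# --- Verification: see whether packets for the host arrive and leave at all ---
diagnose sniffer packet any 'host 10.1.0.207' 4 0 l
```

Two things to check in the output. The debug flow trace prints the policy ID that the session matched (or that it was denied by), which shows directly whether the XYZ_VM_IPSEC session is being caught by the wrong policy, while the sniffer shows whether packets for 10.1.0.207 are reaching and leaving the FortiGate at all. Also check the mask on the single-host address object: an object defined as 10.1.0.207 with a /24 mask matches the entire 10.1.0.0/24 subnet, not just that machine, so the "only this host" policy would not be restricting what the author intends.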
Copyright 2025 Fortinet, Inc. All Rights Reserved.