I've got a scenario where I can't seem to get traffic between two sites to route to a third site over an IPSEC VPN.
Here's the setup:
Site A Fortigate (remote site) --private WAN connection-- Site B Fortigate (Primary Site) --IPSEC VPN-- Site C (subsidiary site) Palo Alto
I have an IPSEC tunnel set up between Site B and Site C with two Phase 2 selectors: one for a subnet at Site B, which is working, and one for a subnet at Site A, which is not working.
Testing has produced the following results:
Tracert from Site A to Site C stops at the private WAN interface on the Fortigate at Site B.
Starting a ping from Site A to Site C:
Packet capture on the Site A Fortigate looking for traffic to Site C shows packets sent but not received
Packet capture on the Site B Fortigate looking for traffic to Site C shows packets sent but not received
Policies on both Site A and B Fortigates show traffic.
I'm at a loss as to where to go with troubleshooting. Policy lookups at Site A show the traffic is allowed, the same for Site B. I don't have access to the Palo Alto at Site C, as it's a subsidiary.
Was going crazy. Turns out the admin had forgotten to put in a static route to the subnet at Site A.
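An added FortiOS CLI sequence for the scenario in this thread, showing the checks that surface a missing route and the static-route fix the poster arrived at. This is not from the original thread or from Fortinet documentation for this case; all subnets, next hops, interface and tunnel names are placeholders, and the thread does not say on which device the route was missing, so the example assumes it was the Site B Fortigate's return route toward Site A (the Site C firewall likewise needs a route for Site A's subnet pointing into the tunnel, whichever vendor it is).

```text
# Assumed addressing (placeholders, not from the thread):
#   Site A LAN  10.1.0.0/24  reached from Site B over private WAN interface "port2", next hop 172.16.0.1
#   Site B LAN  10.2.0.0/24
#   Site C LAN  10.3.0.0/24  reached via the route-based tunnel interface "to_siteC"

# 1. Confirm both phase 2 selectors are up; the Site A selector must show as established, not just Site B's
diagnose vpn tunnel list name to_siteC

# 2. Ask the routing table what Site B does with traffic in each direction
get router info routing-table details 10.3.0.10    # toward Site C: expect device to_siteC
get router info routing-table details 10.1.0.10    # back toward Site A: expect port2 / 172.16.0.1
# If the second lookup falls to the default route, replies from Site C leave the wrong interface
# and the capture shows exactly the "sent but not received" pattern described above.

# 3. Trace one ping from Site A through the box (policy match, route lookup, tunnel egress)
diagnose debug flow filter addr 10.3.0.10
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 10
# ... start the ping from Site A, read the trace, then clean up:
diagnose debug disable
diagnose debug reset

# 4. Sniff the tunnel interface: does the request enter the tunnel, and does a reply come back?
diagnose sniffer packet to_siteC 'host 10.1.0.10' 4 10 l

# 5. The fix: a static route for Site A's subnet via the private WAN
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set gateway 172.16.0.1
        set device "port2"
    next
end

# For reference, the phase 2 selector covering Site A on the same tunnel (already present per the thread)
config vpn ipsec phase2-interface
    edit "to_siteC_siteA"
        set phase1name "to_siteC"
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.3.0.0 255.255.255.0
    next
end
```

The order matters: a selector can negotiate fine and policies can show hits while the return route is still missing, which is why step 2 checks the route lookup in both directions before anything else is touched. With a route-based tunnel, firewall policies from port2 to to_siteC and back are also required, but those were already confirmed in the thread.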
Great that you found and fixed the issue.
Below is the link you can keep handy for IPSEC troubleshooting in case you need it anytime in the future.