Support Forum
robertwb2
New Contributor

One way Ping

Hey everyone, hope I can get some help with something. Very new to Fortinet and have two locations that I need to set up a VPN for. I have watched the online video cookbook and followed those steps for my two boxes and set up the IPSec VPN.

Location 1 - 10.8.138.0/23 network
Location 2 - 10.8.22.0/24 network

I created both of my Phases, putting in the right IP addresses for each... I've triple checked everything, have my Firewall objects created correctly for both, making sure the Interfaces are set correctly at each location, made my policies and moved them to the top of the list, however...

What is happening is that from Location 1 to Location 2 I am NOT able to ping. However, from Location 2 to Location 1 I can ping and access everything as needed. I'm almost feeling it's something simple; I have properly working internet in both locations but I just cannot figure out this ping and what I might be missing. Thanks so much
robertwb2
New Contributor

When I do a debug of the flow, this is a sample of what I get over and over again when trying to ping from Location 1 to Location 2. And both locations have the exact same policies in place. Thanks so much

id=13 trace_id=101 msg="vd-root received a packet(proto=1, 10.8.138.180:1->10.8.22.254:8) from Internal."
id=13 trace_id=101 msg="allocate a new session-00001066"
id=13 trace_id=101 msg="find a route: gw-10.8.22.254 via Internal"
id=13 trace_id=101 msg="Denied by forward policy check"
id=13 trace_id=102 msg="vd-root received a packet(proto=1, 10.8.138.180:1->10.8.22.254:8) from Internal."
id=13 trace_id=102 msg="allocate a new session-0000106e"
id=13 trace_id=102 msg="find a route: gw-10.8.22.254 via Internal"
id=13 trace_id=102 msg="Denied by forward policy check"
id=13 trace_id=103 msg="vd-root received a packet(proto=1, 10.8.138.180:1->10.8.22.254:8) from Internal."
Hansyin
New Contributor

It says the policy does not allow it. Can you show your policy?

show firewall policy
ede_pfau
SuperUser

Hi, and welcome to the forums. Are you pinging the remote FGT? If so, check the 'Restricted Hosts' setting in System>Admin. Set them all to '0.0.0.0/0' to see if ping is administratively prohibited. Next, is ping allowed on the interface (System>Network>Interface)? Next, did you try to reach a host on the remote network, like a printer? Printers don't have personal firewalls... yet
Ede Kernel panic: Aiee, killing interrupt handler!
robertwb2
New Contributor

Thank you so much for all the help, but I think I finally stumbled upon the problem. When I was looking in the Network -> Interface area, I saw that my Internal interface wasn't configured quite right. Once I fixed that, ping in both directions started working! Thanks again for all the help!
ede_pfau
SuperUser

One more well-meant hint: re-create your VPNs in 'Interface Mode'. You spare yourself a LOT of headaches over time. If you do, the tunnel end becomes a virtual network port, just like the physical ones. You use it in a regular (ACCEPT) policy, and in a static route, for NAT and all that. No more wondering what FortiOS does 'behind the scenes' as you do when using Policy Mode VPN.
Ede Kernel panic: Aiee, killing interrupt handler!
robertwb2
New Contributor

Where do I do that? Create the VPNs in Interface mode? Can I change the current setup to do that, or do I need to delete them and recreate them? Thanks, Robert
ede_pfau
SuperUser

When you create a Phase1, usually (from FortiOS 4.3 on) the 'Interface Mode' is checked by default. Alas, there is no (easy) way to change the mode. Just recreate Phase1 and Phase2.
Ede Kernel panic: Aiee, killing interrupt handler!
robertwb2
New Contributor

So once I create those in interface mode, what do I need to create in static routes or any policies? Thanks for taking this step by step for me, this is a whole new world for me! Thanks
ede_pfau
SuperUser

Once you create an IPsec VPN in Interface Mode, there will be a new virtual interface under System>Network>Interfaces>the_wan_port_specified. What do you do to have traffic flow out on a port? Let's assume your tunnel is called 'Miami' and the remote network is 10.8.22.0/24:

- create a static route to the remote subnet, using the tunnel interface, e.g. 10.8.22.0/24 via 'Miami' (do not specify a gateway address!)
- then allow traffic to pass from 'internal' to 'Miami': create a firewall policy, source port 'internal', src addr 'my_LAN', dest port 'Miami', dest addr 10.8.22.0/24, action ACCEPT (!), no NAT

This will allow traffic initiated from your LAN to the 'Miami' network, including reply traffic. If you want to allow traffic initiated from Miami into your LAN, you need an additional policy with reversed source/destination. Assuming you have a mail server in Miami, and you query it for new messages, this will flow across just one policy. If you want the Miami people to get files from your LAN, you need a second policy.

So, 'Interface Mode' VPNs behave just like any other (physical or VLAN) port, in respect to routing and policies. This includes NAT, traffic shaping, UTM etc.
Ede Kernel panic: Aiee, killing interrupt handler!
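As an added example (constructed for this page, not posted by anyone in the thread), the route and the two policies described in the reply above written out as FortiOS CLI. It assumes the tunnel interface is named "Miami", the LAN port is "internal", "my_LAN" already exists as the address object for 10.8.138.0/23, and "Miami_LAN" is an assumed address object created here for 10.8.22.0/24.

```fortios
# Address object for the remote subnet (assumed name "Miami_LAN")
config firewall address
    edit "Miami_LAN"
        set subnet 10.8.22.0 255.255.255.0
    next
end

# Static route to the remote subnet via the tunnel interface.
# Only the device is set: no "set gateway", as the reply says.
config router static
    edit 0
        set dst 10.8.22.0 255.255.255.0
        set device "Miami"
    next
end

config firewall policy
    # Policy 1: sessions initiated from the local LAN towards Miami.
    # Reply packets of these sessions match the session table,
    # so they need no policy of their own.
    edit 0
        set srcintf "internal"
        set dstintf "Miami"
        set srcaddr "my_LAN"
        set dstaddr "Miami_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Policy 2: only needed when hosts in Miami initiate sessions
    # into this LAN (e.g. Miami users fetching files from here).
    edit 0
        set srcintf "Miami"
        set dstintf "internal"
        set srcaddr "Miami_LAN"
        set dstaddr "my_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The remote FortiGate needs the mirror image: a route to 10.8.138.0/23 via its own tunnel interface and policies with the subnets swapped. Without the static route, packets for 10.8.22.0/24 follow the default route out the WAN port and a debug flow shows them leaving "via wan1" instead of via "Miami".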