Hey guys,
I have an up-and-running site-to-site VPN between two FortiGates.
This is the IP config:
Location 1: 10.1.20.0/24 -> 10.2.20.0/24
Location 2: 10.2.10.0/24 -> 10.1.20.0/24
This seems to be working well; we can ping clients at both locations.
Now we want to add our server networks, so I added a phase 2 selector like this:
Location 1: 10.1.10.0/24 -> 10.2.10.0/24
Location 2: 10.2.10.0/24 -> 10.1.10.0/24
I have added the static routes and firewall policies on both FGs, but we cannot ping any server at either location.
Are we forgetting something? I checked the manual about VPN, but I cannot for the life of me find what could be wrong.
Any VPN guru who can point me in the direction I have to look into?
Thanks in advance!
Hi Geoffrey,
Maybe there is something wrong with the selectors. Why don't you try just configuring 0.0.0.0/0.0.0.0 as the phase 2 selectors on both FortiGates?
Moby
Are the SAs related to the second phase2 up?
Hi all,
Thanks for the answers :)
I tried putting in 0.0.0.0/0.0.0.0 on both FGs, and then everything works, but is this the right way to go?
@Alby23: How can I check whether the SAs for the second phase 2 are up? Is that under Monitor -> IPsec Monitor?
Thanks!
Geoffrey,
It works, but it is considered a lazy and insecure way of doing things. The reason is that now any traffic can flow over that tunnel, whereas with specific Phase 2s it is limited to the interesting traffic defined there.
Mike Pruett
I managed to make it somewhat work :p
Now I can ping from the HQ clients to the branch clients (10.1.20.0 -> 10.2.20.0).
I can also ping from the HQ servers to the branch servers (10.1.10.0 -> 10.2.10.0).
But I can't seem to reach the branch clients from the HQ servers, or the HQ servers from the branch clients. I suspect this has something to do with routing?
It sounds more like a policy issue. If you are able to ping, then the devices involved know how to reach the remote subnet.
Mike Pruett
Check the routing table on both sides to see whether they have routes toward the tunnel for the subnets on the opposite side. We use 0/0<->0/0 for phase 2 as long as it's main mode, and restrict the subnets by policies. If the routes are there, the policies must be restricting it.
If he can ping, the traffic knows where to go. Validating that the proper policy is in place (with UTM that isn't killing the traffic you want) needs to be the next step, IMO.
Mike Pruett
I just wanted to make sure it's 100% not a routing issue, which isn't so difficult to confirm: "get router info routing-t all" in the CLI. You're most likely correct about the cause.
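The thread describes two ways of deciding which traffic a tunnel carries: narrow phase 2 selectors per subnet pair, or a 0.0.0.0/0 selector with the restriction moved into firewall policies. The following is an added worked example, not code from the thread or from Fortinet: a small matcher that takes the four subnets named above, a selector list and a (hypothetical, constructed) policy list, and reports for each of the four flow directions whether a selector covers the flow and whether a policy then permits it. Selector matching is simplified to "source in src-subnet and destination in dst-subnet"; real proxy-ID negotiation also involves protocol and port, which this example ignores.

```python
"""Added example: which flows a set of phase 2 selectors can carry,
and which of those a firewall policy then allows (HQ side only).

Assumptions (not from the thread): policies are modelled as plain
(src-subnet, dst-subnet) pairs, and the hosts .50 in each subnet are
constructed test addresses.
"""
from ipaddress import IPv4Address, IPv4Network


def net(s):
    return IPv4Network(s)


# HQ-side selectors as described in the thread: one per subnet pair.
HQ_SPECIFIC = [
    (net("10.1.20.0/24"), net("10.2.20.0/24")),  # HQ clients -> branch clients
    (net("10.1.10.0/24"), net("10.2.10.0/24")),  # HQ servers -> branch servers
]

# The 0.0.0.0/0 <-> 0.0.0.0/0 selector suggested in the thread.
HQ_WILDCARD = [(net("0.0.0.0/0"), net("0.0.0.0/0"))]

# Hypothetical HQ firewall policies restricting the same two pairs
# (the "restrict by policy" approach from the thread).
HQ_POLICIES = [
    (net("10.1.20.0/24"), net("10.2.20.0/24")),
    (net("10.1.10.0/24"), net("10.2.10.0/24")),
]

# Constructed test flows: the four directions discussed in the thread.
FLOWS = [
    ("10.1.20.50", "10.2.20.50", "HQ client -> branch client"),
    ("10.1.10.50", "10.2.10.50", "HQ server -> branch server"),
    ("10.1.10.50", "10.2.20.50", "HQ server -> branch client"),
    ("10.1.20.50", "10.2.10.50", "HQ client -> branch server"),
]


def first_match(pairs, src, dst):
    """Return 'src_net -> dst_net' for the first pair covering the flow, else None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for src_net, dst_net in pairs:
        if s in src_net and d in dst_net:
            return f"{src_net} -> {dst_net}"
    return None


def verdict(selectors, policies, src, dst):
    """Selector check first (is there an SA to carry it?), then policy check."""
    sel = first_match(selectors, src, dst)
    if sel is None:
        return "no phase2 selector covers this flow"
    pol = first_match(policies, src, dst)
    if pol is None:
        return f"selector {sel} carries it, but no firewall policy allows it"
    return f"allowed: selector {sel}, policy {pol}"


def report(selectors, policies):
    """Map each flow label to its verdict under the given selectors and policies."""
    return {label: verdict(selectors, policies, s, d) for s, d, label in FLOWS}


if __name__ == "__main__":
    # Selector and policy pair needed to open the two cross directions
    # (server <-> client) with narrow selectors: one more pair each.
    extra = [(net("10.1.10.0/24"), net("10.2.20.0/24")),
             (net("10.1.20.0/24"), net("10.2.10.0/24"))]
    for title, sels, pols in [
        ("specific selectors", HQ_SPECIFIC, HQ_POLICIES),
        ("0/0 selector, same policies", HQ_WILDCARD, HQ_POLICIES),
        ("specific selectors + cross pairs", HQ_SPECIFIC + extra, HQ_POLICIES + extra),
    ]:
        print(f"== {title}")
        for label, result in report(sels, pols).items():
            print(f"{label}: {result}")
```

Running it shows the three states a flow can be in on one side: with the two narrow selectors, the server-to-client directions match no selector at all, so no SA exists to carry them regardless of policy; with a 0/0 selector, the same flows are carried but stop at the policy list; adding a covering pair to both selectors and policies opens them. The branch side must mirror whichever pairs you choose, and the matcher can be run there with the pairs reversed.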