Hello.
I have a problem with PING between IPsec in my project.
My network is built partly in GNS3 and partly physically at home.
In GNS3 I have 2 FortiGate devices with IP addresses: 10.1.20.1 (name BYD) and 10.3.90.1 (name WAW)
Physically at home I have a FortiGate with IP address: 10.0.90.1 (name GDA)
IP Address IPsec GDA: 192.168.0.201
IP Address IPsec BYD: 192.168.0.200
IP Address IPsec WAW: 192.168.0.203
Everything looks good, but I have a problem with ping from GDA to BYD and WAW.
IPsec between all sites is working well, and PING from BYD and WAW reaches GDA. PING between BYD and WAW also works well.
IPv4 Policy BYD:
IPv4 Policy WAW:
IPv4 Policy GDA:
In addition, I have a static route set as below
BYD:
WAW:
GDA:
Administrative distance everywhere 1 and blackhole 254
Can someone help solve the problem?
Created on 03-09-2022 02:38 AM
Hi,
Thank you for using Community.
Are these the screen captures when you tried pinging from GDA-BYD/WAW? If it is, it seems that the interface 'LAN' configured in GDA is not up.
Ping from WAW and BYD to GDA from CLI Forti
PING from GDA to WAW and BYD from CLI Forti
Created on 03-09-2022 02:54 AM
What I may propose is to look at what is happening to the packets/traffic flow. Please try the following commands while pinging:
diag debug enable
diag debug flow filter addr <ipaddr4>
diag debug flow trace start 1000
diag debug flow trace stop
Ping from GDA to WAW and BYD
BYD to GDA
Hi Sebix,
The error "no matching IPsec selector, drop" is seen in the firewall GDA-FW.
Check the traffic selectors under phase2 config (source subnet 192.168.0.x, destination subnet 10.3.90.x). Also you may share the output for diag vpn tunnel list name <VPN name> for better understanding.
Regards,
IPsec config GDA to WAW
interface wan1 - 192.168.0.201
Phase2 GDA to WAW
DIAG
@vponmuniraj
@Anonymous
Any idea?
Hi Sebix,
Looking at the flow debug and the output, it looks like the pings to 10.3.90.1 & 10.1.20.1 are sourced from IP 192.168.0.201 (probably because the tunnel interface has no IP).
Check the below from GDA:
exec ping-option source 10.0.90.1
exec ping 10.3.90.1
exec ping 10.1.20.1
Regards,
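To illustrate why the earlier debug output showed "no matching IPsec selector, drop" and why forcing the ping source to 10.0.90.1 fixes it, here is an added example (not from the thread or from FortiOS) that models phase2 selector matching on GDA. The /24 masks and the selector names are assumptions; only the host addresses come from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2Selector:
    """One phase2 traffic selector: traffic is only encrypted when src and dst both match."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def match_selector(selectors, src_ip, dst_ip):
    """Return the first selector covering the packet's src/dst pair, or None if nothing matches."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for sel in selectors:
        if src in sel.src and dst in sel.dst:
            return sel
    return None


def explain(selectors, src_ip, dst_ip):
    """Describe the forwarding decision in the same words the flow debug uses."""
    sel = match_selector(selectors, src_ip, dst_ip)
    if sel is None:
        return "no matching IPsec selector, drop"
    return f"encrypt via {sel.name}"


# Constructed phase2 selectors for GDA, assuming each site LAN is a /24:
# GDA LAN 10.0.90.0/24, WAW LAN 10.3.90.0/24, BYD LAN 10.1.20.0/24.
GDA_PHASE2 = [
    Phase2Selector("GDA-to-WAW", ipaddress.IPv4Network("10.0.90.0/24"), ipaddress.IPv4Network("10.3.90.0/24")),
    Phase2Selector("GDA-to-BYD", ipaddress.IPv4Network("10.0.90.0/24"), ipaddress.IPv4Network("10.1.20.0/24")),
]

if __name__ == "__main__":
    # A ping sourced from the wan1 address (192.168.0.201) matches no selector and is dropped;
    # the same ping sourced from the LAN address (10.0.90.1) is encrypted into the tunnel.
    for src in ("192.168.0.201", "10.0.90.1"):
        for dst in ("10.3.90.1", "10.1.20.1"):
            print(f"{src} -> {dst}: {explain(GDA_PHASE2, src, dst)}")
```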
Ping from GDA to WAW with source 10.0.90.1
I tried to figure it out and
When I add policy rules on WAW
And BYD
Then PING from GDA works fine.