I'm playing with another VDOM setup. This time the root VDOM will hold the primary traffic while a sub VDOM will only have an inbound IPsec VPN connection for remote clients to connect to via FortiClient. I've got the root VDOM set up and it's passing traffic correctly. The VPN terminates at VDOM-A.
Here is a network map
I've got a VIP at the root VDOM that's passing traffic through to the 10.2.2.2 IP. I've got the firewall rule at root that's allowing traffic inbound to the VIP. In VDOM-A, I've got the VPN configured with the 10.2.2.2 interface (the inter-VDOM link), so it should all be set up correctly. The "external" (this is all in a lab, no actual real IPs involved) IP for the IPsec VPN is 40.40.40.35. When I try to connect from a VPN client, the connection just times out and won't connect.
If I run a "diagnose sniffer packet any 'host 40.40.40.35'" and run a ping to 40.40.40.35 from the VPN client, I see traffic. However, when I actually try to connect with FortiClient I don't see ANY traffic. On the client side I can see the traffic going out, but on the root or VDOM-A side I see no traffic at all, and I'm lost as to what I've got wrong.
So this is a FortiGate on the client side.
You can see the ping go out. Then you can see the IPsec connection attempt.
However, on the VDOM-A side:
You can see the ping traffic, but then nothing at all. It makes no difference if I run the diag at the root or VDOM-A context. I can see the ICMP traffic sent by the client to 40.40.40.35. I can even see port 80 traffic if the client tries to browse to 40.40.40.35. When the client tries the VPN connection though, I don't see any traffic.
OMG guys, I'm an idiot. I'm thinking that the problem is with the VDOM because I'm learning that and don't fully understand it. So that's where the problem has to be, right?
Well, Mr. Idiot here, for WHATEVER reason, didn't have an "any" rule set up on the client side. I was only allowing ICMP and HTTP outbound. OMG. I've spent SO much time troubleshooting the wrong side. *facepalm*
Which VDOM terminates the IPsec VPNs, root or VDOM-A? If VDOM-A, you should see "icmp" packets at the root VDOM in sniffing. It should be encapsulated in either UDP 500 (like in the first screenshot) or 4500 if pinged toward 10.10.0.0/16.
Toshi
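To make the check Toshi describes repeatable, here is an added example (not from the thread or from Fortinet) that parses the one-line-per-packet output of "diagnose sniffer packet" and reports which kinds of inbound traffic reached the VPN IP, flagging whether IKE (UDP 500/4500) ever arrived. The line format in the regex and all sample lines are assumptions/constructed to reproduce the symptom in the thread.

```python
import re
from collections import Counter

# One-line-per-packet summary as printed by "diagnose sniffer packet" at verbosity 4:
# "<secs> <intf> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <proto details>".
# This format is an assumption; the sample lines further down are constructed.
LINE_RE = re.compile(
    r"^\S+\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

def classify(line):
    """Return (direction, dst, kind) for a packet line, or None for non-packet output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    dport = int(m.group("dport")) if m.group("dport") else None
    if rest.startswith("icmp"):
        kind = "icmp"
    elif rest.startswith("udp") and dport in (500, 4500):
        kind = "ike/udp%d" % dport   # IKE on 500, NAT-T (IKE or ESP-in-UDP) on 4500
    elif dport == 80:
        kind = "http"                # TCP lines show flags (syn/ack/psh) instead of "tcp"
    else:
        kind = "other"
    return m.group("dir"), m.group("dst"), kind

def triage(lines, vpn_ip):
    """Count inbound packet kinds addressed to vpn_ip and flag whether IKE ever arrived."""
    counts = Counter()
    for line in lines:
        pkt = classify(line)
        if pkt and pkt[0] == "in" and pkt[1] == vpn_ip:
            counts[pkt[2]] += 1
    ike_seen = any(k.startswith("ike/") for k in counts)
    return counts, ike_seen

# Constructed sniffer output reproducing the thread's symptom: ICMP and HTTP reach
# 40.40.40.35 but no UDP 500/4500 ever does, so the client side must be checked.
SAMPLE = """\
interfaces=[any]
filters=[host 40.40.40.35]
1.201331 port1 in 40.40.40.10 -> 40.40.40.35: icmp: echo request
1.201402 port1 out 40.40.40.35 -> 40.40.40.10: icmp: echo reply
2.510877 port1 in 40.40.40.10.52011 -> 40.40.40.35.80: syn 3010240411
""".splitlines()

if __name__ == "__main__":
    counts, ike_seen = triage(SAMPLE, "40.40.40.35")
    print(dict(counts), "IKE seen:", ike_seen)
```

If the script reports no IKE traffic while ICMP and HTTP are counted, the firewall and VIP are reachable and the gap is upstream of it, which is exactly where this thread's outbound policy turned out to be missing.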
Created on 12-11-2024 06:49 AM Edited on 12-11-2024 06:57 AM
It's VDOM-A. I don't see any packets for the VPN connection with a "diag sniffer packet any 'host 40.40.40.35'" regardless of whether I'm running it in the root or VDOM-A context.
If I try to browse 40.40.40.35, I can see the traffic (there isn't anything there to 'browse' but I see the traffic so I know the VIP/firewall rules are passing the traffic through). If I do a ping I can see the traffic. When I try to do the VPN connection, I see no traffic. Just to be perfectly clear, it's during the attempt at making the VPN connection that I'm not seeing any traffic. The client side times out and I do not see any inbound traffic to the IP. So the VPN isn't even connecting.
The 40.40.40.35 is on the port1 IP and you forwarded UDP 500/4500 to 10.2.2.2, right? I'm assuming you didn't forward ICMP to 10.2.2.2. What exactly did you ping from the client machine? Through the tunnel and 10.10.x.x/16? Is the tunnel up? or that's what you're troubleshooting?
Toshi
40.40.40.35 is on port1. I'm forwarding ALL traffic on the VIP to 10.2.2.2 and I'm allowing all traffic on the firewall rule.
The VPN client will not connect.
From the VPN client machine if I ping 40.40.40.35 I can see the ICMP traffic in the firewall.
From the VPN client machine, if I browse to http://40.40.40.35 I can see the HTTP traffic in the firewall (there is nothing to 'browse' to, but I see the traffic).
From the VPN client machine if I try to connect the VPN it times out. I see the traffic leaving the client side, I never see any traffic on the VDOM-A side.
I would assume you should be able to see it and if it doesn't show up, something before the FGT is causing the ping packets not to arrive.
The HTTP access should hit the 10.2.2.2 IP if you forwarded everything. So if you allow HTTP on the VDOM-A vdomlink interface, you should get admin GUI login page.
Toshi
That's the problem, it never shows up. Other traffic shows up. I can see the VPN traffic leaving the client site, so the client is sending the request out. If I send ICMP or HTTP traffic it shows up. VPN traffic, though, nothing. There is one router in between the client and the site, with no filtering happening there.
I would suspect the client machine itself. I would run Wireshark on the machine to make sure the ICMP packets are leaving toward the IP on the proper Ethernet interface without encapsulation.
Toshi
Also I would sniff all packets at port1 without filtering by the host IP. Then ping it.
ICMP is not the issue. The issue is the VPN does not connect. I can see the VPN packets leaving the client.