Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HS08
New Contributor II

Remote Subnet VPN Site to Site

Hello,

I have VPN site to site to connecting on-prem to the azure. The connection was working properly, local subnet in the on-prem can communicate to the remote subnet on azure.

But if i execute ping from FortiGate management ip why is not reachable? So if i change my LDAP connection from Server located in the on-prem to Azure VM, the connection is not success.

 

7 REPLIES 7
pdelapena
Staff
Staff

Hi @HS08 ,

You can try to configure an IP address in tunnel interface then specify a source-ip. Check the KB below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-for-self-originating-IPsec-tunne...

Regards,

Paulo Dela Pena
HS08
New Contributor II

HI I'm not found where i should specify source-ip on my VPN site to site tunnel. Are you know where?

pdelapena

Hi @HS08 ,

You need to configure tunnel IP address under Network > Interface > then locate the IPsec tunnel interface. After that, follow the guide given previously and see if it will work.

Paulo Dela Pena
HS08
New Contributor II

HI..

 

I'm not talking about SSL VPN but Site to Site VPN. What we see in interface is interface for SSL VPN.

pdelapena

Hi @HS08 ,

You should be able to see the IPsec tunnel interface once you dig deeper under the WAN interface or whatever interface you have configured for IPsec VPN. This is different to the 'ssl.root' interface which is used for SSL-VPN.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IP-address-on-an-IPSec-tunnel-in...

Regards,

Paulo Dela Pena
srajeswaran
Staff
Staff

Under LDAP can you specify the source IP as your on-prem interface IP and check?

# config user ldap
    edit <LDAP object name>
        set source-ip <IP address associated an interface>
    end

make sure you are able to ping LDAP server on Azure is pingable using the source Ip (on-prem interface IP )
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
hbac
Staff
Staff

Hi @HS08,

 

It depends whether your management IP is included in the phase2 selectors or not and whether it is allowed in the firewall policy or not. For LDAP over IPsec tunnel, please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-with-remote-LDAP-via-site-t...

 

Regards, 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors