- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiAP
- FortiClient
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiExtender
- FortiEDR
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Remote subnet not reachable over Dial Up VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remote subnet not reachable over Dial Up VPN
Hello,
a remote site dials into my Fortigate via Custom VPN. The connection is also established.
Unfortunately, the remote addresses are not reachable.
What could be the reason for this?
The static routes are set and the policies are also set up.
Another site-to-site VPN works.
192.168.101.0/24 = Remote Dial Up Network
192.168.25.0/24 = Remote Site to Site VPN Network
Configuration:edit "Remote_location"
set type dynamic
set interface "wan_fiber"
set keylife 28800
set mode aggressive
set peertype one
set net-device disable
set proposal aes256-sha256
set localid "DialInLocation"
set dhgrp 5
set peerid "RemoteLocation"
set psksecret ENC PSK
set dpd-retryinterval 60
next
edit "Remote_location"
set phase1name "Remote_location"
set proposal aes256-sha256
set pfs disable
set src-addr-type name
set dst-addr-type name
set keylifeseconds 28800
set src-name "HomeLocation_subnets"
set dst-name "Remote_subnets"
next
Routing table for VRF=0
S *> 0.0.0.0/0 [10/0] via own_public_wan_gateway, wan_glasfaser, [100/0]
C *> own_public_wan_network/29 is directly connected, wan_fiber
C *> 192.168.1.0/24 is directly connected, lan
S 192.168.25.0/24 [254/0] is a summary, Null, [1/0]
S *> 192.168.25.0/24 [10/0] via Site-To-Site_VPN tunnel PUBLICIP_REMOTE_S2S, [1/0]
S 192.168.101.0/24 [15/0] via Remote_location tunnel PUBLICIP_REMOTE, [1/0]
S 192.168.101.0/24 [254/0] is a summary, Null, [1/0]
S *> 192.168.101.0/24 [10/0] is directly connected, Remote_location, [1/0]
Routing table for VRF=0
Routing entry for 192.168.101.0/24
Known via "static", distance 15, metric 0
via Remote_location tunnel PUBLICIP_REMOTE vrf 0, tun_id
Routing entry for 192.168.101.0/24
Known via "static", distance 254, metric 0
directly connected, Null
Routing entry for 192.168.101.0/24
Known via "static", distance 10, metric 0, best
* directly connected, Remote_location
Routing table for VRF=0
Routing entry for 192.168.25.0/24
Known via "static", distance 254, metric 0
directly connected, Null
Routing entry for 192.168.25.0/24
Known via "static", distance 10, metric 0, best
* via S2S_VPN tunnel PUBLICIP_REMOTE_S2S vrf 0, tun_id
Labels:
- Labels:
-
FortiGate
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you confirm that on the DialUP site that connects to your FGT, the route towards 192.168.25.0/24 is being installed in the routing table ?
Also, on your FGT to the remote S2S VPN, in phase-2 params do you have the network for 192.168.101.0/24 marked for the encrypt/interesting traffic or if it's all 0.0.0.0/0 for src/dst does the S2S remote device have a route back to the DialUP network back to your FGT ?
As for the rules, you should have something like src intf DialUP , dst intf S2S , src addr <> , dst addr <> , something similar on the remote site from src intf S2S, etc.
---------------------------
geek
---------------------------
geek
---------------------------
---------------------------geek---------------------------
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The route between 192.168.25.0/24 and my lan is working. This is the S2S VPN.
the problem is at 192.168.101.0/24
The Fortigate is a new arrival. The VPN previously worked with a different router. Nothing has been changed on the remote side since then.
Only with the Fortigate does the Dial Up VPN no longer work correctly.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @HKMB,
So you want your LAN 192.168.1.0/24 to be able to reach dialup users 192.168.101.0/24? You don't need a static route for that, once dialup users connect to the VPN, the route to 192.168.101.0/24 will be activated. Do you have a firewall policy to allow traffic from LAN to the dialup tunnel? You can run debug flows to see if the traffic is being dropped. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,
Created on 12-11-2023 08:35 AM Edited on 12-11-2023 08:37 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes exactly, that's what I want.
The firewall rules are set.
I'm a bit confused by the "_0" in the logs or in the VPN. The S2S VPN does not have this.
Logs:
vd: root/0
name: Remote_location_0
version: 1
interface: wan_fiber 44
addr: own_public_wan_gateway:4500 -> PUBLICIP_REMOTE:58739
tun_id: PUBLICIP_REMOTE/::10.0.14.89
remote_location: 0.0.0.0
network-id: 0
created: 66s ago
peer-id: RemoteLocation
peer-id-auth: yes
nat: peer
IKE SA: created 1/1 established 1/1 time 240/240/240 ms
IPsec SA: created 4/12 established 4/12 time 840/871/990 ms
id/spi: 4053 f759b38f6955d575/291090fe91f66c1d
direction: responder
status: established 66-66s ago = 240ms
proposal: aes256-sha256
key: 0dc86f3c552560e3-b71acb3fdb2f1bda-23926a5fe9fe6fd7-91f5c95022c10393
lifetime/rekey: 28800/28463
DPD sent/recv: 00000000/21f4867a
peer-id: RemoteLocation
8.601955 lan in 192.168.1.197 -> 192.168.101.1: icmp: echo request
8.601974 Remote_location out 192.168.1.197 -> 192.168.101.1: icmp: echo request
13.602983 lan in 192.168.1.197 -> 192.168.101.1: icmp: echo request
13.602991 Remote_location out 192.168.1.197 -> 192.168.101.1: icmp: echo request
18.605171 lan in 192.168.1.197 -> 192.168.101.1: icmp: echo request
18.605188 Remote_location out 192.168.1.197 -> 192.168.101.1: icmp: echo request
2023-12-11 17:24:27 id=65308 trace_id=1 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=1, 192.168.1.197:1->192.168.101.1:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=128."
2023-12-11 17:24:27 id=65308 trace_id=1 func=init_ip_session_common line=6017 msg="allocate a new session-00df52a5, tun_id=0.0.0.0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_dnat_check line=5453 msg="in-[lan], out-[]"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_dnat_tree_check line=834 msg="len=0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_dnat_check line=5474 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2023-12-11 17:24:27 id=65308 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-192.168.101.1 via Remote_location"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_fwd_check line=798 msg="in-[lan], out-[Remote_location], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=5, len=2"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-100004 policy-129, ret-matched, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_user_identity_check line=1882 msg="ret-matched"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check line=2382 msg="gnum-4e20, check-ffffffffa002f830"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check line=2399 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2352 msg="policy-129 is matched, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_fwd_check line=835 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-129"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_fwd_auth_check line=864 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-129"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_shaping_check line=962 msg="in-[lan], out-[Remote_location], skb_flags-02000000, vid-0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check line=2382 msg="gnum-100015, check-ffffffffa002e280"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-100015 policy-1, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-100015 policy-2, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check line=2399 msg="gnum-100015 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_policy_group_check line=4876 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_reverse_dnat_check line=1334 msg="in-[lan], out-[Remote_location], skb_flags-02000000, vid-0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_central_nat_check line=1357 msg="in-[lan], out-[Remote_location], skb_flags-02000000, vid-0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-10000d policy-4, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-10000d policy-9, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2352 msg="policy-0 is matched, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=fw_snat_check line=676 msg="NAT disabled by central SNAT policy!"
2023-12-11 17:24:27 id=65308 trace_id=1 func=fw_forward_handler line=999 msg="Allowed by Policy-129:"
2023-12-11 17:24:27 id=65308 trace_id=1 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Remote_location, tun_id=0.0.0.0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Remote_location_0, tun_id=PUBLICIP_REMOTE, vrf 0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=esp_output4 line=896 msg="IPsec encrypt/auth"
2023-12-11 17:24:27 id=65308 trace_id=1 func=ipsec_output_finish line=629 msg="send to own_public_wan_gateway via intf-wan_fiber"
2023-12-11 17:24:32 id=65308 trace_id=2 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=1, 192.168.1.197:1->192.168.101.1:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=129."
2023-12-11 17:24:32 id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5920 msg="Find an existing session, id-00df52a5, original direction"
2023-12-11 17:24:32 id=65308 trace_id=2 func=npu_handle_session44 line=1199 msg="Trying to offloading session from lan to Remote_location, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040000"
2023-12-11 17:24:32 id=65308 trace_id=2 func=fw_forward_dirty_handler line=446 msg="state=00000200, state2=00000000, npu_state=01040000"
2023-12-11 17:24:32 id=65308 trace_id=2 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Remote_location, tun_id=0.0.0.0"
2023-12-11 17:24:32 id=65308 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Remote_location_0, tun_id=PUBLICIP_REMOTE, vrf 0"
2023-12-11 17:24:32 id=65308 trace_id=2 func=esp_output4 line=896 msg="IPsec encrypt/auth"
2023-12-11 17:24:32 id=65308 trace_id=2 func=ipsec_output_finish line=629 msg="send to own_public_wan_gateway via intf-wan_fiber"
2023-12-11 17:24:37 id=65308 trace_id=3 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=1, 192.168.1.197:1->192.168.101.1:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=130."
2023-12-11 17:24:37 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5920 msg="Find an existing session, id-00df52a5, original direction"
2023-12-11 17:24:37 id=65308 trace_id=3 func=npu_handle_session44 line=1199 msg="Trying to offloading session from lan to Remote_location, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x01040000"
2023-12-11 17:24:37 id=65308 trace_id=3 func=ip_session_install_npu_session line=357 msg="npu session installation succeeded"
2023-12-11 17:24:37 id=65308 trace_id=3 func=fw_forward_dirty_handler line=446 msg="state=00010200, state2=00000000, npu_state=01000400"
2023-12-11 17:24:37 id=65308 trace_id=3 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Remote_location, tun_id=0.0.0.0"
2023-12-11 17:24:37 id=65308 trace_id=3 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Remote_location_0, tun_id=PUBLICIP_REMOTE, vrf 0"
2023-12-11 17:24:37 id=65308 trace_id=3 func=esp_output4 line=896 msg="IPsec encrypt/auth"
2023-12-11 17:24:37 id=65308 trace_id=3 func=ipsec_output_finish line=629 msg="send to own_public_wan_gateway via intf-wan_fiber"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The traffic was entering the Remote_location tunnel correctly. There is no drops. Make sure the Windows firewall is not dropping the traffic on 192.168.101.1. You can also run packet captures on 192.168.101.1 to see if it receives icmp requests or not.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It also does not work if the Windows firewall is deactivated.
The PING command on the Fortigate directly does not work either.
FortiGate-201F # execute ping 192.168.101.1
PING 192.168.101.1 (192.168.101.1): 56 data bytes
--- 192.168.101.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Unfortunately, I have no direct access to 192.168.101.1.
With the old firewall it worked without any problems. It stopped working since I switched to the Fortigate.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I mentioned, the sniffer is telling us that ICMP requests are going through the tunnel but no response. We need to run packet captures on 192.168.101.1 to see if it is receiving the traffic or not.
Remote_location out 192.168.1.197 -> 192.168.101.1: icmp: echo request
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I wrote, I unfortunately have no direct access to the other side.
Nothing has changed on the other side.
Only my hardware.
Is there anything else I can check?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I observe is that very rarely does a ping reach the target. But very, very rarely.
Maybe it's a problem that the router that dials in is behind another router.
192.168.101.1 reaches the Internet via 192.168.0.46 or 192.168.0.1.
Do I have to take this into account somehow?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiGate configuration for FortiPAM Gateway 140 Views
- FortiAP 231F not connecting to FG 403 Views
- FortiAP offline/disconnected 313 Views
- How to route ougoing FG traffic... 195 Views
- no traffic in IPSEC vpn tunnel... 248 Views
Labels
-
FortiGate
7,038 -
FortiClient
1,389 -
5.2
801 -
5.4
639 -
FortiManager
610 -
FortiAnalyzer
446 -
6.0
416 -
FortiAP
369 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
286 -
FortiMail
272 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
172 -
6.4
128 -
FortiNAC
123 -
FortiGuard
112 -
IPsec
104 -
FortiGateCloud
94 -
SSL-VPN
94 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
48 -
FortiADC
45 -
Fortivoice
44 -
SD-WAN
43 -
FortiEDR
42 -
FortiDNS
37 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiAuthenticator
32 -
FortiSwitch v6.4
32 -
Firewall policy
32 -
VLAN
28 -
High Availability
28 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
DNS
21 -
FortiConverter
21 -
BGP
19 -
FortiGate v5.2
19 -
Certificate
19 -
SAML
18 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
16 -
FortiMonitor
14 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Interface
14 -
FortiDDoS
14 -
Logging
14 -
Routing
13 -
FortiCASB
12 -
RADIUS
11 -
NAT
11 -
Web profile
11 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
WAN optimization
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Proxy policy
6 -
Security profile
6 -
Traffic shaping policy
6 -
Static route
6 -
FortiDirector
5 -
IPS signature
5 -
Packet capture
5 -
FortiAP profile
5 -
Automation
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
Web rating
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
System settings
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
FortiDB
3 -
Intrusion prevention
3 -
Protocol option
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
FortiAI
2 -
Application signature
2 -
VoIP profile
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
4.0MR1
1 -
TACACS
1 -
Subscription Renewal Policy
1 -
Replacement messages
1 -
FortiCWP
1 -
FortiNDR
1 -
Schedule
1 -
SDN connector
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
DLP sensor
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1041 | |
| 862 | |
| 512 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.