Hello,
a remote site dials into my Fortigate via Custom VPN. The connection is also established.
Unfortunately, the remote addresses are not reachable.
What could be the reason for this?
The static routes are set and the policies are also set up.
Another site-to-site VPN works.
192.168.101.0/24 = Remote Dial Up Network
192.168.25.0/24 = Remote Site to Site VPN Network
Configuration:
edit "Remote_location"
set type dynamic
set interface "wan_fiber"
set keylife 28800
set mode aggressive
set peertype one
set net-device disable
set proposal aes256-sha256
set localid "DialInLocation"
set dhgrp 5
set peerid "RemoteLocation"
set psksecret ENC PSK
set dpd-retryinterval 60
next
edit "Remote_location"
set phase1name "Remote_location"
set proposal aes256-sha256
set pfs disable
set src-addr-type name
set dst-addr-type name
set keylifeseconds 28800
set src-name "HomeLocation_subnets"
set dst-name "Remote_subnets"
next
Routing table for VRF=0
S *> 0.0.0.0/0 [10/0] via own_public_wan_gateway, wan_glasfaser, [100/0]
C *> own_public_wan_network/29 is directly connected, wan_fiber
C *> 192.168.1.0/24 is directly connected, lan
S 192.168.25.0/24 [254/0] is a summary, Null, [1/0]
S *> 192.168.25.0/24 [10/0] via Site-To-Site_VPN tunnel PUBLICIP_REMOTE_S2S, [1/0]
S 192.168.101.0/24 [15/0] via Remote_location tunnel PUBLICIP_REMOTE, [1/0]
S 192.168.101.0/24 [254/0] is a summary, Null, [1/0]
S *> 192.168.101.0/24 [10/0] is directly connected, Remote_location, [1/0]
Routing table for VRF=0
Routing entry for 192.168.101.0/24
Known via "static", distance 15, metric 0
via Remote_location tunnel PUBLICIP_REMOTE vrf 0, tun_id
Routing entry for 192.168.101.0/24
Known via "static", distance 254, metric 0
directly connected, Null
Routing entry for 192.168.101.0/24
Known via "static", distance 10, metric 0, best
* directly connected, Remote_location
Routing table for VRF=0
Routing entry for 192.168.25.0/24
Known via "static", distance 254, metric 0
directly connected, Null
Routing entry for 192.168.25.0/24
Known via "static", distance 10, metric 0, best
* via S2S_VPN tunnel PUBLICIP_REMOTE_S2S vrf 0, tun_id
Can you confirm that on the DialUP site that connects to your FGT, the route towards 192.168.25.0/24 is being installed in the routing table?
Also, on your FGT to the remote S2S VPN, in phase-2 params do you have the network for 192.168.101.0/24 marked for the encrypt/interesting traffic, or if it's all 0.0.0.0/0 for src/dst, does the S2S remote device have a route back to the DialUP network back to your FGT?
As for the rules, you should have something like src intf DialUP, dst intf S2S, src addr <>, dst addr <>, and something similar on the remote site from src intf S2S, etc.
The route between 192.168.25.0/24 and my lan is working. This is the S2S VPN.
the problem is at 192.168.101.0/24
The Fortigate is a new arrival. The VPN previously worked with a different router. Nothing has been changed on the remote side since then.
Only with the Fortigate does the Dial Up VPN no longer work correctly.
Hi @HKMB,
So you want your LAN 192.168.1.0/24 to be able to reach dialup users 192.168.101.0/24? You don't need a static route for that, once dialup users connect to the VPN, the route to 192.168.101.0/24 will be activated. Do you have a firewall policy to allow traffic from LAN to the dialup tunnel? You can run debug flows to see if the traffic is being dropped. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,
Created on 12-11-2023 08:35 AM Edited on 12-11-2023 08:37 AM
Yes exactly, that's what I want.
The firewall rules are set.
I'm a bit confused by the "_0" in the logs or in the VPN. The S2S VPN does not have this.
Logs:
vd: root/0
name: Remote_location_0
version: 1
interface: wan_fiber 44
addr: own_public_wan_gateway:4500 -> PUBLICIP_REMOTE:58739
tun_id: PUBLICIP_REMOTE/::10.0.14.89
remote_location: 0.0.0.0
network-id: 0
created: 66s ago
peer-id: RemoteLocation
peer-id-auth: yes
nat: peer
IKE SA: created 1/1 established 1/1 time 240/240/240 ms
IPsec SA: created 4/12 established 4/12 time 840/871/990 ms
id/spi: 4053 f759b38f6955d575/291090fe91f66c1d
direction: responder
status: established 66-66s ago = 240ms
proposal: aes256-sha256
key: 0dc86f3c552560e3-b71acb3fdb2f1bda-23926a5fe9fe6fd7-91f5c95022c10393
lifetime/rekey: 28800/28463
DPD sent/recv: 00000000/21f4867a
peer-id: RemoteLocation
8.601955 lan in 192.168.1.197 -> 192.168.101.1: icmp: echo request
8.601974 Remote_location out 192.168.1.197 -> 192.168.101.1: icmp: echo request
13.602983 lan in 192.168.1.197 -> 192.168.101.1: icmp: echo request
13.602991 Remote_location out 192.168.1.197 -> 192.168.101.1: icmp: echo request
18.605171 lan in 192.168.1.197 -> 192.168.101.1: icmp: echo request
18.605188 Remote_location out 192.168.1.197 -> 192.168.101.1: icmp: echo request
2023-12-11 17:24:27 id=65308 trace_id=1 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=1, 192.168.1.197:1->192.168.101.1:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=128."
2023-12-11 17:24:27 id=65308 trace_id=1 func=init_ip_session_common line=6017 msg="allocate a new session-00df52a5, tun_id=0.0.0.0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_dnat_check line=5453 msg="in-[lan], out-[]"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_dnat_tree_check line=834 msg="len=0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_dnat_check line=5474 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2023-12-11 17:24:27 id=65308 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-192.168.101.1 via Remote_location"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_fwd_check line=798 msg="in-[lan], out-[Remote_location], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=5, len=2"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-100004 policy-129, ret-matched, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_user_identity_check line=1882 msg="ret-matched"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check line=2382 msg="gnum-4e20, check-ffffffffa002f830"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check line=2399 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2352 msg="policy-129 is matched, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_fwd_check line=835 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-129"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_fwd_auth_check line=864 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-129"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_shaping_check line=962 msg="in-[lan], out-[Remote_location], skb_flags-02000000, vid-0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check line=2382 msg="gnum-100015, check-ffffffffa002e280"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-100015 policy-1, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-100015 policy-2, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check line=2399 msg="gnum-100015 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_policy_group_check line=4876 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_reverse_dnat_check line=1334 msg="in-[lan], out-[Remote_location], skb_flags-02000000, vid-0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=iprope_central_nat_check line=1357 msg="in-[lan], out-[Remote_location], skb_flags-02000000, vid-0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-10000d policy-4, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-10000d policy-9, ret-no-match, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2119 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=__iprope_check_one_policy line=2352 msg="policy-0 is matched, act-accept"
2023-12-11 17:24:27 id=65308 trace_id=1 func=fw_snat_check line=676 msg="NAT disabled by central SNAT policy!"
2023-12-11 17:24:27 id=65308 trace_id=1 func=fw_forward_handler line=999 msg="Allowed by Policy-129:"
2023-12-11 17:24:27 id=65308 trace_id=1 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Remote_location, tun_id=0.0.0.0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Remote_location_0, tun_id=PUBLICIP_REMOTE, vrf 0"
2023-12-11 17:24:27 id=65308 trace_id=1 func=esp_output4 line=896 msg="IPsec encrypt/auth"
2023-12-11 17:24:27 id=65308 trace_id=1 func=ipsec_output_finish line=629 msg="send to own_public_wan_gateway via intf-wan_fiber"
2023-12-11 17:24:32 id=65308 trace_id=2 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=1, 192.168.1.197:1->192.168.101.1:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=129."
2023-12-11 17:24:32 id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5920 msg="Find an existing session, id-00df52a5, original direction"
2023-12-11 17:24:32 id=65308 trace_id=2 func=npu_handle_session44 line=1199 msg="Trying to offloading session from lan to Remote_location, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040000"
2023-12-11 17:24:32 id=65308 trace_id=2 func=fw_forward_dirty_handler line=446 msg="state=00000200, state2=00000000, npu_state=01040000"
2023-12-11 17:24:32 id=65308 trace_id=2 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Remote_location, tun_id=0.0.0.0"
2023-12-11 17:24:32 id=65308 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Remote_location_0, tun_id=PUBLICIP_REMOTE, vrf 0"
2023-12-11 17:24:32 id=65308 trace_id=2 func=esp_output4 line=896 msg="IPsec encrypt/auth"
2023-12-11 17:24:32 id=65308 trace_id=2 func=ipsec_output_finish line=629 msg="send to own_public_wan_gateway via intf-wan_fiber"
2023-12-11 17:24:37 id=65308 trace_id=3 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=1, 192.168.1.197:1->192.168.101.1:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=130."
2023-12-11 17:24:37 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5920 msg="Find an existing session, id-00df52a5, original direction"
2023-12-11 17:24:37 id=65308 trace_id=3 func=npu_handle_session44 line=1199 msg="Trying to offloading session from lan to Remote_location, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x01040000"
2023-12-11 17:24:37 id=65308 trace_id=3 func=ip_session_install_npu_session line=357 msg="npu session installation succeeded"
2023-12-11 17:24:37 id=65308 trace_id=3 func=fw_forward_dirty_handler line=446 msg="state=00010200, state2=00000000, npu_state=01000400"
2023-12-11 17:24:37 id=65308 trace_id=3 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Remote_location, tun_id=0.0.0.0"
2023-12-11 17:24:37 id=65308 trace_id=3 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Remote_location_0, tun_id=PUBLICIP_REMOTE, vrf 0"
2023-12-11 17:24:37 id=65308 trace_id=3 func=esp_output4 line=896 msg="IPsec encrypt/auth"
2023-12-11 17:24:37 id=65308 trace_id=3 func=ipsec_output_finish line=629 msg="send to own_public_wan_gateway via intf-wan_fiber"
The traffic was entering the Remote_location tunnel correctly. There are no drops. Make sure the Windows firewall is not dropping the traffic on 192.168.101.1. You can also run packet captures on 192.168.101.1 to see if it receives ICMP requests or not.
Regards,
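The reading above (route found, policy 129 matched, packet handed to the Remote_location_0 tunnel, nothing denied) is what a troubleshooter extracts by eye from a `diagnose debug flow` trace. The following is an added example, not code from this thread or from Fortinet: a small Python parser that walks such a trace per trace_id and reports, for each packet, the ingress interface, the route it resolved to, the matching policy, the central-SNAT decision, the IPsec tunnel it was written to, and whether any deny message appeared. The sample trace is constructed for the example: trace_id=1 mirrors the allowed path seen in this thread, and trace_id=2 is a constructed counterexample with a "Denied by forward policy check" line modelled on FortiOS output, so the parser's drop detection is exercised too.

```python
import re
from dataclasses import dataclass

# One `diagnose debug flow` line: timestamp, id, trace_id, func, line, quoted msg.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)

# Constructed sample trace (not a real capture); trace 1 mirrors the thread,
# trace 2 is a made-up denied packet to show the negative case.
SAMPLE_TRACE = """\
2023-12-11 17:24:27 id=65308 trace_id=1 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=1, 192.168.1.197:1->192.168.101.1:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=128."
2023-12-11 17:24:27 id=65308 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-192.168.101.1 via Remote_location"
2023-12-11 17:24:27 id=65308 trace_id=1 func=fw_snat_check line=676 msg="NAT disabled by central SNAT policy!"
2023-12-11 17:24:27 id=65308 trace_id=1 func=fw_forward_handler line=999 msg="Allowed by Policy-129:"
2023-12-11 17:24:27 id=65308 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Remote_location_0, tun_id=PUBLICIP_REMOTE, vrf 0"
2023-12-11 17:25:01 id=65308 trace_id=2 func=print_pkt_detail line=5832 msg="vd-root:0 received a packet(proto=1, 192.168.1.50:1->192.168.101.7:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=5."
2023-12-11 17:25:01 id=65308 trace_id=2 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-192.168.101.7 via Remote_location"
2023-12-11 17:25:01 id=65308 trace_id=2 func=fw_forward_handler line=999 msg="Denied by forward policy check (policy 0)"
"""


@dataclass
class TraceVerdict:
    trace_id: int
    src: str = ""
    dst: str = ""
    in_intf: str = ""
    route_via: str = ""   # egress interface chosen by the route lookup
    policy: str = ""      # firewall policy id that allowed the packet
    nat: str = ""         # "disabled" / "enabled" from the central SNAT check
    tunnel: str = ""      # IPsec tunnel the packet was written to
    dropped: str = ""     # deny/drop message, if one was seen

    @property
    def forwarded_into_tunnel(self) -> bool:
        """True when the packet reached an IPsec tunnel without a drop."""
        return bool(self.tunnel) and not self.dropped


def parse_debug_flow(text: str) -> dict[int, TraceVerdict]:
    """Group debug-flow lines by trace_id and extract the forwarding decision."""
    verdicts: dict[int, TraceVerdict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a debug-flow line (prompt, blank, sniffer output)
        tid = int(m["trace"])
        v = verdicts.setdefault(tid, TraceVerdict(trace_id=tid))
        func, msg = m["func"], m["msg"]
        if func == "print_pkt_detail":
            pm = re.search(r"(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+\).* from (\S+)\.", msg)
            if pm:
                v.src, v.dst, v.in_intf = pm.group(1), pm.group(2), pm.group(3)
        elif func == "vf_ip_route_input_common":
            rm = re.search(r"via (\S+)", msg)
            if rm:
                v.route_via = rm.group(1)
        elif func == "fw_snat_check":
            v.nat = "disabled" if "disabled" in msg else "enabled"
        elif func == "fw_forward_handler":
            am = re.search(r"Allowed by Policy-(\d+)", msg)
            if am:
                v.policy = am.group(1)
            elif "denied" in msg.lower():
                v.dropped = msg
        elif func == "_do_ipsecdev_hard_start_xmit":
            tm = re.search(r"output to IPSec tunnel (\S+),", msg)
            if tm:
                v.tunnel = tm.group(1)
        elif "drop" in msg.lower() or "denied" in msg.lower():
            v.dropped = msg  # catch-all for other deny/drop stages
    return verdicts


def summarize(verdicts: dict[int, TraceVerdict]) -> list[str]:
    """One human-readable line per trace, in trace_id order."""
    out = []
    for tid in sorted(verdicts):
        v = verdicts[tid]
        status = f"sent via {v.tunnel}" if v.forwarded_into_tunnel else f"NOT forwarded ({v.dropped or 'no tunnel output'})"
        out.append(f"trace {tid}: {v.src} -> {v.dst} in={v.in_intf} route={v.route_via} policy={v.policy or '-'} nat={v.nat or '-'}: {status}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_debug_flow(SAMPLE_TRACE)):
        print(line)
```

Run it against a saved `diagnose debug flow` capture instead of `SAMPLE_TRACE` to get a per-packet verdict; a packet that shows "sent via <tunnel>" has left the FortiGate encrypted, so, as in this thread, the next place to look is the remote side rather than the local policy set.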
It also does not work if the Windows firewall is deactivated.
The PING command on the Fortigate directly does not work either.
FortiGate-201F # execute ping 192.168.101.1
PING 192.168.101.1 (192.168.101.1): 56 data bytes
--- 192.168.101.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Unfortunately, I have no direct access to 192.168.101.1.
With the old firewall it worked without any problems. It stopped working since I switched to the Fortigate.
As I mentioned, the sniffer is telling us that ICMP requests are going through the tunnel but no response. We need to run packet captures on 192.168.101.1 to see if it is receiving the traffic or not.
Remote_location out 192.168.1.197 -> 192.168.101.1: icmp: echo request
Regards,
As I wrote, I unfortunately have no direct access to the other side.
Nothing has changed on the other side.
Only my hardware.
Is there anything else I can check?
What I observe is that very rarely does a ping reach the target. But very, very rarely.
Maybe it's a problem that the router that dials in is behind another router.
192.168.101.1 reaches the Internet via 192.168.0.46 or 192.168.0.1.
Do I have to take this into account somehow?