Routing issue over WAN
Hi all
I am wondering if someone can point me in the right direction here.
I have two FortiGates connected via an IPsec VPN.
Site B's internal interface is 192.168.3.0/24, Wi-Fi is 10.1.2.0/24.
Site A's internal interface is 192.168.2.0/24.
I have set up firewall policies and static routes for these IP ranges to the VPN objects in each FortiGate.
Clients on the internal interfaces can ping / communicate with the other side's internal interface, but clients on Site B's Wi-Fi cannot.
I have also updated the remote subnet address group to include 10.1.2.0/24 in Site A's firewall policy.
Would this be because in my VPN tunnel phase 2 I have specified the local and remote IP ranges instead of using 0.0.0.0/0?
A tracert from Site B's Wi-Fi to Site A's internal will show the first hop as hitting the Wi-Fi interface IP at Site B, then nothing.
Thanks for any assistance
Did you specify both subnets in the quick mode selectors (you can create 2 phase 2s)? You should have:
192.168.2.0/24 - 192.168.3.0/24
192.168.2.0/24 - 10.1.2.0/24
Lucas
Hi Lucas
No, I didn't; I am guessing this is the cause of my issue.
I am unable to add a second phase 2 selector in the web GUI, by the looks of it, without redoing the VPN setup.
Am I able to just edit the phase 2 in the CLI and change it from the specified IP ranges to 0.0.0.0/0 and expect it to behave?
Thanks
Which firmware do you use?
You can create the second phase2-interface in the CLI (config vpn ipsec phase2-interface, and copy your first phase2 configuration).
And you should be able to craft the 2nd phase2 interface and bind it to the named phase1. What the previous poster stated is what I find the easiest: use the CLI and copy the 1st phase2 config, rename it xxxxx-002, change the appropriate src/dst subnet and paste it in.
Then your diag debug vpn tunnel list name <xyz> will show the additional phase2 statistics.
PCNSE
NSE
StrongSwan
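As an added example (not from this thread or any of its posters), this is the CLI form of the two-selector approach Lucas and the poster above describe, using the subnets from the question; the phase 1 name "SiteA"/"SiteB" and the proposal are assumptions.

```fortios
# Site B FortiGate: two phase 2 selectors bound to the existing phase 1
# interface "SiteA" (assumed name). Subnets are the ones in the question.
config vpn ipsec phase2-interface
    # Existing selector: Site B LAN <-> Site A LAN
    edit "SiteA-001"
        set phase1name "SiteA"
        set proposal aes256-sha256
        set src-subnet 192.168.3.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
    # Second selector: copy of the first, renamed, only src-subnet changed
    # so Site B Wi-Fi <-> Site A LAN gets its own SA
    edit "SiteA-002"
        set phase1name "SiteA"
        set proposal aes256-sha256
        set src-subnet 10.1.2.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Site A FortiGate: the mirror image (src/dst swapped). Quick mode only
# brings up an SA when both ends offer matching selectors.
config vpn ipsec phase2-interface
    edit "SiteB-001"
        set phase1name "SiteB"
        set proposal aes256-sha256
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.3.0 255.255.255.0
    next
    edit "SiteB-002"
        set phase1name "SiteB"
        set proposal aes256-sha256
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 10.1.2.0 255.255.255.0
    next
end

# Verify from either side that both SAs are listed with their selectors
diagnose vpn tunnel list name "SiteA"
```

Keeping per-subnet selectors instead of 0.0.0.0/0 means each SA only carries the traffic it was built for, while the firewall policies still decide which flows between those subnets are permitted.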
Thanks all
I edited the phase 2 VPN and used unset to clear the IP ranges; this took them back to 0.0.0.0/0, and it is now working as expected.
