Hi all
I am wondering if someone can point me in the right direction here.
I have two FortiGates connected via an IPsec VPN.
Site B's internal interface is 192.168.3.0/24, Wi-Fi is 10.1.2.0/24.
Site A's internal interface is 192.168.2.0/24.
I have set up firewall policies and static routes for these IP ranges to the VPN objects in each FortiGate.
Clients on the internal interfaces can ping / communicate with the other side's internal interface, but clients on Site B's Wi-Fi cannot.
I have also updated the remote subnet address group to include 10.1.2.0/24 in Site A's firewall policy.
Would this be because in my VPN tunnel phase 2 I have specified the local and remote IP ranges instead of using 0.0.0.0/0?
A tracert from Site B's Wi-Fi to Site A's internal will show the first hop as hitting the Wi-Fi interface IP at Site B, then nothing.
Thanks for any assistance
Did you specify both subnets in the quick mode selector (you can create 2 phase 2s)? You should have:
192.168.2.0/24 - 192.168.3.0/24
192.168.2.0/24 - 10.1.2.0/24
Lucas
Hi Lucas
No I didn't, I am guessing this is the cause of my issue.
I am unable to add a second phase 2 selector in the web GUI, by the looks, without redoing the VPN setup.
Am I able to just edit the phase 2 in the CLI and change it from specified IP ranges to 0.0.0.0/0 and expect it to behave?
Thanks
Which firmware do you use?
You can create the second phase2-interface in the CLI (config vpn ipsec phase2-interface, and copy your first phase2 configuration).
And you should be able to craft the 2nd phase2 intf and bind it to the named phase1. What the previous poster stated is what I find the easiest: use the CLI and copy the 1st phase2 cfg, rename it xxxxx-002, change the appropriate src/dst subnet and paste it in.
Then your diag debug vpn tunnel list name <xyz> will show the additional phase2 statistics.
PCNSE
NSE
StrongSwan
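The second phase2-interface described in the replies above, written out with the thread's subnets as an added example (not the posters' own configuration). The phase 1 names "SiteA-SiteB" / "SiteB-SiteA", the selector names and the proposal are assumptions; the subnets are the ones from the question.

```text
# Site A FortiGate: add a second phase 2 bound to the existing phase 1 "SiteA-SiteB"
# (phase 1 name, selector name and proposal are assumptions; subnets are from the thread)
config vpn ipsec phase2-interface
    edit "SiteA-SiteB-002"
        set phase1name "SiteA-SiteB"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 10.1.2.0 255.255.255.0
    next
end

# Site B FortiGate: the mirror image of the selector above, or the
# second SA will never be negotiated and Wi-Fi traffic is still dropped
config vpn ipsec phase2-interface
    edit "SiteB-SiteA-002"
        set phase1name "SiteB-SiteA"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.1.2.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Verify on either end that both phase 2 selectors are installed and that the
# new one's encapsulation counters increase when a Wi-Fi client pings Site A
diagnose vpn tunnel list name SiteA-SiteB
```

Leaving the selectors at 0.0.0.0/0, as the original poster ended up doing, also works, but then the firewall policies on the tunnel interface are the only thing restricting which subnets may cross it, so keep their source and destination address groups specific.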
Thanks all
I edited the phase 2 VPN and used unset to unset the IP ranges; this took them back to 0.0.0.0/0, and it is now working as expected.