Hello,
I struggle with a site-to-site VPN tunnel between 2 locations. I use Watchguard Firebox XM200 and Fortigate 30E. It looks like this:
WatchGuard 192.168.0.1 (or 1.1) ----------> net ------------> Fortigate 30E 10.113.14.1
Traffic goes only from 192.168.0.1 to 10.113.14.1, the opposite site doesn't work at all, I cannot even ping anything. The better explanation below:
Here is the setup from FGT:
And here is Watchguard:
BOVPN Gateway Settings: T Tunnels: T IKE Version: IKEv1 Credential Method: Pre-shared Key Endpoints Endpoint 1 Local Interface: WAN-FC_ Local ID: 77. (IP Address) Remote IP Address: 91. Remote ID: 91. (Domain Name) (when set as IP address it gives ID error) Phase 1 Settings Mode: Main NAT Traversal: Disabled IKE Keep-alive: Disabled Dead Peer Detection: Enabled (20 second timeout, 5 max retries) Auto Start: Yes Transforms Transform: 1 Authentication: MD5 Encryption: DES SA Life: 24 hours Key Group: Diffie-Hellman Group 5 BOVPN Tunnel Settings: T BOVPN Gateway: T Tunnel Routes Route 1 Local: Any Remote: 10.113.14.0/24 Direction: bi-directional Allow Broadcast: No Route 2 Local: Any Remote: 10.10.6.0/26 Direction: bi-directional Allow Broadcast: No Route 3 Local: Any Remote: 10.10.6.128/28 Direction: bi-directional Allow Broadcast: No Phase 2 Settings Perfect Forward Secrecy: Enabled (Diffie-Hellman Group 14) IPSec Proposals Proposal 1 Name: ESP-DES-MD5 Type: ESP Authentication: MD5 Encryption: DES Key Expiration: 8 hours Multicast Settings Multicast over tunnel: Disabled Origination IP: Group IP: Send multicast traffic on: Receive multicast traffic on: Helper Addresses Local IP: Remote IP: And of course Any policy on firewall both sides (allow.in & allow.out). Here is how it works: there are no VPN tunnel errors, tunnels are up, I have full access from Watchguard to Fortigate, all ports and protocols, but from the other side I can't even ping 192.168.0.1 or 192.168.1.1. In Fortiview I can see that packets go to RA tunnel, but I cannot see anything coming at Watchguards Traffic Monitor. I desperately need help!
Thanks for quick reply! I've just defined it as 192.168.0.0/24, tunnel is up, but still no traffic from one side:
Pinging 10.113.14.150 from 192.168.0.40 and opposite site:
In addition:
Destination interface is RA_DC interface tunnel, so this one looks fine, but there is no trace of these packets on WatchGuard traffic monitor (log on both in & out firewall policies is on).
There is no static route on Watchguard, but I have like 10 tunnels active and they work just fine without it. Policies on watchguard look like this:
VPN tunell -----> any
any -----> VPN tunell
Every port and protocol. I tried different things, but still no luck :(
Adding static route on WatchGuard looks like this:
So it's a static route for outgoing traffic, but this one already works. On Fortigate it looks like this:
Remote subnet address pool consist 192.168.0.0/16. Adding this route allowed traffic from WG to FGT
Hi,
Thanks for the replies!
@ashik I'd love to give you that access, but it's a corporate network and I'd get fired the very next day :( But, thank you for your will to help, I really appreciate it!
@Prab
The results shocked me:
Thanks for the advice! It looks like the FGT settings are the problem since they block traffic from LAN hosts. Can you give me an idea what can be wrong? Both firewall policies look like this:
(vlan group) --> tunnel address
tunnel address --> (vlan group)
[pictures in my first post]
EDIT:
Gentelman, I finally solved it. I just needed to turn off NAT in FGT firewall policy settings. Works like a charm!
Thank you very much for your help!
I can't believe it was THAT easy and I couldn't figure it out for a few days.
