Hello,
I struggle with a site-to-site VPN tunnel between 2 locations. I use Watchguard Firebox XM200 and Fortigate 30E. It looks like this:
WatchGuard 192.168.0.1 (or 1.1) ----------> net ------------> Fortigate 30E 10.113.14.1
Traffic goes only from 192.168.0.1 to 10.113.14.1, the opposite site doesn't work at all, I cannot even ping anything. The better explanation below:
Here is the setup from FGT:
And here is Watchguard:
BOVPN Gateway Settings: T Tunnels: T IKE Version: IKEv1 Credential Method: Pre-shared Key Endpoints Endpoint 1 Local Interface: WAN-FC_ Local ID: 77. (IP Address) Remote IP Address: 91. Remote ID: 91. (Domain Name) (when set as IP address it gives ID error) Phase 1 Settings Mode: Main NAT Traversal: Disabled IKE Keep-alive: Disabled Dead Peer Detection: Enabled (20 second timeout, 5 max retries) Auto Start: Yes Transforms Transform: 1 Authentication: MD5 Encryption: DES SA Life: 24 hours Key Group: Diffie-Hellman Group 5 BOVPN Tunnel Settings: T BOVPN Gateway: T Tunnel Routes Route 1 Local: Any Remote: 10.113.14.0/24 Direction: bi-directional Allow Broadcast: No Route 2 Local: Any Remote: 10.10.6.0/26 Direction: bi-directional Allow Broadcast: No Route 3 Local: Any Remote: 10.10.6.128/28 Direction: bi-directional Allow Broadcast: No Phase 2 Settings Perfect Forward Secrecy: Enabled (Diffie-Hellman Group 14) IPSec Proposals Proposal 1 Name: ESP-DES-MD5 Type: ESP Authentication: MD5 Encryption: DES Key Expiration: 8 hours Multicast Settings Multicast over tunnel: Disabled Origination IP: Group IP: Send multicast traffic on: Receive multicast traffic on: Helper Addresses Local IP: Remote IP: And of course Any policy on firewall both sides (allow.in & allow.out). Here is how it works: there are no VPN tunnel errors, tunnels are up, I have full access from Watchguard to Fortigate, all ports and protocols, but from the other side I can't even ping 192.168.0.1 or 192.168.1.1. In Fortiview I can see that packets go to RA tunnel, but I cannot see anything coming at Watchguards Traffic Monitor. I desperately need help!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
ITadm wrote:One last strange thing, on policy .in on FGT NAT has to be ON while on policy .out it has to be OFF and then it works properly. When I turn off NAT on policy .in I can ping 50% of workstations in the same VLAN. I have to learn more to understand it :D
Thank you and Best Regards!
Hi ITAdm,
Congratulations that you resolved the issue.
Regarding NAT, you might consider and review the complete network setup. Configuring NAT on the gateway is not all what you need. Review the configuration of the network clients too. Some times the gateway is configured properly but the clients or the remote firewall is mis-configured. Also, do not forget that client machine have in-built firewalls too. eg: Windows machines with windows firewall, also blocks a lot of stuff by default. ;)
you could use the following command on FGT's CLI to confirm if the NAT is performed properly:
diagnose sys session list
Hope it helps!
Prab
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.