Support Forum
waaalex
New Contributor III

[SOLVED] VPN site to site and ping

Hello all,

I've got a VPN site to site.

I had policies to join another network, VPN is up, everything seems to be ok and i can RDP a remote PC.

But ping doesn't work.

 

In debug, I see that only on the "start" router, nothing on the remote router. tracert shows me that ping does not pass through IPsec...

 

log tracert

id=20085 trace_id=91 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=17, 10.0.5.71:137->200.200.4.12:137) from port1. "
id=20085 trace_id=91 func=init_ip_session_common line=4517 msg="allocate a new session-005e8fd0"
id=20085 trace_id=91 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-XX.XX.XX.XX via wan1"
id=20085 trace_id=91 func=fw_forward_handler line=554 msg="Denied by forward policy check (policy 0)"

log ping

id=20085 trace_id=122 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=1, 10.0.5.151:1->200.200.4.12:8) from port1. code=8, type=0, id=1, seq=539."
id=20085 trace_id=122 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-005eef10, original direction"
id=20085 trace_id=122 func=ipv4_fast_cb line=50 msg="enter fast path"
id=20085 trace_id=122 func=ip_session_run_all_tuple line=5489 msg="SNAT 10.0.5.151->XX.XX.XX.XX:62464"

 

I'm missing something but what?

Thank you.
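An added example, not part of the thread, that parses the two debug-flow traces quoted above and reports the signs that the traffic is not reaching the tunnel (route chosen via wan1, SNAT applied, no matching forward policy). The remote subnet 200.200.4.0/24 and the tunnel interface name to_remote_site are assumed values, not taken from the post.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: the decisive lines from the two "diagnose debug flow"
# traces quoted in the post, with the public address redacted as the poster left it.
SAMPLE_FLOW = """
id=20085 trace_id=91 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=17, 10.0.5.71:137->200.200.4.12:137) from port1. "
id=20085 trace_id=91 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-XX.XX.XX.XX via wan1"
id=20085 trace_id=91 func=fw_forward_handler line=554 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=122 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=1, 10.0.5.151:1->200.200.4.12:8) from port1. code=8, type=0, id=1, seq=539."
id=20085 trace_id=122 func=ip_session_run_all_tuple line=5489 msg="SNAT 10.0.5.151->XX.XX.XX.XX:62464"
"""

TRACE_RE = re.compile(r'trace_id=(\d+) .*msg="(.*)"')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\w+)')
ROUTE_RE = re.compile(r'find a route: .*via (\w+)')

def parse_flow(text):
    # One dict per trace_id: protocol, endpoints, egress interface, SNAT, denial.
    traces = defaultdict(dict)
    for m in TRACE_RE.finditer(text):
        tid, msg = m.groups()
        t = traces[tid]
        if pkt := PKT_RE.search(msg):
            t.update(proto=int(pkt[1]), src=pkt[2], dst=pkt[3], ingress=pkt[4])
        if route := ROUTE_RE.search(msg):
            t['egress'] = route[1]             # interface the route lookup picked
        if msg.startswith(('SNAT', 'Denied')):
            t[msg.split()[0].lower()] = True   # 'snat' or 'denied'
    return dict(traces)

def check_vpn_path(traces, remote_net, tunnel_if):
    # Flag traffic for the remote site that shows signs of bypassing the tunnel
    # (remote_net and tunnel_if are the reader's own values, not from the post).
    net = ipaddress.ip_network(remote_net)
    findings = {}
    for tid, t in traces.items():
        if 'dst' not in t or ipaddress.ip_address(t['dst']) not in net:
            continue
        problems = []
        if t.get('egress') and t['egress'] != tunnel_if:
            problems.append(f"routed via {t['egress']}, not {tunnel_if}")
        if t.get('snat'):
            problems.append('SNAT applied, so it left via the WAN, not the tunnel')
        if t.get('denied'):
            problems.append('no forward policy matches this interface pair')
        if problems:
            findings[tid] = problems
    return findings
```

Running `check_vpn_path(parse_flow(SAMPLE_FLOW), '200.200.4.0/24', 'to_remote_site')` reports both traces: trace 91 is routed via wan1 and denied, trace 122 is source-NATed, which is exactly the pattern of a destination that has no route into the tunnel.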

17 REPLIES
Paul_S
Contributor

Are you certain ICMP is allowed in the policy? If you have ALL in the policy, try adding TCP/UDP/ICMP and see what happens.

FG200D 5.6.5 (HA) - primary FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+

waaalex
New Contributor III

Paul S wrote:

Are you certain ICMP is allowed in the policy? If you have ALL in the policy, try adding TCP/UDP/ICMP and see what happens.

Thank you for your answer.

 

Yes, ICMP is allowed; I've allowed the PING service, which is the ICMP type 8 protocol.

I don't have TCP/UDP/ICMP, but I have TCP/UDP/SCTP.

 

Note: the start router is a Forti 100D and the remote is a 30D.

Ping is OK for the other remote network but not on the network that I've added.

Chura
New Contributor

Can you run diag sniffer packet on the remote site?

If the debug above is from the sending FW, it's going out.

//Chura CCIE, NSE7, CCSE+
waaalex
New Contributor III

Chura wrote:

Can you run diag sniffer packet on the remote site?

If the debug above is from the sending FW, it's going out.

I launched this command but do not see any ICMP protocol for the remote network.

When I run a tracert, it does not go through the VPN; it's going out there and getting lost.

I have retested RDP and it's working well.

80/443 is also working.

Chura
New Contributor

tracert is being denied, so you won't see it go anywhere.

Please run diag sniffer packet any 'icmp'

You may be missing the ICMP because it's being NAT translated.

 

P.S. Why do you NAT between VPN networks? It's not the best practice.

Unless it's a must due to network design, I highly recommend disabling this and adding the relevant routing.

//Chura CCIE, NSE7, CCSE+
waaalex
New Contributor III

Chura wrote:

tracert is being denied, so you won't see it go anywhere.

Please run diag sniffer packet any 'icmp'

You may be missing the ICMP because it's being NAT translated.

 

P.S. Why do you NAT between VPN networks? It's not the best practice.

Unless it's a must due to network design, I highly recommend disabling this and adding the relevant routing.

Thanks, I can see the echo request from the source router but nothing on the remote router.

 

I did not configure NAT between the VPNs; it's our IT provider. Where can you see that NAT is configured?

I'm not an expert with Fortinet ^^

On all other VPN networks it works. I will ask our provider why he has configured NAT on the VPN. I can't change it.

 

Chura
New Contributor

id=20085 trace_id=122 func=ip_session_run_all_tuple line=5489 msg="SNAT 10.0.5.151->XX.XX.XX.XX:62464"

//Chura CCIE, NSE7, CCSE+
emnoc
Esteemed Contributor III

FWIW, if the pings and traceroute are from the VPN firewall, you may need to source them to use the VPN IPsec tunnel.

 

Use the following:

 

execute ping-options source

 

The pings are probably going out the public interface of the WAN and not over the IPsec path. If you used an IPsec tunnel interface (phase1-interface), then you can dump on the tunnel name in your diagnostic sniffer packet <insert tunnel name> "icmp"

 

To double check. I hope this helps.

 

Ken

 

 

PCNSE NSE StrongSwan
waaalex
New Contributor III

emnoc wrote:

FWIW, if the pings and traceroute are from the VPN firewall, you may need to source them to use the VPN IPsec tunnel.

Use the following:

execute ping-options source

The pings are probably going out the public interface of the WAN and not over the IPsec path. If you used an IPsec tunnel interface (phase1-interface), then you can dump on the tunnel name in your diagnostic sniffer packet <insert tunnel name> "icmp"

To double check. I hope this helps.

Ken

 

Hello,

The command execute ping-options source did nothing.

I have already executed sniffer packet. From the source, I can see the ICMP request. On the remote, nothing.

 

And yes, when I do a tracert to see where the ping is going, it does not pass through the VPN, and RDP is OK. It's very strange.

Note that I can ping machines on another network via the same VPN. I don't know if the problem comes from the policy or from the VPN.
