Hi All!
I'm testing security fabric and I'm having some trouble to get it working. I have set up my core and a branch FGs to work with security fabric, through an IPSec tunnel. The interfaces are configured as many documentations on the web and I see the packets comming from branch with IP of core firewall, on destination port 8013. The thing is that my core firewall does not respond to these packets.
I've searched for troubleshooting commands, but they are few and not that useful.
Additionally: is it REQUIRED to have IP Address on the IPSec interface? Because I do not see why it should be required.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Did you run diag debug flow to see why the core FG is not responding ?
I don't know which documentation did you follow but here is an example:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/75456/configuring-tunnel-interfaces
I think an IP address is required on the IPSEC interface because the fortigate itself is initiating traffic and it needs an IP on the tunnel interface to be able to communicate.
Hello, Hatimux!
Actually, I did a sniffing analysys and discovered that the mu branch FG was sending the packets with the Wan IP Address as the source-addr. I added this address on my phase 2 configuration and it didn't succeeded.
It only worked when I configured IP addresses in the IPSec interface in both sides, in a lab enviroment. It seems that yes, it is mandatory. This is a sad thing, because we do not use addresses on our IPSec interfaces normally, as it is not needed for traffic to flow.
Fortinet could handle this by giving an option to change de source address, as we have, for example,
LDAP or RADIUS server.
I normally create a loopback interface on the core FGT, create an allow policy from VPN to loopback on the core, then ensure the remote sites have routes to this loopback via the VPN, then have a SDWAN rule on the remote sites to send the loopback traffic via the VPN/SDWAN overlay.
This will still need IP addresses on the IPSEC VPNs, but if you're doing dialup VPNs you can use mode-config and have the branch offices get an IP address automatically so you don't have to manage them.
The thing is that we are not intending to configure ip addresses on the IPSec interfaces of all equipments we have. We do not use dial up VPN's but as well we would need to have an effort on configuring the interface adddresses, and that is something I was trying to avoid.
It is a good ideia to have a loopback interface for that. May Fortinet has an reason to not allow this traffic with no addresses. Who knows...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1558 | |
1033 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.