matteocostanzo
New Contributor II

See network to another fortinet VPN

With Fortinet, is it possible to see a network of an IPsec VPN configured on another Fortinet?

Obviously, between the two Fortinets I have an IPsec VPN available.

I would like, from network X, to see network Y, which is in a VPN on the Fortinet that is not my gateway but another Fortinet.

Is it possible?

[Image: network x to network y.png]


AEK
SuperUser

Add a firewall rule:

    - source: ssl-vpn

    - destination: ipsec / network y

Configure your ssl-vpn setting to push to your vpn clients an additional route to network Y.

matteocostanzo
New Contributor II

I am not using the SSL VPN client but all IPsec tunnels. Is it possible to route the thing with this setup? The first firewall routes traffic to the second, but the second doesn't seem to get anything to route back, even if the VPN is active.

knagaraju
Staff

Hello Matteocostanzo,

On FGT2, may I know if you have the routes and policies in place?
Also, please make sure NAT is disabled in the firewall policies.
Since the tunnel is up, there are only two possible things that you need to look into:

1. Firewall policy.
2. Route.

Please take debug on FGT2 to see what is happening.

matteocostanzo

Unfortunately, I'm new to the Fortinet world.
I've come from years and years of working with WatchGuard,
but now I have to use Fortinet.

I'm sure I have disabled NAT in the policies.
I also wrote the static routes.

But I don't understand how to see the log.

Can you help me? In WatchGuard there is a screen where I see all the traffic passing through the device. Is there something similar in Fortinet?

knagaraju
Staff

Below are the debug commands, which are to be executed in the FortiGate CLI.

# diagnose debug reset

# diagnose debug flow filter saddr x.x.x.x
# diagnose debug flow filter daddr y.y.y.y

# diagnose debug flow show function-name enable

# diagnose debug flow trace start 100
# diagnose debug enable

NOTE: x.x.x.x is the source IP address and y.y.y.y is the destination IP address.

Please disable the debugs with the below commands:

# diagnose debug disable
# diagnose debug reset

matteocostanzo

Very nice, exactly that.

If from PC X I ping PC Y,
I found that I stop at the first firewall (FW A).

This is the log. What am I doing wrong?

id=65308 trace_id=10 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 10.80.218.32:1->192.168.50.241:2048) tun_id=0.0.0.0 from WiFi-Office. type=8, code=0, id=1, seq=457."
id=65308 trace_id=10 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00580112, original direction"
id=65308 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=10 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VersoAzureHA, tun_id=0.0.0.0"
id=65308 trace_id=10 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VersoAzureHA vrf 0"
id=65308 trace_id=10 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
id=65308 trace_id=11 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 10.80.218.32:1->192.168.50.241:2048) tun_id=0.0.0.0 from WiFi-Office. type=8, code=0, id=1, seq=458."
id=65308 trace_id=11 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00580112, original direction"
id=65308 trace_id=11 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=11 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VersoAzureHA, tun_id=0.0.0.0"
id=65308 trace_id=11 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VersoAzureHA vrf 0"
id=65308 trace_id=11 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
id=65308 trace_id=12 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 10.80.218.32:1->192.168.50.241:2048) tun_id=0.0.0.0 from WiFi-Office. type=8, code=0, id=1, seq=459."
id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00580112, original direction"
id=65308 trace_id=12 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=12 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VersoAzureHA, tun_id=0.0.0.0"
id=65308 trace_id=12 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VersoAzureHA vrf 0"
id=65308 trace_id=12 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"

[Image: network x to network y.png]

knagaraju
Staff


The error is "No matching IPsec selector, drop", which means the below IP subnets are not added as local subnets and remote subnets in the phase 2 selectors of IPsec tunnel VersoAzureHA:

10.80.218.32:1->192.168.50.241 from WiFi-Office. type=8, code=0

Please add the above subnets as local subnets and remote subnets in the phase 2 selectors on both ends of the tunnels.
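As an added illustration, not part of this thread and not Fortinet's own code, the following Python script ties the debug procedure posted earlier to this solution: it parses the `diagnose debug flow` output shown above, finds each "No matching IPsec selector, drop" event, and checks the dropped packet against a modelled phase 2 selector table the way the FortiGate does on egress (source inside a local subnet AND destination inside the paired remote subnet of the tunnel the packet was routed to). The BEFORE/AFTER selector contents, the 10.1.0.0/16 placeholder subnet and the /24 prefix used to widen host addresses into subnets are assumptions for the example; use your real subnets.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: one ICMP echo trace of the kind the
# "diagnose debug flow" output in the thread shows, trimmed to one trace_id.
SAMPLE_TRACE = """\
id=65308 trace_id=10 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 10.80.218.32:1->192.168.50.241:2048) tun_id=0.0.0.0 from WiFi-Office. type=8, code=0, id=1, seq=457."
id=65308 trace_id=10 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00580112, original direction"
id=65308 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=10 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VersoAzureHA, tun_id=0.0.0.0"
id=65308 trace_id=10 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VersoAzureHA vrf 0"
id=65308 trace_id=10 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
"""

PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\)")
TUN_RE = re.compile(r"output to IPSec tunnel (\S+)")
DROP_MSG = "No matching IPsec selector, drop"

# Assumed phase 2 selectors on FW A, as (local subnet, remote subnet) pairs per tunnel.
# BEFORE: only FW B's own LAN (hypothetical 10.1.0.0/16) is reachable over the tunnel.
BEFORE = {"VersoAzureHA": [("10.80.218.0/24", "10.1.0.0/16")]}
# AFTER: the pair covering network X -> network Y has been added, as the solution says.
AFTER = {"VersoAzureHA": BEFORE["VersoAzureHA"] + [("10.80.218.0/24", "192.168.50.0/24")]}


def parse_trace(text):
    """Group debug-flow lines by trace_id and pull out the fields that matter for
    a selector drop: protocol, src, dst, the egress tunnel, and the drop flag."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        tid = re.search(r"trace_id=(\d+)", line)
        if not tid:
            continue
        t = traces[tid.group(1)]
        pm = PKT_RE.search(line)
        if pm:
            t["proto"], t["src"], t["dst"] = int(pm.group(1)), pm.group(2), pm.group(3)
        tm = TUN_RE.search(line)
        if tm:
            t["tunnel"] = tm.group(1)
        if DROP_MSG in line:
            t["selector_drop"] = True
    return [{"trace_id": k, "selector_drop": False, **v} for k, v in traces.items()]


def selector_matches(selectors, tunnel, src, dst):
    """Phase 2 selector check as applied on egress: src must fall inside a local
    subnet AND dst inside the paired remote subnet of the same selector, on the
    tunnel the packet was routed to. Any other tunnel's selectors are irrelevant."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors.get(tunnel, []):
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return True
    return False


def required_pair(src, dst, prefix=24):
    """Widen the dropped packet's addresses into the (local, remote) subnet pair
    to add on this end. The /24 is an assumption; use the real subnet sizes."""
    local = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    remote = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
    return str(local), str(remote)


def diagnose(text, selectors):
    """For each selector drop in the trace, report the tunnel and the packet, whether
    the given selector table would have matched it, and the pair to add on each end
    (the far end needs the mirror image, since its local subnet is our remote)."""
    findings = []
    for t in parse_trace(text):
        if not t["selector_drop"]:
            continue
        near = required_pair(t["src"], t["dst"])
        findings.append({
            "trace_id": t["trace_id"],
            "tunnel": t["tunnel"],
            "src": t["src"],
            "dst": t["dst"],
            "covered_by_config": selector_matches(selectors, t["tunnel"], t["src"], t["dst"]),
            "add_near_end": near,
            "add_far_end": (near[1], near[0]),
        })
    return findings


if __name__ == "__main__":
    for label, table in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        for f in diagnose(SAMPLE_TRACE, table):
            print(f"[{label}] trace {f['trace_id']}: {f['src']} -> {f['dst']} via {f['tunnel']}, "
                  f"covered={f['covered_by_config']}, near={f['add_near_end']}, far={f['add_far_end']}")
```

The script is a model of the selector logic, not a replacement for checking the FortiGate itself. On the hub-and-spoke topology in this thread the same check has to hold twice: FW A's tunnel to FW B must carry X to Y, and FW B's tunnel towards network Y must carry X as well, or the reply path dies at FW B with the same message.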

matteocostanzo

Thanks a lot, it works.

knagaraju
Staff

You are most welcome. Hope the issue got resolved. 
