With Fortinet, is it possible to see a network of an IPsec VPN configured on another Fortinet?
Obviously, between the two Fortinets I have an IPsec VPN available.
I would like, from network X, to see network Y, which is in a VPN on the Fortinet that is not my gateway but another Fortinet.
Is it possible?
Add a firewall rule:
- source: ssl-vpn
- destination: ipsec / network Y
Configure your SSL-VPN settings to push an additional route to network Y to your VPN clients.
I am not using the SSL VPN client but IPsec tunnels everywhere. Is it possible to route the thing with this setup? The first firewall routes traffic to the second, but the second doesn't seem to get anything to route back, even if the VPN is active.
Hello Matteocostanzo,
On FGT2, may I know if you have the routes and policies in place?
Also, please make sure NAT is disabled in the firewall policies.
Since the tunnel is up, there are only two possible things that you need to look into:
1. Firewall policy.
2. Route.
Please take a debug on FGT2 to see what is happening.
Unfortunately I'm new to the Fortinet world.
I've come from years and years of WatchGuarding,
but now I have to use Fortinet.
I'm sure I have disabled NAT in the policies.
I also wrote the static routes,
but I don't understand how to see the log.
Can you help me? In WatchGuard there is a screen where I see all the traffic passing through the device. Is there something similar in Fortinet?
Below are the debug commands, which are to be executed in the FortiGate CLI.
# diagnose debug reset
# diagnose debug flow filter saddr x.x.x.x
# diagnose debug flow filter daddr y.y.y.y
# diagnose debug flow show function-name enable
# diagnose debug flow trace start 100
# diagnose debug enable
NOTE: x.x.x.x is the source IP address and y.y.y.y is the destination IP address.
Please disable the debugs with the commands below:
# diagnose debug disable
# diagnose debug reset
Very nice.
Exactly that.
If from PC X I ping PC Y,
I found that I stop at the first firewall (FW A).
This is the log. What am I doing wrong?
id=65308 trace_id=10 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 10.80.218.32:1->192.168.50.241:2048) tun_id=0.0.0.0 from WiFi-Office. type=8, code=0, id=1, seq=457."
id=65308 trace_id=10 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00580112, original direction"
id=65308 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=10 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VersoAzureHA, tun_id=0.0.0.0"
id=65308 trace_id=10 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VersoAzureHA vrf 0"
id=65308 trace_id=10 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
id=65308 trace_id=11 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 10.80.218.32:1->192.168.50.241:2048) tun_id=0.0.0.0 from WiFi-Office. type=8, code=0, id=1, seq=458."
id=65308 trace_id=11 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00580112, original direction"
id=65308 trace_id=11 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=11 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VersoAzureHA, tun_id=0.0.0.0"
id=65308 trace_id=11 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VersoAzureHA vrf 0"
id=65308 trace_id=11 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
id=65308 trace_id=12 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 10.80.218.32:1->192.168.50.241:2048) tun_id=0.0.0.0 from WiFi-Office. type=8, code=0, id=1, seq=459."
id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00580112, original direction"
id=65308 trace_id=12 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=12 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VersoAzureHA, tun_id=0.0.0.0"
id=65308 trace_id=12 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VersoAzureHA vrf 0"
id=65308 trace_id=12 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
The error is "No matching IPsec selector, drop", which means the IP subnets below are not added as local subnets and remote subnets in the phase 2 selectors of IPsec tunnel VersoAzureHA:
10.80.218.32:1->192.168.50.241 from WiFi-Office. type=8, code=0
Please add the above subnets as local subnets and remote subnets in the phase 2 selectors on both ends of the tunnel.
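As an added example (not code from the thread, from Fortinet, or from the posters), the Python script below covers both the debug-flow procedure posted earlier and the selector fix in this answer: it parses the trace lines copied from the thread, reports which function dropped the packet and into which tunnel it was being sent, checks a packet tuple against a list of configured phase 2 selector pairs, and prints the mirrored `config vpn ipsec phase2-interface` stanza for both tunnel ends. The /24 prefix used to widen the two host addresses into subnets, the phase 2 entry name, and the assumption that both FortiGates use the same phase 1 name are illustrative assumptions; the thread never states the real masks.

```python
"""Triage FortiGate 'diagnose debug flow' output for IPsec phase 2 selector drops.

Added example for this thread, not FortiGate code. Assumptions are labelled inline.
"""
import ipaddress
import re
from collections import OrderedDict

# Trace lines for trace_id=10, copied from the thread (FortiOS debug flow output).
SAMPLE_TRACE = """\
id=65308 trace_id=10 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 10.80.218.32:1->192.168.50.241:2048) tun_id=0.0.0.0 from WiFi-Office. type=8, code=0, id=1, seq=457."
id=65308 trace_id=10 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00580112, original direction"
id=65308 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=10 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VersoAzureHA, tun_id=0.0.0.0"
id=65308 trace_id=10 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VersoAzureHA vrf 0"
id=65308 trace_id=10 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
"""

LINE_RE = re.compile(r'id=\d+ trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)'
                    r'(?: tun_id=\S+)? from (?P<iface>\S+?)\.(?:\s|$)')
TUN_RE = re.compile(r'enter IPSec interface (?P<tunnel>\S+),')


def parse_trace(text):
    """Group trace lines by trace_id; record src/dst, ingress interface, tunnel and the last step."""
    flows = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # CLI echo, blank line or a non-trace message: skip it
        f = flows.setdefault(int(m.group("trace")), {
            "src": None, "dst": None, "proto": None, "ingress": None, "tunnel": None,
            "last_func": None, "last_msg": None, "verdict": "no drop recorded"})
        func, msg = m.group("func"), m.group("msg")
        pm = PKT_RE.search(msg)
        if pm:
            f.update(src=pm.group("src"), dst=pm.group("dst"),
                     proto=int(pm.group("proto")), ingress=pm.group("iface"))
        tm = TUN_RE.search(msg)
        if tm:
            f["tunnel"] = tm.group("tunnel")
        f["last_func"], f["last_msg"] = func, msg
        # FortiOS states the drop reason in the message text ("... drop", "Denied by ...").
        if "drop" in msg.lower() or "denied" in msg.lower():
            f["verdict"] = "drop"
    return flows


def selector_matches(src, dst, selectors):
    """True if (src, dst) is covered by any configured (src_subnet, dst_subnet) phase 2 pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(ls, strict=False) and d in ipaddress.ip_network(rs, strict=False)
               for ls, rs in selectors)


def proposed_selector(flow, prefixlen=24):
    """Widen the dropped packet's src/dst into subnets (the prefix length is an assumption)."""
    local = ipaddress.ip_network(f"{flow['src']}/{prefixlen}", strict=False)
    remote = ipaddress.ip_network(f"{flow['dst']}/{prefixlen}", strict=False)
    return str(local), str(remote)


def phase2_cli(phase1name, name, src_subnet, dst_subnet):
    """FortiOS CLI stanza adding one phase 2 selector to an interface-mode tunnel."""
    s = ipaddress.ip_network(src_subnet, strict=False)
    d = ipaddress.ip_network(dst_subnet, strict=False)
    return "\n".join([
        "config vpn ipsec phase2-interface",
        f'    edit "{name}"',
        f'        set phase1name "{phase1name}"',
        f"        set src-subnet {s.network_address} {s.netmask}",
        f"        set dst-subnet {d.network_address} {d.netmask}",
        "    next",
        "end",
    ])


def mirrored_phase2(phase1name, name, local, remote):
    """Both ends: what is local on FGT A must be remote on FGT B (same phase 1 name assumed)."""
    return {"A": phase2_cli(phase1name, name, local, remote),
            "B": phase2_cli(phase1name, name, remote, local)}


if __name__ == "__main__":
    for tid, f in parse_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: {f['src']} -> {f['dst']} from {f['ingress']} into tunnel {f['tunnel']}: "
              f"{f['verdict']} at {f['last_func']} ({f['last_msg']})")
        if f["verdict"] == "drop" and "selector" in f["last_msg"].lower():
            local, remote = proposed_selector(f)  # assumed /24, see above
            print(f"no phase 2 selector covers {f['src']} -> {f['dst']}; add on both ends:")
            for side, cli in mirrored_phase2(f["tunnel"], f["tunnel"] + "-p2-2", local, remote).items():
                print(f"--- FGT {side} ---\n{cli}")
```

Two things the trace itself establishes and the script makes visible: the packet had already passed routing and policy on FW A (it reached `ipsecdev_hard_start_xmit` for VersoAzureHA), so the static routes and NAT-free policies were not the problem on that side; and the drop happens in `ipsec_common_output4`, which is where the selector check lives, so the fix is a selector pair on FW A plus its mirror image on the far end, not another route or policy.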
Thanks a lot, it works.
You are most welcome. I hope the issue is resolved.
Copyright 2024 Fortinet, Inc. All Rights Reserved.