Setting source-IP on IPSEC VPN interface
Several cookbooks and VPN manuals reference the following in their troubleshooting sections:
"On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source-IP. In this scenario, you must assign an IP address to the virtual IPSEC VPN interface. Anything sourced from the FortiGate going over the VPN will use this IP address."
How do I set the source-IP of my IPSEC VPN interface? I'd like to be able to ping from our firewalls to each other after creating the tunnel.
Go to the GUI "Network->Interface", select your tunnel interface name and then "Edit".
There should be an "Address" section that includes "IP" and "Remote IP". You can use any IPs, but both go into the routing table as connected /32 routes. Then make sure you allow "PING" in the "Restrict Access" section.
I don't think the GUI exposes the source IP for IPsec interface VPNs in 5.4.x. It only allows you to set the remote IP. I have set my local IP through the CLI as follows:
conf vpn ipsec phase1-interface
edit <ipsec-name>
set local-gw IP.IP.IP.IP
end
It should let you. The attachment is from my home FG50E w/ 5.4.6.
Ah, interface IP vs IPsec gateway IP. Thanks for the info, Toshi.
Toshi, I did what you said.
IP: 10.255.255.17
remote IP: 10.255.255.18/30
On the other device I did the same, only changing the IPs. I checked the PING access on both interfaces.
But it doesn't work.
What did I miss?
Are you running 5.6.3? Otherwise you shouldn't be able to set the prefix length /30 on remote-ip as I showed in the GUI. My 50E is on 5.4.8.
And is the other end supposed to be pingable? Another FG or something else? If it's supposed to be but still isn't pingable, the tunnel is not up. Is the tunnel actually up?
Hi Toshi,
Yes, both FortiGate devices are on 5.6.3.
Both are pingable.
The tunnel is up and running.
I was thinking that maybe the IPs which I set on the VPN interfaces should belong to the networks which are configured to pass through the tunnel? I haven't tested yet.
Check the routing table (get router info routing-t all, or database). Even if there are some supernets, you wouldn't have the same /30 or /32 subnet in it. Both sides should show up in the table with 'C' (connected) and with the VPN interface name.
Also check the trusthost too.
Everything you said was fine. But finally I found the issue: the addressing that you use at the ends of the tunnel has to belong to the addressing which is configured to pass through the tunnel (phase 2).
Now everything is working, thanks for the help!!!
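Putting the thread's answer together as an added configuration example (not posted by anyone in the thread): the interface addresses from Toshi's reply, the phase 2 selector set the original poster started with, and the extra selector that made the tunnel endpoints pingable. The tunnel name "site-b", the two LAN subnets and the remote-LAN side are assumed for illustration; the tunnel addresses are the ones quoted in the thread, on FortiOS 5.6, and the peer needs the mirror-image configuration.

```fortios
# Added example, not from the thread. Tunnel name "site-b" and the
# 192.168.x.0/24 LAN subnets are assumed for illustration.

# 1. Addresses on the virtual IPsec interface. Both appear in the
#    routing table as connected routes on "site-b", and "ping" in
#    allowaccess is what the GUI calls PING under Restrict Access.
config system interface
    edit "site-b"
        set ip 10.255.255.17 255.255.255.255
        set remote-ip 10.255.255.18 255.255.255.252
        set allowaccess ping
    next
end

# 2. Phase 2 as the original poster first had it: only the LAN
#    subnets are selectors. A ping from 10.255.255.17 to
#    10.255.255.18 matches no selector, so it never enters the
#    tunnel even though the tunnel is up.
config vpn ipsec phase2-interface
    edit "site-b-lan"
        set phase1name "site-b"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# 3. The fix the thread arrived at: the tunnel endpoint addresses
#    must be covered by phase 2. A second selector for the /30
#    itself does that, mirrored on the peer.
config vpn ipsec phase2-interface
    edit "site-b-p2p"
        set phase1name "site-b"
        set src-subnet 10.255.255.16 255.255.255.252
        set dst-subnet 10.255.255.16 255.255.255.252
    next
end
```

After both sides are configured, "get router info routing-table all" should list the /30 as a C route on the tunnel interface, and "diagnose vpn tunnel list" should show both selector pairs negotiated before testing with "execute ping 10.255.255.18".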
