Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
shane95129
New Contributor

Site 2 Site Connects but can't connect to anything

Hi Everyone,

 

I currently have Site2Site IPSec setup between two devices:

FortiWifi30D 5.4.4

FortiGate60E 5.4.5

 

I followed the tutorial both here https://www.youtube.com/watch?v=vD_SA58FC60 and here http://cookbook.fortinet.com/site-to-site-ipsec-vpn-with-two-fortigates-5-4/

 

I am able to establish connection between the two, meaning in Monitor and VPN, the connection shows UP. Hoever I am unable to access any machines/fortigates on either side. Can't ping either.

 

Any help is appreciated.

 

Thanks!

 

 

1 REPLY 1
Toshi_Esumi
SuperUser
SuperUser

Although you can configure a site-to-site VPN via GUI/Wizard, which takes care of all aspects of IPSec VPN (1. IPsec config, 2. routes, 3. policies), if it doesn't work almost all debugging needs to be done through CLI. The first part of debug process/steps would like below:

1. verify if end-to-end (host-to-host) packets like pining you did is reaching to the other side by sniffing packets on the other side of FG w/ like "diag sniffer packet any 'host x.x.x.x' 4", which would show interface names the packet hits.

2. if it's getting to the other end and going out to the LAN interface but no returning packets, likely the default gateway on the host is not pointing to back to the local FG or Windows FW or something is blocking.

3. if it's not getting to the other end, you need to sniff the same on the source side of FG, if it's going into the tunnel. On 60E side you might need to disable npu-offload on the tunnel config or the policy to see all packets. Just google how to do it in CLI. It can't be done via GUI.

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors