imnuan
New Contributor

Site 2 Site VPN (Fortigate 70D to Netgear FVS318N)

Hi Everyone

I'm stuck with a site-to-site configuration. I was able to set up the tunnel between the Fortigate and the Netgear and configured the firewall rules, but I can't ping from either side. Has someone a similar configuration? What information do I have to provide here?


Regards

Christian

Joshua_MJ
New Contributor

Hey Christian, have you configured static routes on both routers? And also don't forget about the two policies to allow traffic back and forth...
imnuan

Good Morning


Yes, I have. But in all the docs it is written that I have to select VPN, and I don't see any VPN options when creating a route. I can only select Network.


Here is the network view:

wan1           46.xxx.xxx.xxx   255.255.254.0   Physical     AUTO-IPSEC   9
Road_Warroir   0.0.0.0          0.0.0.0         VPN Tunnel                3
S2S-Flue5      0.0.0.0          0.0.0.0         VPN Tunnel                4


Regards

Christian

Joshua_MJ

Hi, find attached an image of the Fortigate VPN tunnel creation. Also make sure that you configured the local and remote interfaces with the correct IP addresses.

imnuan

Hi 

This is my VPN config:

Somashekara_Hanumant

Hi,


Kindly collect the packets with the commands below to see where the packet is passing.

diag debug reset
diag debug enable
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter proto 1
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 200

Where x.x.x.x is a private IP behind the Netgear device.


After entering the above commands in the SSH session, try to ping x.x.x.x from your private IP address.

Cheers,

Somu

EMEA Technical Support
imnuan

Hi Somu

Here is the log:


id=20085 trace_id=17 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=26."
id=20085 trace_id=17 func=init_ip_session_common line=4569 msg="allocate a new session-0013e41b"
id=20085 trace_id=17 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.5.1 via S2S-Flue5"
id=20085 trace_id=17 func=fw_forward_handler line=671 msg="Allowed by Policy-4:"
id=20085 trace_id=17 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=17 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"
id=20085 trace_id=18 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=27."
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-0013e41b, original direction"
id=20085 trace_id=18 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.5.1 via S2S-Flue5"
id=20085 trace_id=18 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=18 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"
id=20085 trace_id=19 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=28."
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-0013e41b, original direction"
id=20085 trace_id=19 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=19 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"
id=20085 trace_id=20 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=29."
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=4479 msg="Find an existing session, id-0013e41b, original direction"
id=20085 trace_id=20 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=20 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"


Regards

Christian

emnoc
Esteemed Contributor III

Your problem should be obvious:

"No matching IPsec selector, drop"

Unless my eyes are bad, you defined a 255.255.255.255 (host mask) for your proxy IDs. Change that to a /24 or whatever subnet mask and you should have access.


PCNSE 

NSE 

StrongSwan  
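The flow trace Christian posted and emnoc's proxy-ID diagnosis, worked through as an added Python example that is not from the thread: it groups the "diag debug flow" lines by trace_id, pulls out every packet whose last step is a drop, and checks such a packet against a set of phase-2 (proxy-ID) selectors. The sample trace is a copy of the posted format, and both selector sets are assumed values, not the poster's real configuration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the thread's "diag debug flow" output (one trace).
SAMPLE_TRACE = """\
id=20085 trace_id=17 func=print_pkt_detail line=4420 msg="vd-root received a packet(proto=1, 192.168.222.144:1->192.168.5.1:8) from internal. code=8, type=0, id=1, seq=26."
id=20085 trace_id=17 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.5.1 via S2S-Flue5"
id=20085 trace_id=17 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-S2S-Flue5"
id=20085 trace_id=17 func=ipsec_common_output4 line=625 msg="No matching IPsec selector, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+')

def parse_flow(text):
    """Group flow lines by trace_id -> {"pkt": (proto, src, dst), "steps": [(func, msg), ...]}."""
    traces = defaultdict(lambda: {"pkt": None, "steps": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        trace = traces[int(tid)]
        trace["steps"].append((func, msg))
        p = PKT_RE.search(msg)
        if p:  # print_pkt_detail carries the tuple; keep proto, src and dst
            trace["pkt"] = (int(p.group(1)), p.group(2), p.group(3))
    return dict(traces)

def find_drops(traces):
    """Return (trace_id, src, dst, func, msg) for every trace whose last step reports a drop."""
    drops = []
    for tid, trace in sorted(traces.items()):
        func, msg = trace["steps"][-1]
        if "drop" in msg.lower() and trace["pkt"]:
            _, src, dst = trace["pkt"]
            drops.append((tid, src, dst, func, msg))
    return drops

def selector_matches(src, dst, selectors):
    """True if some (local, remote) phase-2 selector pair covers both packet addresses."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(loc) and d in ip_network(rem) for loc, rem in selectors)

# Assumed selector sets (not the poster's real config): a host-mask pair like the one emnoc
# spotted, and the /24 pair he recommended. The traced packet only fits the second set.
HOST_MASK_SELECTORS = [("192.168.222.1/32", "192.168.5.254/32")]
SUBNET_SELECTORS = [("192.168.222.0/24", "192.168.5.0/24")]
```

Running find_drops(parse_flow(SAMPLE_TRACE)) reports the dropped 192.168.222.144 to 192.168.5.1 echo request in ipsec_common_output4, and selector_matches shows it is covered by the /24 pair but not by the host-mask pair.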
imnuan
New Contributor

Good Morning

Problem solved. There were 2 issues. The first one was wrong subnet masking. The second was a wrong routing entry on the Netgear.


Thanks for all the help.


Regards

Christian

Joshua_MJ

Thanks Bra
