JakubP

Site to Site VPN FG60D and Mikrotik

I am in this situation. I created an IPsec site-to-site VPN with an FG60D v.5.2.9 and a MikroTik router. The tunnel is up and hosts in the routed subnets (FG 192.168.1.0/24, MikroTik 192.168.2.0/24) are reachable. Traffic is on. There is only one problem. From the FG60D (192.168.1.1) I am not able to ping anything in the MikroTik subnet. But from a PC (192.168.1.2) in the FG's LAN, ping works. From the MikroTik site everything works perfectly. Only from the FortiGate does ping get no response. What is the default source IP for traffic generated from the FortiGate?
2 Solutions
Somashekara_Hanumant

Hi,

When you try to generate the traffic from the 192.168.1.1 IP address, collect the packets with the commands below:

Session1:

diag debug reset
diag debug enable
diagnose debug flow filter saddr 192.168.1.1
diagnose debug flow filter daddr x.x.x.x
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 200

Session2:

diag sniff packet any 'host 192.168.1.1 and host x.x.x.x' 4 0 a

Where x.x.x.x is a destination IP address on the MikroTik side.

After starting the above commands in the SSH sessions, try to generate the traffic from 192.168.1.1.

Cheers

Somu

EMEA Technical Support

Toshi_Esumi

Try "execute ping-option source 192.168.1.1".

JakubP

Thanks to both of you,

Toshi, 100% right answer.

The FortiGate unit uses the IP address of the IPsec VPN interface for ping, and the MikroTik drops it.

By debugging, thanks to Somashekara, I found it.

Thanks to both
