Site to Site VPN from Forigate to sonicwall

prince · ‎02-26-2024

Hi Team.

I have configured site to site vpn with fortigate firewall and sonicwall firewall.

with this help of this link https://www.gns3network.com/how-to-configure-ipsec-tunnel-between-fortigate-and-sonicwall-firewall/ i configure site to site vpn .

after configuring vpn. both the phase1 and phase 2 tunnel are up in forigate and sonicwall.

but i cant able to access the sonicwall network lan or even i cant able to ping sonicwall lan network. from sonicwall lan i can able to access the fortigate lan interface.but from fortigate i cant not access sonicwall lan. can anyone guide me to solve this.

prince · ‎02-28-2024

Hi Hbac,

Thanks for all your support, i made mistake while create lan to vpn and vpn to lan policy. i have enabled nat in the policy, after disabling NAT, i can able to access sonicwall lan network, thanks for your support.

View solution in original post

AEK · ‎02-26-2024

Hi Prince

- Check phase 2 selector from both sides contains the right source and destination.

Or try first rebuild the tunnel with 0.0.0.0/0 as source and destination to make sur it is not the root cause.

- Also check routing from FG side, sometimes you may have existing routes or connected interface or VIP or IP pool that are on the same range as Sonicwall subnets, so you need to check and fix this.

- Check your firewall policies on both sides are allowing the related traffic.

- Use diag sniffer and diag debug flow to see if your traffic is going through the tunnel and if it is allowed and denied.

AEK

prince · ‎02-27-2024

Hi Aek,

i checked the phase two tunnel but its now working . please find the image for the reference

AnthonyH · ‎02-26-2024

Hello Prince,

Could you run the following commands in the FortiGate CLI and initiate a ping to the sonic wall lan? This will tell us if the FortiGate is sending out traffic or if it is being dropped.

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr <sonicwall_lan_ip>
dia debug flow filter proto 1
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...

Technical Support Engineer,
Anthony.

prince · ‎02-27-2024

Hi Anthony,

i got this out put from the above command

FortiGate-100F # 2024-02-27 15:00:58 id=65308 trace_id=9 func=print_pkt_detail line=5832 msg="vd-root:0 received a
packet(proto=1, 192.168.1.40:1->10.1.0.10:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=24719."
2024-02-27 15:00:58 id=65308 trace_id=9 func=resolve_ip_tuple_fast line=5920 msg="Find an existing session, id-08b
9dd31, original direction"
2024-02-27 15:00:58 id=65308 trace_id=9 func=ipv4_fast_cb line=53 msg="enter fast path"
2024-02-27 15:00:58 id=65308 trace_id=9 func=ip_session_run_all_tuple line=7150 msg="SNAT 192.168.1.40->10.10.10.1
:60418"
2024-02-27 15:00:58 id=65308 trace_id=9 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Fg-sw, t
un_id=0.0.0.0"
2024-02-27 15:00:58 id=65308 trace_id=9 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Fg-
sw, tun_id=Sonicwall IP, vrf 0"
2024-02-27 15:00:58 id=65308 trace_id=9 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"

AEK · ‎02-27-2024

See the message "No matching IPsec selector, drop".

Check phase 2 selector from both sides contains the right source and destination.

Or try first rebuild the tunnel with 0.0.0.0/0 as source and destination to make sure it is not the root cause.

AEK

hbac · ‎02-27-2024

Hi @prince,

Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPN-tunnel-errors-due-to-traff...

Regards,

prince · ‎02-28-2024

Hi Hbac,

Thanks for all your support, i made mistake while create lan to vpn and vpn to lan policy. i have enabled nat in the policy, after disabling NAT, i can able to access sonicwall lan network, thanks for your support.