Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nickpapicc
New Contributor

Created on ‎04-14-2025 08:48 AM

Site to site vpn with branch behind a firewall

Hello,

I'm trying to create a new site to site vpn for a customer.

Headquarter device is fortigate 80E, branch is fortigate 60F. There is already a site to site ipsec vpn between Head and Branch that is working internet provider's router at both site are not natted so fortigates route using public IP addresses.

Now the customer has a new FWA faster connection at the branch and want to use this new for vpn to the HQ, but this connection has a router with firewall that we cannot disable and we cannot use a public IP address for WAN port of the branch fortigate.

What are seeing connection from the HQ arriving at the branch on port 500, but when the branch sends out ike packet to HQ the branch fortigate shows error "network unreachble" Following an exaple of packet capture session

 

2025-04-11 16:40:01.021309 ike 0: comes 2.40.80.242:500->192.168.1.2:500,ifindex=6,vrf=0....
2025-04-11 16:40:01.021384 ike 0: IKEv2 exchange=SA_INIT id=cdb44172569bf4cb/0000000000000000 len=500
2025-04-11 16:40:01.021415 ike 0: in CDB44172569BF4CB00000000000000002120220800000000000001F42200006C02000034010100050300000C0100000C800E008003000008020000050300000803
00000C0300000804000005000000080400000E00000034020100050300000C0100000C800E01000300000802000005030000080300000C0300000804000005000000080400000E28000108000E0000ECE832700
FF7B825741E625E50573775B80F0CEE08960CFFACD8F8E380950E77BD1D59D18F838CACDCE55ED75860AED7E672AD1432E0C03468C6796AC0B8748044306DB3367E4C238F7C634D18CFBA0B13D25A131968C73C
4EFD99D7E43338DECF542B41F126FBEEE1A008A4E6B2475440F6A0C4DAD2B84575F6A3186DD2E6398BFFAADC6A27640E453E3BBD0CB73418DF3DD0C497692183C2E21BD7DC350AD0D4C799ED1B311ADC9378A5A
BD2A64F8A7402A01BF1BCBA3ADA10673B648AE247F71ECDA3FA47CA6FB9EC49EA48183FE720DED76AF3166B69C30F43F10233877A6F02895C431DD221486D3DFF714DDAD50B78D4AF0FE07EFA1176C8CD3EF7F1
2F290000248D4CFFA3D988617AE6A92FFCCA51091EE3CFF1BD33EDCE8A54CC026E40DF60542900001C00004004F56C77138F73AD36DD76F7CADD5C12734F2BDF562900001C00004005E07BBCED73A8F0426D7AE
5B02AB3A19C44C30846000000080000402E
2025-04-11 16:40:01.021480 ike 0:VPN-BARI-FWA:9567: detected retransmit, resend last message
2025-04-11 16:40:01.021509 ike 0:VPN-BARI-FWA:9567: out CDB44172569BF4CB3CC683D1A20008FB2120222000000000000001A8220000300000002C010100040300000C0100000C800E00800300000
802000005030000080300000C000000080400000E28000108000E0000BE0B06B733FF4DE7BC1CA4209A3D3F63CA207F0C84A2973A525EDCF618235696AA3C6E334B234745595310072C0B3635C02114418B3E7B
D18E1B825AF3533AB6C3541B816301160F33C944D79BDED9DC922596B042F7D8D7D6A8E56636E20E3CA641C6BCBDC180F56E158C64DE8DEE8BC4667A601D35ECD2336AB60749C7386AE9F725CC2013001FF1621
AEFB68822B4E0C67F08FDDC3EEC6E8FF1EBB3BCC5BE4165C7EBC9CB4D8389057F1A0F75DD6EAF4B4860FDD2DC1D3C1C4027BC8E1A72C365A15AB4C31713A87A0B09829E1B3AACA057229FE259A6BB8EB2EDB956
9F426FD2E92D78BED53B64E0647D87F7E6EA7589D17A245F624741ED14988A9259B129000014FC9AB28A2197A3C10DEA4D8D8C6D917D2900001C0000400486929583EC2CC90321D6EAE0739D21AA66135D3A290
0001C00004005C924FF74FA1220CA67954D10C6512C29CD24064F000000080000402E
2025-04-11 16:40:01.021585 ike 0:VPN-BARI-FWA:9567: could not send IKE Packet(retransmit):192.168.1.2:500->2.40.80.242:500, len=0, vrf=424: error 101:Network is unreac
hable

 

It seems like the router of internet provider at the branch is not routing packet using UDP 500 towards the HQ.

Indeed at the HQ we don't see any packet arriving from the branch to negotiate. This event is logged in the branch fortigate ever and ever

 

Immagine 2025-04-14 174337.png

May be I'm missing something in the configuration?

Any advice?

 

Thanks nick

 

Labels:
475
0 Kudos
1 Solution
sjoshi
Staff
Staff
In response to nickpapicc

Created on ‎04-15-2025 12:34 PM

Hi,

 

Ok I'm able to identify the issue.

The issue over here is for the VPN TNL VPN-BARI-FWA which is for wan2
Now in the active routing table wan2 default route is not present due to higher AD value
LEFWLAUTOT01 # get router info routing-table details 2.40.80.242

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 20, metric 0
vrf 0 192.168.1.1, via wan2

Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 88.33.223.161, via wan1 >> the star sign means the active route

I guess there is no issue for the TNL IPSEC-BARI-1
Since there is no default route active in the routing table from wan2 that is why the TNL from wan2 shows down
You need to setup the same AD value for both wan1 and wan2 and increase the priority of wan2 if you want to make it as sec

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi

View solution in original post

412
0 Kudos
3 REPLIES 3
sjoshi
Staff
Staff

Created on ‎04-14-2025 01:04 PM

Hi,

 

Can you please share me below output:-

get router info routing-table details 2.40.80.242

show vpn ipsec phase1-interface

 

This output should be attached from the FGT where this debug has been taken

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi
453
nickpapicc
New Contributor
In response to sjoshi

Created on ‎04-15-2025 02:51 AM

Hi,

here is the requested output from the FGT at branch

 

LEFWLAUTOT01 # get router info routing-table details 2.40.80.242

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 20, metric 0
vrf 0 192.168.1.1, via wan2

Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 88.33.223.161, via wan1

 

LEFWLAUTOT01 # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "IPSEC-BARI-1"
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256
set dpd disable
set remote-gw 2.40.80.242
set psksecret ENC vlTWHWMTt43tOqB7DDRB0fzBjWu1VE5ThCkac2JAJK79ZWSFkYwz3qUz+AlsQKUjY+Vr8wtXCpFsO9VWnf/bVOpYy7jUSRIcrkxpDWNVZoix5Vktks43sOOGimrk16pW44nOh25QLoztuDIed2xmM8yVihusnM6syxxqfCAq8yX6s9dHEyPR3cOqwNc20akJhd+UWw==
next
edit "VPN-BARI-FWA"
set interface "wan2"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256
set localid "2.196.197.181"
set comments "VPN: VPN-BARI-FWA"
set remote-gw 2.40.80.242
set psksecret ENC t8kRCdbgZFiUizXBcR0pRrkVvXaZk107rZxIlcHIn4HjtI5q/zcywWM3qc7kxyy668ueQFHnLWNeHsY4d1BqWfJhVS7a8sQQxm4lmJ5oTUz3iPp06jRIWguGLFYrNDATVyNXdpN3rxFzbMgrtI4ikS5XI31osn1WpNsUQ+2ueZ8CUzNXG7xiIhiXR0BxMSNfPxZ+gQ==
next
end

 

Thanks

Nick

 

431
0 Kudos
sjoshi
Staff
Staff
In response to nickpapicc

Created on ‎04-15-2025 12:34 PM

Hi,

 

Ok I'm able to identify the issue.

The issue over here is for the VPN TNL VPN-BARI-FWA which is for wan2
Now in the active routing table wan2 default route is not present due to higher AD value
LEFWLAUTOT01 # get router info routing-table details 2.40.80.242

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 20, metric 0
vrf 0 192.168.1.1, via wan2

Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 88.33.223.161, via wan1 >> the star sign means the active route

I guess there is no issue for the TNL IPSEC-BARI-1
Since there is no default route active in the routing table from wan2 that is why the TNL from wan2 shows down
You need to setup the same AD value for both wan1 and wan2 and increase the priority of wan2 if you want to make it as sec

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi
413
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.