FeM_User
New Contributor

Strange behavior for a dialup VPN: unable to ping from one side, but the other side is OK (in part)

Hi forum.

I do not have much experience with Fortigate VPN, but I have searched the forum and did not find the answer to my question, since my setup is very unusual.

I needed to connect two offices via two identical Fortigate 30Es. Due to the internal policies of the company, HQ_1 uses the Fortigate as router and firewall and has its WAN directly connected to the public IP address, while HQ_2 uses a proprietary router and its Fortigate 30E WAN is connected to one LAN port of the router, in the internal subnet.

On the proprietary router I have forwarded ports 4500 and 500, pointed at the Fortigate.

I have drawn the configuration in order to explain better my case.

In order to bring up a VPN between the two offices, I have followed the good guides and the different threads I found in this forum, and the VPN is up.

However, the following problems occur:

Inside the CLI of the Fortigate at HQ_2 (the one behind the NAT) I can ping and see:

the Fortigate of HQ_1

all devices in the subnet of Office 1.

Inside the CMD line of any device inside the subnet of HQ_2 (the one behind the NAT) I cannot ping nor see the devices in the subnet of Office 1.

And

inside the CLI of the Fortigate at HQ_1 I cannot ping FortigateRouter2, the local IP address of the proprietary router, nor any device in the subnet of Office 2.

    but:

inside the CMD of any device inside the subnet of HQ_1 (the one behind the NAT) I can successfully ping FortigateRouter2, but I cannot ping the devices in the subnet of Office 2.

So the question is:

Does such a configuration present some major error?

Can anyone help to explain this?

Best regards and thank you all

Steve

Toshi_Esumi
SuperUser

It's about the 3rd-party router at HQ.2, more than about the FG30E. Your set-up is "VPN FW on a stick". If LAN1 and LAN2 on the router are just switch ports with one interface IP like .254, it would probably work with the default GW pointing to .253 at all devices, including PC1 in the diagram. Otherwise, the router needs to have a static route for 192.168.3.0/24 toward .253.

But what I really recommend is to put the 30E at HQ.2 in-line between the router and all devices, by assigning a /30 subnet between the router and the 30E. It would make all troubleshooting much easier.

FeM_User

Thank you very much, Toshi Esumi, for your quick reply.

When you say "Otherwise, the router needs to have a static route for 192.168.3.0/24 toward .253", you obviously mean the 3rd-party router, right? I think yes, but I need confirmation.

So all the local subnet traffic (also non-VPN) should first pass via the Fortigate, right?

Sadly, putting it in-line is not permitted by the IT manager of the company.

Thank you again.

Regards

Toshi_Esumi
SuperUser

Yes. The bottom line is that packets destined to 192.168.3.0/24 at HQ.2 need to hit the 30E to get into the tunnel. So either by the default gateway at each device, or by a static route at the router, if that's the default GW.
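To make the routing decision in the two replies above concrete, here is an added example (not code from the original thread or from Fortinet) that performs longest-prefix-match lookups over constructed forwarding tables for HQ_2 and traces where a packet from a PC ends up under each of the three configurations discussed: PCs pointing at the router with no extra route, PCs pointing at the router with a static route for 192.168.3.0/24 toward .253, and PCs pointing at the 30E directly. The addressing is an assumption: the thread only names .253, .254 and 192.168.3.0/24, so the HQ_2 LAN is taken as 192.168.2.0/24 with the third-party router at .254 and the 30E at .253, and 192.168.3.10 is a made-up host in Office 1.

```python
"""Longest-prefix-match trace for the 'VPN FW on a stick' layout at HQ_2.

Added example, not code from the original thread or from Fortinet.
Assumed addressing (the thread only states .253, .254 and 192.168.3.0/24):
  HQ_2 LAN            192.168.2.0/24
  third-party router  192.168.2.254  (default gateway of the PCs today)
  FortiGate 30E WAN   192.168.2.253  (terminates the IPsec tunnel)
  HQ_1 LAN            192.168.3.0/24 (reachable only through the tunnel)
"""
import ipaddress

ROUTER = "192.168.2.254"
FORTIGATE = "192.168.2.253"
HQ2_LAN = "192.168.2.0/24"
HQ1_LAN = "192.168.3.0/24"

# Terminal "next hops": once a packet reaches one of these the trace stops.
TUNNEL = "ipsec-tunnel"   # the 30E's route into the VPN
ISP = "isp-uplink"        # the third-party router's default route
LOCAL = "local-delivery"  # destination is on a directly connected subnet


def next_hop(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def hq2_tables(pc_gateway, router_static_route):
    """Forwarding tables for PC1, the router and the 30E under one scenario.

    pc_gateway:          default gateway configured on PC1 (ROUTER or FORTIGATE)
    router_static_route: whether the router carries '192.168.3.0/24 via .253'
    """
    pc1 = [(HQ2_LAN, LOCAL), ("0.0.0.0/0", pc_gateway)]
    router = [(HQ2_LAN, LOCAL), ("0.0.0.0/0", ISP)]
    if router_static_route:
        router.append((HQ1_LAN, FORTIGATE))
    # The 30E routes the remote LAN into the tunnel and everything else back
    # to the router, which is its only path to the Internet in this layout.
    fortigate = [(HQ2_LAN, LOCAL), (HQ1_LAN, TUNNEL), ("0.0.0.0/0", ROUTER)]
    return {"pc1": pc1, ROUTER: router, FORTIGATE: fortigate}


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from `start` until a terminal is reached.

    Returns the list of nodes visited, ending in a terminal, "DROP" (no route)
    or "LOOP" (hop limit exceeded).
    """
    path = [start]
    node = start
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path + ["DROP"]
        path.append(hop)
        if hop not in tables:   # terminal, not a forwarding node
            return path
        node = hop
    return path + ["LOOP"]


if __name__ == "__main__":
    remote_host = "192.168.3.10"   # constructed: a device in Office 1
    internet_host = "203.0.113.1"  # constructed: documentation address
    scenarios = {
        "PC gateway .254, no static route on router": hq2_tables(ROUTER, False),
        "PC gateway .254, router has 192.168.3.0/24 via .253": hq2_tables(ROUTER, True),
        "PC gateway .253 (the 30E), no static route": hq2_tables(FORTIGATE, False),
    }
    for name, tables in scenarios.items():
        print(f"{name}:")
        print("  to Office 1 :", " -> ".join(trace(tables, "pc1", remote_host)))
        print("  to Internet :", " -> ".join(trace(tables, "pc1", internet_host)))
```

The first scenario reproduces the reported symptom: the 30E itself reaches Office 1 because its own table carries the tunnel route, while a PC whose default gateway is .254 has its 192.168.3.x packets forwarded to the ISP uplink, never entering the tunnel. Either fix makes the trace end in the tunnel. Two things the trace does not show but a practitioner should expect: with the static route on the router, outbound packets hairpin through the router's LAN interface to .253 while the replies from the 30E go straight to the PC, so the router sees only one direction of each flow (and may emit ICMP redirects); and routing alone is not enough on the 30E, which still needs firewall policies between its WAN-side interface and the tunnel for the traffic to pass.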
