Hi there,
I have the following problem:
scenario: site1 <----IPSEC ----> site2 <----router----> different subnets
The IPsec VPN is configured with 1 phase1 and multiple phase2 for multiple dialup VPNs.
Traffic flows correctly from site1 to targets behind the subnet router in site2, so tunneling and routing work correctly.
Traffic from the LAN subnet (directly connected to the LAN interface) in site2 also flows correctly to targets in site1.
Only traffic from sources behind the subnet router in site2 won't pass the tunnel to site1.
The debug flow log shows that the traffic arrived at the FortiGate LAN interface in site2 as follows:
id=20085 trace_id=2223 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 10.100.140.13:58642->10.100.140.38:80) from lan. flag , seq 2709869595, ack 0, win 8192"
id=20085 trace_id=2121 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, x.x.x.x:55980->x.x.x.x:9100) from lan. flag , seq 1502283171, ack 0, win 8192"
id=20085 trace_id=2121 func=init_ip_session_common line=4935 msg="allocate a new session-001eb5e4"
id=20085 trace_id=2121 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-x.x.x.x via guestrow_4"
Routing to the VPN subinterface is correct, but nothing more happens. No deny, no errors.
To compare, here is the flow log from the site2 LAN subnet to the site1 subnet:
id=20085 trace_id=2058 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, x.x.x.x:58049->x.x.x.x:80) from lan. flag [.], seq 380869527, ack 1164218240, win 64954"
id=20085 trace_id=2223 func=init_ip_session_common line=4935 msg="allocate a new session-001ec775"
id=20085 trace_id=2223 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-x.x.x.x via guestrow_4"
id=20085 trace_id=2058 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=2058 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-guestrow_4"
id=20085 trace_id=2058 func=esp_output4 line=859 msg="IPsec encrypt/auth"
id=20085 trace_id=2058 func=ipsec_output_finish line=498 msg="send to x.x.x.x via intf-wan1"
id=20085 trace_id=2059 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, x.x.x.x->x.x.x.x:58050) from guestrow_4. flag [.], seq 3425957709, ack 1850966348, win 16584"
id=20085 trace_id=2059 func=resolve_ip_tuple_fast line=4848 msg="Find an existing session, id-001eb12c, reply direction"
id=20085 trace_id=2068 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, x.x.x.x:80->x.x.x.x:58048) from guestrow_4. flag [.], seq 1736479680, ack 1168096721, win 16584"
id=20085 trace_id=2068 func=resolve_ip_tuple_fast line=4848 msg="Find an existing session, id-001eb12a, reply direction"
id=20085 trace_id=2068 func=ipv4_fast_cb line=53 msg="enter fast path"
The only difference: in the first log "route: flag=00000000" and in the second (which works) "route: flag=04000000".
Any suggestions?
Thanks for your help.
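The comparison the poster made by eye (which trace reached "IPsec encrypt/auth" and which one stopped after the route lookup, and what route flag each carried) can be done mechanically over a `diag debug flow` capture. The following is an added example, not code from the post or from Fortinet: a small parser that splits the `id=... trace_id=...` records (including two records fused onto one physical line, as happens in the post), groups them by `trace_id`, and reports for each packet the ingress interface, the route flag and interface, and whether it reached ESP output. The sample log embedded below is constructed for this example and modelled on the post's lines; the IP addresses in it are placeholders. The script only triages which traces stalled; it does not decide why.

```python
import re
from collections import OrderedDict

# Constructed sample input modelled on the post's debug flow output.
# Trace 2121 is the non-working flow (route flag 00000000, nothing after the
# route lookup); trace 2058 is the working flow (flag 04000000, ESP output,
# sent via wan1). Addresses are placeholders chosen for this example.
SAMPLE_LOG = """\
id=20085 trace_id=2121 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 10.100.140.13:55980->10.100.140.38:9100) from lan. flag , seq 1502283171, ack 0, win 8192"
id=20085 trace_id=2121 func=init_ip_session_common line=4935 msg="allocate a new session-001eb5e4"
id=20085 trace_id=2121 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-198.51.100.1 via guestrow_4"
id=20085 trace_id=2058 func=print_pkt_detail line=4784 msg="vd-root received a packet(proto=6, 10.100.141.7:58049->10.100.140.38:80) from lan. flag [.], seq 380869527, ack 1164218240, win 64954"
id=20085 trace_id=2058 func=init_ip_session_common line=4935 msg="allocate a new session-001ec775"
id=20085 trace_id=2058 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-198.51.100.1 via guestrow_4"
id=20085 trace_id=2058 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=2058 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-guestrow_4"
id=20085 trace_id=2058 func=esp_output4 line=859 msg="IPsec encrypt/auth"
id=20085 trace_id=2058 func=ipsec_output_finish line=498 msg="send to 203.0.113.9 via intf-wan1"
"""

# A record starts at "id=<n> trace_id=<n>". The post shows two records fused
# onto one physical line, so split on that boundary rather than on newlines.
RECORD_START = re.compile(r'(?=\bid=\d+ trace_id=\d+\b)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PKT_RE = re.compile(
    r'proto=(\d+), ([\w.]+?)(?::(\d+))?->([\w.]+?)(?::(\d+))?\) from (\S+?)\.')
ROUTE_RE = re.compile(r'find a route: flag=([0-9a-fA-F]{8}) gw-(\S+) via (\S+)')
SEND_RE = re.compile(r'send to (\S+) via intf-(\S+)')


def split_records(text):
    """Return the individual 'id=... trace_id=...' records, even when fused."""
    return [r.strip() for r in RECORD_START.split(text) if r.strip()]


def parse_record(record):
    """Parse one debug-flow record into a key -> value dict (msg unquoted)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(record)}


def summarize(text):
    """Group records by trace_id and record which stages each packet reached."""
    traces = OrderedDict()
    for rec in map(parse_record, split_records(text)):
        tid = rec.get('trace_id')
        if tid is None:
            continue
        t = traces.setdefault(tid, {
            'src': None, 'dst': None, 'in_intf': None, 'route_flag': None,
            'gw': None, 'route_intf': None, 'encrypted': False,
            'out_intf': None, 'funcs': []})
        t['funcs'].append(rec.get('func'))
        msg = rec.get('msg', '')
        m = PKT_RE.search(msg)
        if m:
            _proto, src, sport, dst, dport, iif = m.groups()
            t['src'] = src + (':' + sport if sport else '')
            t['dst'] = dst + (':' + dport if dport else '')
            t['in_intf'] = iif
        m = ROUTE_RE.search(msg)
        if m:
            t['route_flag'], t['gw'], t['route_intf'] = m.groups()
        if msg == 'IPsec encrypt/auth':
            t['encrypted'] = True
        m = SEND_RE.search(msg)
        if m:
            t['out_intf'] = m.group(2)
    return traces


def stalled_traces(traces):
    """Trace ids whose last recorded stage is the route lookup: the packet was
    routed to an interface but never reached the fast path or IPsec output."""
    return [tid for tid, t in traces.items()
            if t['funcs'] and t['funcs'][-1] == 'vf_ip_route_input_common']


def report(traces):
    """Render one line per trace for side-by-side comparison."""
    stalled = set(stalled_traces(traces))
    lines = []
    for tid, t in traces.items():
        status = 'STALLED after route lookup' if tid in stalled else (
            'forwarded via %s' % t['out_intf'] if t['encrypted'] else 'other')
        lines.append('trace %s: %s -> %s in=%s route_flag=%s via %s: %s' % (
            tid, t['src'], t['dst'], t['in_intf'], t['route_flag'],
            t['route_intf'], status))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(summarize(SAMPLE_LOG))))
```

Feed it a saved capture instead of `SAMPLE_LOG` and the stalled list gives the trace ids to examine; the route flag and interface columns make the 00000000 versus 04000000 difference the poster spotted visible for every packet rather than for two hand-picked ones.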
Copyright 2024 Fortinet, Inc. All Rights Reserved.