Dear All Guru,
I need urgent help. I have a 100D (v6.2.10) in the HQ office. I was able to create site-to-site VPNs to two other site offices which are using 100Ds as well.
Recently we have added a site office (we call it C) which is using an 80E (v7.0.5). I managed to create and bring up an IPsec tunnel between HQ and C.
From C:
- C FortiGate 80E is able to ping the HQ FortiGate 100D
- C server is able to ping the HQ server IP
From HQ:
- HQ FortiGate 100D is able to ping the C FortiGate 80E
- HQ server is not able to ping the C server IP
The IPsec tunnel is already up between the two FortiGate devices, and both devices can ping each other, but the server from HQ cannot access the C network. I have tried opening the entire subnet for access from both sides, but it is still not working. Any idea if I missed out any setting? Please help!
Hi Dave,
Good day to you. If the respective traffic is meant to go out via the CCECC-M1 IPsec tunnel, then your direction of the same subnet being used in both tunnels is correct. The traffic from 10.0.100.60 has been forwarded to the Ent-M1 IPsec tunnel due to the conflict:
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
You may want to consider changing the IP address scheme on the CCECC site, or configuring NAT between the tunnels to isolate the CCECC-M1 and Ent-M1 IP addresses. Please refer to the following document for the idea of NATting the remote IP:
Cookbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library
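An added illustration of the routing conflict described in the answer above (example code written for this page, not Fortinet's or the poster's configuration): it models a FortiGate route lookup over a constructed static route table, shows that the same destination prefix behind two tunnels leaves the firewall choosing between equal candidates, and shows the overlap disappearing once one site is renumbered. The prefixes, the port1 interface, and the distance/priority values are constructed assumptions; only the tunnel names Ent-M1 and CCECC-M1 come from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table (not from the thread). Each route is
# (destination prefix, outgoing interface, distance, priority), the fields a
# FortiGate static route pointing at an IPsec tunnel carries.
ROUTES_BEFORE = [
    ("10.0.100.0/24", "Ent-M1", 10, 0),    # existing site, reached via Ent-M1
    ("10.0.100.0/24", "CCECC-M1", 10, 0),  # new site C using the same subnet
    ("192.168.1.0/24", "port1", 10, 0),    # HQ LAN (assumed)
]
# The same table after the fix the poster applied: site C renumbered.
ROUTES_AFTER = [
    ("10.0.100.0/24", "Ent-M1", 10, 0),
    ("10.0.200.0/24", "CCECC-M1", 10, 0),
    ("192.168.1.0/24", "port1", 10, 0),
]

def _rank(route):
    # Lower tuple wins: longest prefix, then lowest distance, then lowest priority.
    return (-ip_network(route[0]).prefixlen, route[2], route[3])

def lookup(routes, dst):
    """Return the interface(s) a packet to dst would be forwarded out of.
    More than one result means equal candidates: the firewall picks one of
    them, which is the conflict behind the 'find a route ... via Ent-M1'
    debug line in the thread.
    """
    ip = ip_address(dst)
    cand = [r for r in routes if ip in ip_network(r[0])]
    if not cand:
        return []
    best = min(_rank(r) for r in cand)
    return sorted(r[1] for r in cand if _rank(r) == best)

def tunnel_overlaps(routes):
    """List pairs of routes on different interfaces whose prefixes overlap,
    i.e. destinations that two tunnels both claim."""
    found = []
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if a[1] != b[1] and ip_network(a[0]).overlaps(ip_network(b[0])):
                found.append((a[0], a[1], b[0], b[1]))
    return found

if __name__ == "__main__":
    print("before:", lookup(ROUTES_BEFORE, "10.0.100.60"), tunnel_overlaps(ROUTES_BEFORE))
    print("after: ", lookup(ROUTES_AFTER, "10.0.200.60"), tunnel_overlaps(ROUTES_AFTER))
```

Run the overlap check against the tunnels' destination prefixes before bringing up a new site; an empty result means no two tunnels compete for the same destination.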
Hi Team,
If the destination network of two tunnels is the same, traffic may go through either tunnel based on your routing decisions.
Maybe you need static NAT on the other end of the firewall, so that you can use a different subnet on the local firewall to differentiate the traffic.
Please check and keep us posted.
Thanks Seshuganesh,
I resolved this connection issue by changing one of the destination subnets. Thanks, and I appreciate your help!!!