Hi everyone,
I'm tired, I don't know what else to do...
I have an IPsec VPN from SITE A to SITE B and SITE B to SITE A, but only SITE B can reach SITE A:
SITE B:
FGT30E_ITAOBI # execute ping 192.168.0.8
PING 192.168.0.8 (192.168.0.8): 56 data bytes
64 bytes from 192.168.0.8: icmp_seq=0 ttl=255 time=34.0 ms
64 bytes from 192.168.0.8: icmp_seq=1 ttl=255 time=33.6 ms
64 bytes from 192.168.0.8: icmp_seq=2 ttl=255 time=33.4 ms
64 bytes from 192.168.0.8: icmp_seq=3 ttl=255 time=33.5 ms
64 bytes from 192.168.0.8: icmp_seq=4 ttl=255 time=33.6 ms
--- 192.168.0.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 33.4/33.6/34.0 ms
FGT30E_ITAOBI # execute traceroute 192.168.0.8
traceroute to 192.168.0.8 (192.168.0.8), 32 hops max, 3 probe packets per hop, 72 byte packets
1 192.168.0.8 33.841 ms 33.718 ms 33.571 ms
SITE A:
FGTCPS60D # execute traceroute 192.168.40.5
traceroute to 192.168.40.5 (192.168.40.5), 32 hops max, 3 probe packets per hop, 72 byte packets
1 * * *
2 * * *
3 * * *
......
32 * * *
I deleted and created it again, checked the proposal, key, everything, and site A can't even ping site B.
Some URLs I used for instructions: (https://kb.fortinet.com/kb/documentLink.do?externalID=FD34846, http://docshare02.docshare.tips/files/25630/256303685.pdf, https://kb.fortinet.com/kb/documentLink.do?externalID=FD40546, https://www.absoluteuc.org/troubleshooting-fortigate, http://soclevelone.com/index.php/2018/05/20/setting-vpn-ipsec-tunnel-with-fortigate/). Has someone had something like this?
Any help pointing me in the right direction would be appreciated.
The first link is for a KB describing a site-to-site VPN, but between a FGT and a Cisco router, and running OSPF over it. Yours seems to be FG30E-FG60D. Are you using OSPF? There should be some cookbooks for FGT-FGT with OSPF. If those subnets are directly connected to either side of the FGTs, you don't need OSPF.
When you troubleshoot, use the options below to set a proper source IP to ping/traceroute through the tunnel. Otherwise they pick up the tunnel interface IP, which might not be included in the phase2 selectors.
Make sure the tunnel is up, then, if the policies for both directions are right without NAT, you need to check the routing table on the FG60D to see whether the routes for the other end are there, pointing into the tunnel.
I deleted the route, but the same issue continues...
If you do a ping from the CLI, with older versions you must run
exec ping-options source x.x.x.x (where x.x.x.x is the IP of the local LAN interface)
before you start the ping.
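Putting the two replies above together (source the probe from the LAN address so it falls inside the phase2 selectors, confirm the tunnel is up, then check the policies and the route into the tunnel), here is the site A side written out as a worked example. This is added example configuration and CLI, not anything posted in the thread or taken from Fortinet's documentation. The interface names (wan1, internal), the tunnel name to_siteB, the peer address 203.0.113.2, the /24 masks, and the site A LAN address 192.168.0.1 are all assumptions; only 192.168.0.x as site A and 192.168.40.x as site B come from the original post.

```fortios
# --- Site A (FG60D): the minimum needed for 192.168.0.0/24 to reach 192.168.40.0/24 ---
# Assumed (not from the thread): wan1, internal, to_siteB, peer 203.0.113.2,
# LAN A = 192.168.0.0/24 with the FortiGate on 192.168.0.1, LAN B = 192.168.40.0/24.
config firewall address
    edit "lanA_net"
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "lanB_net"
        set subnet 192.168.40.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "to_siteB"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.2
        set psksecret <same pre-shared key as site B>
    next
end
# Phase2 selectors must cover both LANs and mirror site B's
# (site B: src 192.168.40.0/24, dst 192.168.0.0/24).
config vpn ipsec phase2-interface
    edit "to_siteB_p2"
        set phase1name "to_siteB"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.40.0 255.255.255.0
    next
end
# Without this route, packets for 192.168.40.0/24 follow the default route
# out wan1 and never enter the tunnel: that is what "* * *" on the traceroute looks like.
config router static
    edit 0
        set dst 192.168.40.0 255.255.255.0
        set device "to_siteB"
    next
end
# One policy per direction; NAT off on the LAN-to-tunnel policy so the
# inner source address still matches the phase2 selector.
config firewall policy
    edit 0
        set name "lanA_to_siteB"
        set srcintf "internal"
        set dstintf "to_siteB"
        set srcaddr "lanA_net"
        set dstaddr "lanB_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "siteB_to_lanA"
        set srcintf "to_siteB"
        set dstintf "internal"
        set srcaddr "lanB_net"
        set dstaddr "lanA_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Verification, run on site A ---
# 1. Source the ping from the LAN address so it matches the phase2 selector.
execute ping-options source 192.168.0.1
execute ping 192.168.40.5
# 2. Is the tunnel really up? Phase1 state, then phase2 selectors and SPIs.
diagnose vpn ike gateway list name to_siteB
diagnose vpn tunnel list name to_siteB
# 3. Does the route point into the tunnel? Expect a static route via to_siteB, not wan1.
get router info routing-table details 192.168.40.5
# 4. Trace how the firewall forwards the ping: the output names the matching
#    policy id and the egress interface (to_siteB is right, wan1 is the bug).
#    On 5.x firmware use "diagnose debug flow show console enable" instead.
diagnose debug flow filter addr 192.168.40.5
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 10
execute ping 192.168.40.5
diagnose debug disable
diagnose debug reset
```

If step 2 shows the tunnel up and step 3 shows the route via the tunnel, step 4 usually exposes the remaining cause: either no policy matches (a missing or wrong lanA_to_siteB policy) or the source address chosen for the probe is outside the phase2 selector, which is exactly why ping-options source matters.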
Copyright 2024 Fortinet, Inc. All Rights Reserved.