luca1994
New Contributor III

VPN IPSec between private peers ip

Hello team,

I successfully configured phase 1 and phase 2 IPsec VPN having private IPs as peers (WAN).
On one side I have FortiGate, on the other side Palo Alto.
Both VPN phases go up but when I try to generate traffic I never get the return responses, either way.

On the FortiGate side I see correctly routed traffic to the IPsec tunnel but I never see the replies. The Palo Alto side is the same: I see traffic is routed correctly but I never see the replies.
The strange thing is that, seeing traffic routed correctly to the IPsec tunnel, I would expect to see traffic on both sides.

Following screenshot from either side (ipsec.png)

Any suggestions for troubleshooting?
It occurred to me to try as a test to modify phase two by specifying 0.0.0.0/0/0 for both remote and local to see if maybe some NAT is present that I am not aware of.

Thanks in advance for the support

BR

1 Solution
Sheikh
Staff

Hello @luca1994

Please check this Article for configuring IPSec tunnel between FortiGate and Palo Alto

regards,

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**

4 REPLIES
adambomb1219
SuperUser

Does Palo support 0.0.0.0/0 phase 2?

luca1994

Hi @adambomb1219, yes PA supports 0.0.0.0/0 on phase 2

BR

jiahoong112
Staff

As you are seeing traffic enter the IPsec tunnel on both sides, do you see packets being received on both sides as well? Besides phase 1 and phase 2 selectors being up and configured correctly, please check whether the firewall policy and routing are configured correctly. You can also set NAT-T to force in order to force the tunnel to form over port 4500, just in case there are potential NAT devices on the ISP side changing and potentially dropping the packet.

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
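
The "packets being received on both sides" question in the reply above can be answered from the per-SA `dec`/`enc` counters in FortiGate's `diagnose vpn tunnel list` output. The following is an added example, not code from any poster or from Fortinet: `triage` is a hypothetical helper, and the sample output (tunnel name, addresses, counters) is constructed.

```python
import re

# Constructed sample modelled on FortiGate `diagnose vpn tunnel list` output.
# Tunnel name, addresses and counters are made up for illustration.
SAMPLE = """\
name=to-paloalto ver=2 serial=1 10.10.10.1:0->10.10.10.2:0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-paloalto proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:192.168.2.0/255.255.255.0:0
  dec:pkts/bytes=0/0, enc:pkts/bytes=42/3528
"""

NAME = re.compile(r"^name=(\S+)", re.M)
NATT = re.compile(r"^natt: mode=(\S+)", re.M)
COUNTERS = re.compile(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+")


def triage(output):
    """Return one finding per tunnel (hypothetical helper, not a Fortinet tool)."""
    starts = [m.start() for m in NAME.finditer(output)] + [len(output)]
    findings = []
    for begin, end in zip(starts, starts[1:]):
        block = output[begin:end]
        natt = NATT.search(block)
        # Sum the counters of every phase 2 SA that belongs to this tunnel.
        pairs = COUNTERS.findall(block)
        dec = sum(int(d) for d, _ in pairs)
        enc = sum(int(e) for _, e in pairs)
        if enc and not dec:
            verdict = "tx-only"   # we encrypt and send, nothing comes back
        elif dec and not enc:
            verdict = "rx-only"   # peer's packets arrive, we never send
        elif enc and dec:
            verdict = "two-way"
        else:
            verdict = "idle"      # no traffic matched the selectors yet
        findings.append({
            "tunnel": NAME.match(block).group(1),
            "natt": natt.group(1) if natt else "unknown",
            "dec": dec, "enc": enc, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A `tx-only` verdict with `natt` reported as `none` is the situation the NAT-T suggestion in the reply above is aimed at: this side sends ESP and decrypts nothing in return.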