Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rharms_tarc
New Contributor

Created on ‎02-20-2025 08:10 AM Edited on ‎02-20-2025 08:35 AM

VPN Traffic Not Leaving FortiGate

I'm working on setting up an IPSEC VPN tunnel between a remote cellular router (Digi TX64) and the FortiGate 300E at our headquarters. 

 

I've got the tunnel up and stable, but can't seem to get traffic to flow properly.  If I run a ping from a device behind the Digi to a device behind the FortiGate, I can run packet sniffer on the FortiGate and see the ping packets coming into the FortiGate from the VPN interface, but I never see them leave the FortiGate to go on to the actual host. 

 

Once I get the formula for this sorted out, I get to duplicate it about 180 times for routers across our bus fleet.  All of the bus routers use the same 192.168.x.0/24 internal subnet, so I need to NAT the traffic as it is passing through the FortiGate into our main network, and then reverse that as it passes back through the FortiGate to return to the bus.  I also need to ensure that NAT is always one-to-one such that traffic from a specific 192.168.x.0 address will always translate to the same address and vice versa.

 

I've pasted the relevant config snippets below.  Guessing it's something simple that I'm not seeing, so would appreciate some fresh eyes.

 

 

config firewall policy
  edit 141
    set name "From-Coach-2xxx"
    set uuid 53513b9a-eb35-51ef-7e8b-5acxxxxxxxx
    set srcintf "Coach-2xxx-VPN"
    set dstintf "LAN-ZONE"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set utm-status enable
    set ssl-ssh-profile "SSL-INSPECTION"
    set av-profile "default"
    set dnsfilter-profile "default"
    set application-list "Monitor-and-Block-Botnets"
    set nat enable
    set fixedport enable
    set ippool enable
    set poolname "Coach-2xxx-Inbound"
  next
end

 

config firewall policy
  edit 142
    set name "To-Coach-2xxx"
    set uuid b642e94c-eb35-51ef-d7ab-f545xxxxxxxx
    set srcintf "LAN-ZONE"
    set dstintf "Coach-2xxx-VPN"
    set action accept
    set srcaddr "all"
    set dstaddr "Coach-2xxx-Outbound"
    set schedule "always"
    set service "ALL"
    set utm-status enable
    set ssl-ssh-profile "INSPECTION"
    set av-profile "default"
    set dnsfilter-profile "default"
    set application-list "Monitor-and-Block-Botnets"
  next
end

 

config firewall vip
  edit "Coach-2xxx-Outbound"
    set uuid 0bb2482e-eb35-51ef-f975-c48axxxxxxxx
    set extip 10.2x.5x.0-10.2x.5x.255
    set mappedip "192.168.x.0-192.168.x.255"
    set extintf "any"
    set nat-source-vip enable
    set color 19
  next
end

 

config firewall ippool
  edit "Coach-2xxx-Inbound"
    set type one-to-one
    set startip 10.2x.5x.0
    set endip 10.2x.5x.255
  next
end

 

config router static
  edit 18
    set dst 10.2x.5x.0 255.255.255.0
    set distance 1
    set device "Coach-2xxx-VPN"
  next
end

 

  

339
0 Kudos
4 REPLIES 4
Toshi_Esumi
SuperUser
SuperUser

Created on ‎02-20-2025 08:44 AM Edited on ‎02-20-2025 08:51 AM

The config is the same I would configure in case SNAT on the VPN at TX64 is absolutely not an option. And, based on your description, the inbound SNAT policy is not working as you intended.

In that case, you need to run flow debugging to see how the FGT is treating the inbound packets with the policy.
I would run like.
   diag debug reset
   diag debug flow filter addr 192.168.x.x(source IP)
   diag debug flow trace start 10 (or how many more flows you want to capture)
   diag debug enable


You need to run the debug first, then start pinging from the client side. Otherwise, it would be sent to NPU and show like "found an existing session" only for every incoming packet.

Toshi

322
rharms_tarc
New Contributor

Created on ‎02-20-2025 09:59 AM

Here is an excerpt from the debug:

 

id=20085 trace_id=33 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.x.100:1->10.xxx.100.86:2048) tun_id=10.0.0.7 from Coach-2xxx-VPN. type=8, code=0, id=1, seq=18870."
id=20085 trace_id=33 func=init_ip_session_common line=6046 msg="allocate a new session-70992410, tun_id=10.0.0.7"
id=20085 trace_id=33 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
id=20085 trace_id=33 func=ip_session_handle_no_dst line=6132 msg="trace"
id=20085 trace_id=36 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.x.100:1->10.xxx.100.86:2048) tun_id=10.0.0.7 from Coach-2xxx-VPN. type=8, code=0, id=1, seq=18871."
id=20085 trace_id=36 func=init_ip_session_common line=6046 msg="allocate a new session-70992600, tun_id=10.0.0.7"
id=20085 trace_id=36 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
id=20085 trace_id=36 func=ip_session_handle_no_dst line=6132 msg="trace"
id=20085 trace_id=38 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 192.168.x.100:1->10.xxx.100.86:2048) tun_id=10.0.0.7 from Coach-2xxx-VPN. type=8, code=0, id=1, seq=18872."
id=20085 trace_id=38 func=init_ip_session_common line=6046 msg="allocate a new session-70992786, tun_id=10.0.0.7"
id=20085 trace_id=38 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
id=20085 trace_id=38 func=ip_session_handle_no_dst line=6132 msg="trace"

 

So it looks like the problem is failing the reverse path check.  From reading, it seems like I need to give it a route for those 192.168.x.0/24 addresses.  But not sure how to set that up being that I'm going to have traffic for that same subnet coming in from 180 different VPN tunnels.

301
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to rharms_tarc

Created on ‎02-20-2025 10:24 AM Edited on ‎02-20-2025 10:36 AM

so, this means the FGT receives the packet from 192.168.x.100, and it drops the packet because there is no route to go back to the tunnel for 192.168.x.100.
I'm not sure how to avoid that in case all VPNs have the same destination subnet.
First, try setting a static route into the tunnel for 192.168.x.0/24 to make sure it works with the route.

Then, if it works as you intended, you need to set up a second tunnel to the second TX64 and put in the EXACT same static route to the second tunnel as well. It would show up as a parallel route with the first one. I'm hoping the FGT takes it as is not to drop the second tunnel traffic.


Toshi

294
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎02-20-2025 11:20 PM

you could use dial up ipsec instead of s2s here. Then you won't need to deduplicate the vpn at all.

You would only need to route 192.168.0.0/16 via the vpn and maybe set proper quickselectors in phase2.

Then you must only make sure your policies (and vips) match all the coaches subnets.

A dialup supports up to 500 concurrent connections. In interface mode those will be enumerated.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
219
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.