Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cleyton_Agenil_da_Si
New Contributor

VPN site to site between Fortigate

[style="vertical-align: inherit;"][style="vertical-align: inherit;"]Caro, [/style][/style] [style="vertical-align: inherit;"][style="vertical-align: inherit;"]tenho o seguinte problema. [/style][/style] [style="vertical-align: inherit;"][style="vertical-align: inherit;"]Configure a conexão VPN site a site com dois fortigate HQ FG 80E e Branch 60E. [/style][/style] [style="vertical-align: inherit;"][style="vertical-align: inherit;"]A VPN funciona perfeitamente, as máquinas de ambos os lados se comunicam com sucesso. [/style][/style] [style="vertical-align: inherit;"][style="vertical-align: inherit;"]Porém, as caixas Fortigate não respondem ao ping em si no modo CLI, eu executo o comando em ambas as caixas com "execute ping + ip".[/style][/style]

 

[style="vertical-align: inherit;"][style="vertical-align: inherit;"]Mostra a mensagem[/style][/style]

 

[style="vertical-align: inherit;"][style="vertical-align: inherit;"]FILIAL # executa ping 192.168.254.99 <- IP HQ FG 80E [/style][/style] [style="vertical-align: inherit;"][style="vertical-align: inherit;"]PING 192.168.254.99 (192.168.254.99): 56 bytes de dados[/style][/style]

[style="vertical-align: inherit;"][style="vertical-align: inherit;"]--- 192.168.254.99 estatísticas de ping --- [/style][/style] [style="vertical-align: inherit;"][style="vertical-align: inherit;"]5 pacotes transmitidos, 0 pacotes recebidos, 100% de perda de pacotes[/style][/style]

[style="vertical-align: inherit;"][style="vertical-align: inherit;"]HQ # execute ping 192.168.247.99 <- IP FILIAL FG 60E [/style][/style] [style="vertical-align: inherit;"][style="vertical-align: inherit;"]PING 192.168.247.99 (192.168.247.99): 56 bytes de dados[/style][/style]

[style="vertical-align: inherit;"][style="vertical-align: inherit;"]--- 192.168.247.99 estatísticas de ping --- [/style][/style] [style="vertical-align: inherit;"][style="vertical-align: inherit;"]5 pacotes transmitidos, 0 pacotes recebidos, 100% de perda de pacotes[/style][/style]

 

[style="vertical-align: inherit;"][style="vertical-align: inherit;"] thanks for the help[/style][/style]

1 Solution
emnoc
Esteemed Contributor III

Ola

como v.c vai?

 

Desculpe meu portugues esta mal

 

Silvia você precisa habilitar permitira ping de acesso na gui pela interface ou via cli

por exemplo

  

config sys interface edit lan set allowaccess ssh https ping end

 

Você pode verificar e adicional ping?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
4 REPLIES 4
emnoc
Esteemed Contributor III

Ola

como v.c vai?

 

Desculpe meu portugues esta mal

 

Silvia você precisa habilitar permitira ping de acesso na gui pela interface ou via cli

por exemplo

  

config sys interface edit lan set allowaccess ssh https ping end

 

Você pode verificar e adicional ping?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Cleyton_Agenil_da_Si

Hello Ken Felix

Thanks for your tip, but your suggestion will not work, as I am pinging between two fortigate connected with VPN. That is, I am pinging from gateway to gateway. For example:

HQ IP WAN 200.189.180.157/28 Tunel HQ 0.0.0.0/0.0.00 LAN 192.168.254.99/24 allowaccess ssh https ping

 

HQ# execute ping 192.168.247.99 FG BRANCH PING 192.168.247.99 (192.168.247.99): 56 data bytes

--- 192.168.247.99 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss

-------------------------------------------------- -------------------------------------------------- ----

BRANCH WAN 179.178.158.144/28 TUNEL BRANCH 0.0.0.0/0.0.0.0 LAN 192.168.247.99/24 allowaccess ssh https ping

 

BRANCH# execute ping 192.168.254.99 PING 192.168.247.99 (192.168.254.99): 56 data bytes

--- 192.168.254.99 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss

emnoc
Esteemed Contributor III

Okay that is easy, do a  diag sniffer packet any "host 192.168.247.99 and icmp " 4

 

What interface do you see the pings going out of when you do the ping from HQ ? what source address? It's probably the WAN. If you have ipsec-interfaces ip address and maybe if you source from LAN address the traffic might or should go out of the ipsec interface. Do the above and paste the output of the sniffer here for analysis.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Cleyton_Agenil_da_Si

hello Ken Felix

 

Follows the result of the diag

HQ # diagnose sniffer packet any "host 192.168.247.99 and icmp" 4 interfaces = [any] filters = [host 192.168.247.99 and icmp] 3.968859 FG-BH-MATRIZ-HQ out -> 192.168.247.99: icmp: echo request 4.979935 HQ-BRANCH out 200.189.180.157 -> 192.168.247.99: icmp: echo request 5.989927 HQ-BRANCH out 200.189.180.157 -> 192.168.247.99: icmp: echo request 6.999936 HQ-BRANCH out 200.189.180.157 -> 192.168.247.99: icmp: echo request 8.009931 HQ-BRANCH out 200.189.180.157 -> 192.168.247.99: icmp: echo request

5 packets received by filter 0 packets dropped by kernel

This result indicates that the ping icmp traffic is exited through the WAN instead of exiting the tunnel.

Labels
Top Kudoed Authors