We try to setup a IPsec tunnel between a Fortigate 100D and a Fortigate 3016B. Software version for the 100D is FortiOS5.0 Patch 4, the 3016B is using FortiOS4.0 Patch 15. Everything looks fine, tunnel is coming up (In Webgui, IPsec-Monitor) But traffic is only passing if initiated from one site (the 100D side)
So, if we ping from a server behind the 100D we are getting a response from the server on the other site. If We try this within approx. 10 min. ping from behind the 3016 is also successfull.
If try to ping from behind the 3016B after an amount of time (more then 10 a 15 minutes) we couldn't ping succesfull from a server behind the 3016B to a server behind the 100D.
(So If we initiate form behind the 100D also traffic initiated from behind the 3016B will allowed.
We have checked the configs multiple times and they are the same. Also on both Fortigates we have two policies, one from the tunnel-interface to LAN and vice-versa.
(We are using Interface mode IPsec)
Is this a known issue or compatibility problem between the fortigates/software versions? (For both units others tunnels are working fine.
We are using AES128/SHA1 for auhtentication and encryption.
I hope you can help and we can solve this problem.
Hi,
looks to me like you are doing somewhere unwanted NAT.
login to cli and have a look on both ends what IP you will see on the interfaces.
Make sure that you tick "allow traffic to be initiated from the remote site" at the policy on V5.X firewall.
Otherwise you need to do some debug and look into the tunnel to see the IPs which are
transported. Make sure that the routing is like it should be. That can cause something like that
as well.
Patrick
Hi Patrick,
thanks for your advice. Since i am a compleet noob, i like to know what i should see at the interfaces. "allow traffic to be initiated from the remote site" is ticked.
What do you mean by: make sure the routing is like it should be?
If it works, it works, once there is traffic it stays working, until there is no traffic from the other side/site for more than 10 minutes. The VPN stays up, but no traffic can pass from me side to the other side.
I would start with a diag debug flow on both firewalls with a filter that matches the traffic from your host(s) that your testing. if your not being encrypted than you have a host of issues to look at.
Also keep in mind if your using interface mode =( which I guess your are ) you can run the diag sniffer directly aganist the tunnel named interface
e.g
diag sniffer packet <tunnelnameinterface> "host 1.1.1.1"
For now run a diag debug flow on each firewall near and far;
diag debug dis
diag debug reset
diag debug flow filter addr x.x.x.x
diag debug flow show console enable
diag debug en
diag debug flow trace start 100
and then execute a ping from the host (x.x.x.x )
After completion disable the debug process
diag debug disable
The diag debug flow is your 1st step always for t-shooting for flow issues.
Ken
PCNSE
NSE
StrongSwan
Hi There
I think this was happen to me before. It showing your VPN status is UP but there is no traffic.
Try to set up a static routing to your destination.
From your Fortigate GUI Router->Static Routes and set the static routing
That should work...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.