Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pmehta
New Contributor

Virtual server and VPN

Hey, I need to setup Site-to-site vpn to have access to the created Virtual servers. i have the virtual server created on Untrust zone and the real servers are on the DMZ zone. The virtual server ip is 10.10.20.6(Name: CMD) (we are choosing private ip for some reason) The Ipsec phase two is setup for 10.10.20.0/24 and remote subnet 192.168.55.0/24 . The firewall policy from Untrust to DMZ is set to : set srcintf " DMZ" set dstintf " Untrust" set srcaddr " 1275K-DMZ" set dstaddr " 192.168.55.0/24" set action ipsec set schedule " always" set service " ANY" set inbound enable set outbound enable set vpntunnel " VPNSav" Please advise if we i can some how setup the Virtual IP to be accessible from VPN. The phase 2 tunnel comes up but i cannot ping the virtual server ip 10.10.20.6 from the remote network 192.168.55.0/24. Please help me
P M
P M
5 REPLIES 5
pmehta
New Contributor

Any help suggestions to read some blogs/pdfs would be helpful
P M
P M
pmehta
New Contributor

hmm...
P M
P M
rwpatterson
Valued Contributor III

In my opinion, I would change the tunnel type from policy based to interface based. At this point you could simply use the VIP as the destination.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
pmehta
New Contributor

In my opinion, I would change the tunnel type from policy based to interface based. At this point you could simply use the VIP as the destination.
I setup interface mode VPN between the cisco and Fortigate. (used the Gre over IPsec Guide) The VPN comes up. I can see the SPIs being set and tunnel shows up. Put I cannot ping the Tunnel ip addresses. When i do so i get these traffic logs on fortigate 10: 2011-11-20 14:05:37 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd=" root" src=208.x.x.x8 srcname=208.x.x.x8 src_port=0 dst=208.x.x.x7 dstname=208.x.x.x7 dst_country=" United States" dst_port=0 service=other proto=47 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=" N/A" shaper_rcvd_name=" N/A" perip_name=" N/A" vpn=" N/A" vpn_type=UNKNOWN(65535) vpn_tunnel=" N/A" src_int=" root" dst_int=" N/A" SN=97151 app=" N/A" app_cat=" N/A" user=" N/A" group=" N/A" msg=" iprope_in_check() check failed, drop" carrier_ep=" N/A" profilegroup=" N/A" This is when I issue a Ping 2: 2011-11-20 14:05:58 log_id=0038000006 type=traffic subtype=other pri=warning status=deny vd=" root" src=208.x.x.x7 srcname=208.x.x.x7 src_port=0 dst=208.x.x.x8 dstname=208.x.x.x8 dst_country=" United States" dst_port=770 service=3/2/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=" N/A" shaper_rcvd_name=" N/A" perip_name=" N/A" vpn=" N/A" vpn_type=UNKNOWN(65535) vpn_tunnel=" N/A" src_int=" N/A" dst_int=" N/A" SN=4294967295 app=" N/A" app_cat=" N/A" user=" N/A" group=" N/A" msg=" no protocol tuple found, drop." carrier_ep=" N/A" profilegroup=" N/A" These are the firewall rules edit 10 set srcintf " DMZ" set dstintf " gre1" //gre1 is the gre interface set srcaddr " all" //tocisco is the ipsec interface. set dstaddr " all" set action accept set schedule " always" set service " ANY" next edit 20 set srcintf " gre1" set dstintf " DMZ" set srcaddr " all" set dstaddr " all" set action accept set schedule " always" set service " ANY" next edit 30 set srcintf " gre1" set dstintf " tocisco" set srcaddr " all" set dstaddr " all" set action accept set schedule " always" set service " ANY" next edit 40 set srcintf " tocisco" set dstintf " gre1" set srcaddr " all" set dstaddr " all" set action accept set schedule " always" set service " ANY" Please advise if you would like the entire configs
P M
P M
pmehta
New Contributor

Just to point ou that the src_int and dst_int in the above logs is showing N/A Dont knw why is that. Ideally should be from ipsec to gre .... I mean i have setup the gre interface as ip 10.0.1.1 and the remote on it is 10.0.1.2
P M
P M
Top Kudoed Authors