Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
khalilbouzaiene1
Contributor

Created on ‎02-23-2024 01:32 AM

ipsec vpn blackhole issue: i can't ping the other subnet throw the ipsec tunel

I have two LAN networks: the first one is 192.168.1.0/24, and the second one is 10.0.0.0/24. Each LAN is directly connected to a FortiGate firewall. I have set up a site-to-site VPN using two FortiGate virtual machines running version 7.2.0. The VPN configuration was done using the wizard.

However, when I try to ping a host in the other subnet (for example, from 192.168.1.1 to 10.0.0.2), I don't receive any response. The ping requests seem to be unsuccessful.

I researched this issue and discovered that it might be related to the black hole route created by the VPN wizard template. If anyone has experienced this problem before, I would appreciate any suggestions or solutions for resolving it. If anyone has knowledge of how to fix this, please provide guidance.

Labels:
6072
0 Kudos
1 Solution
khalilbouzaiene1
Contributor

Created on ‎02-29-2024 08:40 AM

@saneeshpv_FTNT @internet_contributer  @jera  @hbac @dbhavsar 

I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done .the issue is not in the static route or in the policies  , the issue was the fortigate it self , the version that i was working with it v7.2.0-build so when i change the version it work dirctly . 

View solution in original post

5386
0 Kudos
35 REPLIES 35
jera
Staff
Staff

Created on ‎02-23-2024 02:19 AM Edited on ‎02-23-2024 02:24 AM

Hi @khalilbouzaiene1 ,

 

Setup:

192.168.1.0/24 <> FW1 <IPSEC> FW2 <>  (10.0.0.0/24)

 

Good day! The first thing you need to check is the availability of  routes going to your remote LAN (10.0.0.0/24) from your FW1.  This  network should be learned from your IPSEC interface.

 

If you are learning the 10.0.0.0/24 from your wan/other interface, make sure to configure the route via IPSEC with a lower administrative distance.

 

config router static
    edit <id>
        set dst 10.0.0.0/24
        set distance <value>
        set device "to_IPSEC"
    next
end

You should do the same route verification in FW2. The 192.168.1.0/24 must be learned from your IPSEC interface. You can double check your IPSEC configuration using this guide:

 

https://docs.fortinet.com/document/fortigate/7.2.7/administration-guide/913287/basic-site-to-site-vp...

 

IPSEC Troubleshooting Guide: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...

 

JE
1856
khalilbouzaiene1
Contributor
In response to jera

Created on ‎02-23-2024 03:14 AM

in my case juste i have created the vpn tunel with the wizard template and no thnig else 
this the topology of my network 
topologie.png

and the static rules created by the wizard template are here 
FW-A 

 

FW-A.png

and also in the other fortigate : FW-B 
FW-B.png

 

do i need to add that configuration so that the ping will be successfull ?!!!

1842
0 Kudos
Rajneesh
Staff
Staff

Created on ‎02-23-2024 04:03 AM

Hello @khalilbouzaiene1 

You can run the sniffer on one of the FGT to check if he is sending the traffic out or not :

diagnose sniffer packet any 'host <source IP of user behind FGT> and icmp 4 0 l

Same you can tun on the other FGT to check if that device is also receiving packets or not.

 

1831
khalilbouzaiene1
Contributor

Created on ‎02-23-2024 04:57 AM Edited on ‎02-23-2024 05:05 AM

no thing yet guys no one of these preposition is the solution
and the packet they can't reatch the fortigate vpn interface when i try to sniffing the packet on my vpn interface

1820
0 Kudos
saneeshpv_FTNT
Staff
Staff
In response to khalilbouzaiene1

Created on ‎02-23-2024 05:08 AM

@khalilbouzaiene1 

 

You can make this tunnel to a Custom tunnel and then remove the Gateway configuration from the Static routes at each side which is incorrect.

 

Once that is done you will be able to ping.

 

Best Regards

1814
khalilbouzaiene1
Contributor
In response to saneeshpv_FTNT

Created on ‎02-23-2024 08:16 AM

hi 
i have tryed also to do a custom tunel , it have been estableched and it bring up but also i can't ping the host in the other lan 

when i ping from the  lan interface  which directly connectted to the fortigate to the other lan interface which also connected to the other foertigate , (192.168.1.1 --> 10.0.0.1 )it work  but when i try to ping the host no thing (192.168.1.2 ---> 10.0.0.2 )

1785
0 Kudos
jera
Staff
Staff

Created on ‎02-23-2024 10:53 PM

Hello @khalilbouzaiene1 ,

 

It's a great progress. If you are able to ping from local LAN gateway to remote LAN gateway (vise versa) , it means the tunnel is now working.

 

If the ping source is your server and can't reach the remote LAN Server. You can do another sniffer trace using only the remote IP as host to check if you have a two way traffic. 

 

If no logs generated on sniffer trace, it's possible that your server do not have the proper default gateway. If you see in/out traffic on sniffer it means that ICMP is blocked from your servers.

 

 

JE
1768
khalilbouzaiene1
Contributor
In response to jera

Created on ‎02-25-2024 11:44 PM

hello jera hope you doing well 
so after the sniffer test that i have done so fare , i notice that when i try to ping the other host in the other lan (10.0.0.2) from the host (192.168.1.2) and in the same time i write this cmd in the cli of the fw-a i have  these logs :sniffer 1.png

and also when i wrote the same cmd in the cli if the fw-b  i have these logs : 
sniffer 2.png

so when i try to ping the other host  from the 192.lan , the packet are resived on the port 3 interface and do not forwarded to the int of the tunel  

1649
0 Kudos
khalilbouzaiene1
Contributor
In response to khalilbouzaiene1

Created on ‎02-25-2024 11:51 PM

and also i have done other test 
i try to ping the other host from the fortigate lan interface (192.168.1.1) ,  so for this i wrote these cmd in fw-a cli 
execute ping-options source 192.168.1.1 
execute ping 10.0.0.2
and also in the other fortigate b i write this commande to sniffer the packet recived 
and i have these logs 
sniffer 3.png
so in my case i thing that there is no gateway issue 

1648
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.