IPsec VPN blackhole issue: I can't ping the other subnet through the IPsec tunnel
I have two LAN networks: the first one is 192.168.1.0/24, and the second one is 10.0.0.0/24. Each LAN is directly connected to a FortiGate firewall. I have set up a site-to-site VPN using two FortiGate virtual machines running version 7.2.0. The VPN configuration was done using the wizard.
However, when I try to ping a host in the other subnet (for example, from 192.168.1.1 to 10.0.0.2), I don't receive any response; the ping requests are unsuccessful.
I researched this issue and discovered that it might be related to the blackhole route created by the VPN wizard template. If anyone has experienced this problem before, I would appreciate any suggestions or solutions for resolving it.
@saneeshpv_FTNT @internet_contributer @jera @hbac @dbhavsar
I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've made many requests, but when it comes to work, it's important to get things done. The issue was not in the static route or in the policies; the issue was the FortiGate itself. The version I was working with was v7.2.0-build, so when I changed the version it worked directly.
I would suggest you share the output of the following commands from both FW-A and FW-B:
show firewall policy
show system interface
show router static
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
Regards
@saneeshpv_FTNT this is the configuration of FW-B:
FW-B # show firewall policy
config firewall policy
edit 1
set name "vpn_FW-B to FW-A_local_0"
set uuid 591a6154-d6d8-51ee-b08a-b3df105aaca1
set srcintf "port3"
set dstintf "FW-B to FW-A"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
next
edit 2
set name "vpn_FW-B to FW-A_remote_0"
set uuid 5923b2cc-d6d8-51ee-485f-35ad224e9dbd
set srcintf "FW-B to FW-A"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
next
end
FW-B #
FW-B # show system interface
config system interface
edit "port1"
set vdom "root"
set ip 172.17.1.151 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 30.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set ip 10.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 3
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 4
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 5
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 6
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 8
next
edit "FW-B to FW-A"
set vdom "root"
set type tunnel
set snmp-index 9
set interface "port2"
next
end
FW-B #
FW-B # show router static
config router static
edit 1
set dst 192.168.1.0 255.255.255.0
set device "FW-B to FW-A"
set comment "VPN: FW-B to FW-A (Created by VPN wizard)"
next
edit 2
set distance 50
set comment "VPN: FW-B to FW-A (Created by VPN wizard)"
set blackhole enable
set dstaddr "FW-B to FW-A_remote"
next
end
FW-B #
FW-B # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FW-B to FW-A"
set interface "port2"
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 20.0.0.1
set psksecret ENC mI+yx3lLbhFfv+LD+7M7KSxMZLZ1Sbp+ziLAlFPzwq0ZbdRk/mquVlTyxB0O5dE5uoTwEKxR16PgiptwgbSGSlqKEIoKRhJ1j3BEFn85o4cih28T/yK9JWnlqummoCzDMrYIf9evtfnUYBo2gUW0PwnlNmDcUUqLQLsifNW74e0GbLc6MFa3HAOv8QaknZdXJxPjNw==
next
end
FW-B #
FW-B # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "FW-B to FW-A"
set phase1name "FW-B to FW-A"
set proposal des-md5 des-sha1
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "FW-B to FW-A_local"
set dst-name "FW-B to FW-A_remote"
next
end
@saneeshpv_FTNT and this is the configuration of FW-A:
FW-A # show firewall policy
config firewall policy
edit 1
set name "vpn_FW-A to FW-B_local_0"
set uuid 2c653f58-d6d8-51ee-c8bb-ad3f5dcd31f9
set srcintf "port3"
set dstintf "FW-A to FW-B"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
next
edit 2
set name "vpn_FW-A to FW-B_remote_0"
set uuid 2c7f2490-d6d8-51ee-c6be-11bef9f2be6a
set srcintf "FW-A to FW-B"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
next
end
FW-A #
FW-A # show system interface
config system interface
edit "port1"
set vdom "root"
set ip 172.17.1.150 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 20.0.0.1 255.255.255.0
set allowaccess ping https ssh snmp
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 3
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 4
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 5
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 6
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 8
next
edit "FW-A to FW-B"
set vdom "root"
set allowaccess ping https ssh
set type tunnel
set snmp-index 9
set interface "port2"
next
end
FW-A #
FW-A # show router static
config router static
edit 1
set device "FW-A to FW-B"
set comment "VPN: FW-A to FW-B (Created by VPN wizard)"
set dstaddr "FW-A to FW-B_remote"
next
edit 2
set distance 50
set comment "VPN: FW-A to FW-B (Created by VPN wizard)"
set blackhole enable
set dstaddr "FW-A to FW-B_remote"
next
end
FW-A #
FW-A # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FW-A to FW-B"
set interface "port2"
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 30.0.0.1
set psksecret ENC OR14NoeOhFnXztao+TnaQlmDTE2ciQqTdTaBrCyXKCDqlywhByg4Kbh6deQR2+4qeZXeqZfks7p6oIMBXJJ93ldqWZ14nwek7fQBjdAfR2QrTjyO88gC9JjFJ71FCpJma5m9o1cNtY/mxK8cs2vG5EzK9Ewf6H9q/SlzRjAcHifOJPuNvcYAKqT2oAobMh06DD1ebw==
next
end
FW-A #
FW-A # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "FW-A to FW-B"
set phase1name "FW-A to FW-B"
set proposal des-md5 des-sha1
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "FW-A to FW-B_local"
set dst-name "FW-A to FW-B_remote"
next
end
Created on 02-29-2024 06:27 AM Edited on 02-29-2024 06:28 AM
up up @saneeshpv_FTNT @jera @hbac @dbhavsar help him
thanks bro
@saneeshpv_FTNT @internet_contributer @jera @hbac @dbhavsar
I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've made many requests, but when it comes to work, it's important to get things done. The issue was not in the static route or in the policies; the issue was the FortiGate itself. The version I was working with was v7.2.0-build, so when I changed the version it worked directly.