I have two LAN networks: the first one is 192.168.1.0/24, and the second one is 10.0.0.0/24. Each LAN is directly connected to a FortiGate firewall. I have set up a site-to-site VPN using two FortiGate virtual machines running version 7.2.0. The VPN configuration was done using the wizard.
However, when I try to ping a host in the other subnet (for example, from 192.168.1.1 to 10.0.0.2), I don't receive any response. The ping requests seem to be unsuccessful.
I researched this issue and discovered that it might be related to the black hole route created by the VPN wizard template. If anyone has experienced this problem before, I would appreciate any suggestions or solutions for resolving it. If anyone has knowledge of how to fix this, please provide guidance.
Solved! Go to Solution.
@saneeshpv_FTNT @internet_contributer @jera @hbac @dbhavsar
I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done .the issue is not in the static route or in the policies , the issue was the fortigate it self , the version that i was working with it v7.2.0-build so when i change the version it work dirctly .
I would suggest you share below details from FW-A and FW-B
show firewall policy
show system interface
show router static
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
Regards
@saneeshpv_FTNT this the confifuration of FW-B
FW-B # show firewall policy
config firewall policy
edit 1
set name "vpn_FW-B to FW-A_local_0"
set uuid 591a6154-d6d8-51ee-b08a-b3df105aaca1
set srcintf "port3"
set dstintf "FW-B to FW-A"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
next
edit 2
set name "vpn_FW-B to FW-A_remote_0"
set uuid 5923b2cc-d6d8-51ee-485f-35ad224e9dbd
set srcintf "FW-B to FW-A"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
next
end
FW-B #
FW-B # show system interface
config system interface
edit "port1"
set vdom "root"
set ip 172.17.1.151 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 30.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set ip 10.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 3
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 4
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 5
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 6
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 8
next
edit "FW-B to FW-A"
set vdom "root"
set type tunnel
set snmp-index 9
set interface "port2"
next
end
FW-B #
FW-B # show router static
config router static
edit 1
set dst 192.168.1.0 255.255.255.0
set device "FW-B to FW-A"
set comment "VPN: FW-B to FW-A (Created by VPN wizard)"
next
edit 2
set distance 50
set comment "VPN: FW-B to FW-A (Created by VPN wizard)"
set blackhole enable
set dstaddr "FW-B to FW-A_remote"
next
end
FW-B #
FW-B # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FW-B to FW-A"
set interface "port2"
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 20.0.0.1
set psksecret ENC mI+yx3lLbhFfv+LD+7M7KSxMZLZ1Sbp+ziLAlFPzwq0ZbdRk/mquVlTyxB0O5dE5uoTwEKxR16PgiptwgbSGSlqKEIoKRhJ1j3BEFn85o4cih28T/yK9JWnlqummoCzDMrYIf9evtfnUYBo2gUW0PwnlNmDcUUqLQLsifNW74e0GbLc6MFa3HAOv8QaknZdXJxPjNw==
next
end
FW-B #
FW-B # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "FW-B to FW-A"
set phase1name "FW-B to FW-A"
set proposal des-md5 des-sha1
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "FW-B to FW-A_local"
set dst-name "FW-B to FW-A_remote"
next
end
@saneeshpv_FTNT and this the configuration of FW-A :
FW-A # show firewall policy
config firewall policy
edit 1
set name "vpn_FW-A to FW-B_local_0"
set uuid 2c653f58-d6d8-51ee-c8bb-ad3f5dcd31f9
set srcintf "port3"
set dstintf "FW-A to FW-B"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
next
edit 2
set name "vpn_FW-A to FW-B_remote_0"
set uuid 2c7f2490-d6d8-51ee-c6be-11bef9f2be6a
set srcintf "FW-A to FW-B"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
next
end
FW-A #
FW-A # show system interface
config system interface
edit "port1"
set vdom "root"
set ip 172.17.1.150 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 20.0.0.1 255.255.255.0
set allowaccess ping https ssh snmp
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 3
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 4
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 5
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 6
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 8
next
edit "FW-A to FW-B"
set vdom "root"
set allowaccess ping https ssh
set type tunnel
set snmp-index 9
set interface "port2"
next
end
FW-A #
FW-A # show router static
config router static
edit 1
set device "FW-A to FW-B"
set comment "VPN: FW-A to FW-B (Created by VPN wizard)"
set dstaddr "FW-A to FW-B_remote"
next
edit 2
set distance 50
set comment "VPN: FW-A to FW-B (Created by VPN wizard)"
set blackhole enable
set dstaddr "FW-A to FW-B_remote"
next
end
FW-A #
FW-A # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FW-A to FW-B"
set interface "port2"
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 30.0.0.1
set psksecret ENC OR14NoeOhFnXztao+TnaQlmDTE2ciQqTdTaBrCyXKCDqlywhByg4Kbh6deQR2+4qeZXeqZfks7p6oIMBXJJ93ldqWZ14nwek7fQBjdAfR2QrTjyO88gC9JjFJ71FCpJma5m9o1cNtY/mxK8cs2vG5EzK9Ewf6H9q/SlzRjAcHifOJPuNvcYAKqT2oAobMh06DD1ebw==
next
end
FW-A #
FW-A # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "FW-A to FW-B"
set phase1name "FW-A to FW-B"
set proposal des-md5 des-sha1
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "FW-A to FW-B_local"
set dst-name "FW-A to FW-B_remote"
next
end
Created on 02-29-2024 06:27 AM Edited on 02-29-2024 06:28 AM
up up @saneeshpv_FTNT @jera @hbac @dbhavsar help him
thanks bro
@saneeshpv_FTNT @internet_contributer @jera @hbac @dbhavsar
I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done .the issue is not in the static route or in the policies , the issue was the fortigate it self , the version that i was working with it v7.2.0-build so when i change the version it work dirctly .
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.