- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: ipsec vpn blackhole issue: i can't ping the ot...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ipsec vpn blackhole issue: i can't ping the other subnet throw the ipsec tunel
I have two LAN networks: the first one is 192.168.1.0/24, and the second one is 10.0.0.0/24. Each LAN is directly connected to a FortiGate firewall. I have set up a site-to-site VPN using two FortiGate virtual machines running version 7.2.0. The VPN configuration was done using the wizard.
However, when I try to ping a host in the other subnet (for example, from 192.168.1.1 to 10.0.0.2), I don't receive any response. The ping requests seem to be unsuccessful.
I researched this issue and discovered that it might be related to the black hole route created by the VPN wizard template. If anyone has experienced this problem before, I would appreciate any suggestions or solutions for resolving it. If anyone has knowledge of how to fix this, please provide guidance.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@saneeshpv_FTNT @internet_contributer @jera @hbac @dbhavsar
I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done .the issue is not in the static route or in the policies , the issue was the fortigate it self , the version that i was working with it v7.2.0-build so when i change the version it work dirctly .
- « Previous
- Next »
35 REPLIES 35
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest you share below details from FW-A and FW-B
show firewall policy
show system interface
show router static
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@saneeshpv_FTNT this the confifuration of FW-B
FW-B # show firewall policy
config firewall policy
edit 1
set name "vpn_FW-B to FW-A_local_0"
set uuid 591a6154-d6d8-51ee-b08a-b3df105aaca1
set srcintf "port3"
set dstintf "FW-B to FW-A"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
next
edit 2
set name "vpn_FW-B to FW-A_remote_0"
set uuid 5923b2cc-d6d8-51ee-485f-35ad224e9dbd
set srcintf "FW-B to FW-A"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
next
end
FW-B #
FW-B # show system interface
config system interface
edit "port1"
set vdom "root"
set ip 172.17.1.151 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 30.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set ip 10.0.0.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 3
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 4
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 5
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 6
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 8
next
edit "FW-B to FW-A"
set vdom "root"
set type tunnel
set snmp-index 9
set interface "port2"
next
end
FW-B #
FW-B # show router static
config router static
edit 1
set dst 192.168.1.0 255.255.255.0
set device "FW-B to FW-A"
set comment "VPN: FW-B to FW-A (Created by VPN wizard)"
next
edit 2
set distance 50
set comment "VPN: FW-B to FW-A (Created by VPN wizard)"
set blackhole enable
set dstaddr "FW-B to FW-A_remote"
next
end
FW-B #
FW-B # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FW-B to FW-A"
set interface "port2"
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 20.0.0.1
set psksecret ENC mI+yx3lLbhFfv+LD+7M7KSxMZLZ1Sbp+ziLAlFPzwq0ZbdRk/mquVlTyxB0O5dE5uoTwEKxR16PgiptwgbSGSlqKEIoKRhJ1j3BEFn85o4cih28T/yK9JWnlqummoCzDMrYIf9evtfnUYBo2gUW0PwnlNmDcUUqLQLsifNW74e0GbLc6MFa3HAOv8QaknZdXJxPjNw==
next
end
FW-B #
FW-B # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "FW-B to FW-A"
set phase1name "FW-B to FW-A"
set proposal des-md5 des-sha1
set comments "VPN: FW-B to FW-A (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "FW-B to FW-A_local"
set dst-name "FW-B to FW-A_remote"
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@saneeshpv_FTNT and this the configuration of FW-A :
FW-A # show firewall policy
config firewall policy
edit 1
set name "vpn_FW-A to FW-B_local_0"
set uuid 2c653f58-d6d8-51ee-c8bb-ad3f5dcd31f9
set srcintf "port3"
set dstintf "FW-A to FW-B"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
next
edit 2
set name "vpn_FW-A to FW-B_remote_0"
set uuid 2c7f2490-d6d8-51ee-c6be-11bef9f2be6a
set srcintf "FW-A to FW-B"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
next
end
FW-A #
FW-A # show system interface
config system interface
edit "port1"
set vdom "root"
set ip 172.17.1.150 255.255.255.0
set allowaccess ping https ssh snmp http
set type physical
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 20.0.0.1 255.255.255.0
set allowaccess ping https ssh snmp
set type physical
set snmp-index 2
next
edit "port3"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 3
next
edit "port4"
set vdom "root"
set type physical
set snmp-index 4
next
edit "naf.root"
set vdom "root"
set type tunnel
set src-check disable
set snmp-index 5
next
edit "l2t.root"
set vdom "root"
set type tunnel
set snmp-index 6
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set lldp-reception enable
set lldp-transmission enable
set snmp-index 8
next
edit "FW-A to FW-B"
set vdom "root"
set allowaccess ping https ssh
set type tunnel
set snmp-index 9
set interface "port2"
next
end
FW-A #
FW-A # show router static
config router static
edit 1
set device "FW-A to FW-B"
set comment "VPN: FW-A to FW-B (Created by VPN wizard)"
set dstaddr "FW-A to FW-B_remote"
next
edit 2
set distance 50
set comment "VPN: FW-A to FW-B (Created by VPN wizard)"
set blackhole enable
set dstaddr "FW-A to FW-B_remote"
next
end
FW-A #
FW-A # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "FW-A to FW-B"
set interface "port2"
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 30.0.0.1
set psksecret ENC OR14NoeOhFnXztao+TnaQlmDTE2ciQqTdTaBrCyXKCDqlywhByg4Kbh6deQR2+4qeZXeqZfks7p6oIMBXJJ93ldqWZ14nwek7fQBjdAfR2QrTjyO88gC9JjFJ71FCpJma5m9o1cNtY/mxK8cs2vG5EzK9Ewf6H9q/SlzRjAcHifOJPuNvcYAKqT2oAobMh06DD1ebw==
next
end
FW-A #
FW-A # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "FW-A to FW-B"
set phase1name "FW-A to FW-B"
set proposal des-md5 des-sha1
set comments "VPN: FW-A to FW-B (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "FW-A to FW-B_local"
set dst-name "FW-A to FW-B_remote"
next
end
Created on 02-29-2024 06:27 AM Edited on 02-29-2024 06:28 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
up up @saneeshpv_FTNT @jera @hbac @dbhavsar help him
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks bro
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@saneeshpv_FTNT @internet_contributer @jera @hbac @dbhavsar
I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done .the issue is not in the static route or in the policies , the issue was the fortigate it self , the version that i was working with it v7.2.0-build so when i change the version it work dirctly .
- « Previous
- Next »
Related Posts
- ipsec vpn blackhole issue: i can't... 3015 Views
- ospf multiple process in vdom 1278 Views
- How to block specific subnet not... 504 Views
- Blocking Bogons 3679 Views
- IPsec/SSL VPN no connection to OSPF... 972 Views
Labels
-
FortiGate
6,655 -
FortiClient
1,327 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.