ipsec vpn blackhole issue: i can't ping the other subnet throw the ipsec tunel

khalilbouzaiene1 · ‎02-23-2024

I have two LAN networks: the first one is 192.168.1.0/24, and the second one is 10.0.0.0/24. Each LAN is directly connected to a FortiGate firewall. I have set up a site-to-site VPN using two FortiGate virtual machines running version 7.2.0. The VPN configuration was done using the wizard.

However, when I try to ping a host in the other subnet (for example, from 192.168.1.1 to 10.0.0.2), I don't receive any response. The ping requests seem to be unsuccessful.

I researched this issue and discovered that it might be related to the black hole route created by the VPN wizard template. If anyone has experienced this problem before, I would appreciate any suggestions or solutions for resolving it. If anyone has knowledge of how to fix this, please provide guidance.

khalilbouzaiene1 · ‎02-29-2024

@saneeshpv_FTNT @internet_contributer @jera @hbac @dbhavsar

I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done .the issue is not in the static route or in the policies , the issue was the fortigate it self , the version that i was working with it v7.2.0-build so when i change the version it work dirctly .

View solution in original post

jera · ‎02-23-2024

Hi @khalilbouzaiene1 ,

Setup:

192.168.1.0/24 <> FW1 <IPSEC> FW2 <> (10.0.0.0/24)

Good day! The first thing you need to check is the availability of routes going to your remote LAN (10.0.0.0/24) from your FW1. This network should be learned from your IPSEC interface.

If you are learning the 10.0.0.0/24 from your wan/other interface, make sure to configure the route via IPSEC with a lower administrative distance.

config router static
    edit <id>
        set dst 10.0.0.0/24
        set distance <value>
        set device "to_IPSEC"
    next
end

You should do the same route verification in FW2. The 192.168.1.0/24 must be learned from your IPSEC interface. You can double check your IPSEC configuration using this guide:

https://docs.fortinet.com/document/fortigate/7.2.7/administration-guide/913287/basic-site-to-site-vp...

IPSEC Troubleshooting Guide: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...

JE

khalilbouzaiene1 · ‎02-23-2024

in my case juste i have created the vpn tunel with the wizard template and no thnig else
this the topology of my network

and the static rules created by the wizard template are here
FW-A

and also in the other fortigate : FW-B

do i need to add that configuration so that the ping will be successfull ?!!!

Rajneesh · ‎02-23-2024

Hello @khalilbouzaiene1

You can run the sniffer on one of the FGT to check if he is sending the traffic out or not :

diagnose sniffer packet any 'host <source IP of user behind FGT> and icmp 4 0 l

Same you can tun on the other FGT to check if that device is also receiving packets or not.

khalilbouzaiene1 · ‎02-23-2024

no thing yet guys no one of these preposition is the solution
and the packet they can't reatch the fortigate vpn interface when i try to sniffing the packet on my vpn interface

saneeshpv_FTNT · ‎02-23-2024

@khalilbouzaiene1

You can make this tunnel to a Custom tunnel and then remove the Gateway configuration from the Static routes at each side which is incorrect.

Once that is done you will be able to ping.

Best Regards

khalilbouzaiene1 · ‎02-23-2024

hi
i have tryed also to do a custom tunel , it have been estableched and it bring up but also i can't ping the host in the other lan

when i ping from the lan interface which directly connectted to the fortigate to the other lan interface which also connected to the other foertigate , (192.168.1.1 --> 10.0.0.1 )it work but when i try to ping the host no thing (192.168.1.2 ---> 10.0.0.2 )

jera · ‎02-23-2024

Hello @khalilbouzaiene1 ,

It's a great progress. If you are able to ping from local LAN gateway to remote LAN gateway (vise versa) , it means the tunnel is now working.

If the ping source is your server and can't reach the remote LAN Server. You can do another sniffer trace using only the remote IP as host to check if you have a two way traffic.

If no logs generated on sniffer trace, it's possible that your server do not have the proper default gateway. If you see in/out traffic on sniffer it means that ICMP is blocked from your servers.

JE

khalilbouzaiene1 · ‎02-25-2024

hello jera hope you doing well
so after the sniffer test that i have done so fare , i notice that when i try to ping the other host in the other lan (10.0.0.2) from the host (192.168.1.2) and in the same time i write this cmd in the cli of the fw-a i have these logs :

and also when i wrote the same cmd in the cli if the fw-b i have these logs :

so when i try to ping the other host from the 192.lan , the packet are resived on the port 3 interface and do not forwarded to the int of the tunel

khalilbouzaiene1 · ‎02-25-2024

and also i have done other test
i try to ping the other host from the fortigate lan interface (192.168.1.1) , so for this i wrote these cmd in fw-a cli
execute ping-options source 192.168.1.1
execute ping 10.0.0.2
and also in the other fortigate b i write this commande to sniffer the packet recived
and i have these logs

so in my case i thing that there is no gateway issue