I can get a dial-up VPN going and the IPsec policy works fine, but spoke-to-spoke traffic does not work when a concentrator is added.
Debug flow shows packets ingressing from spoke 1 and egressing to spoke 2. The problem is that return traffic from spoke 2 is never processed by the FortiGate. The flows show absolutely nothing.
The reverse path is also the same. Traffic from spoke 2 to spoke 1 is received at spoke 1, but the FortiGate does not process the return traffic from spoke 1.
I tried this out on 6.2.10 and the flow showed the traffic being dropped by policy 0. After moving to a different firewall running 7.0 I now get good policy matches, but no return traffic is processed.
Capturing packets on the underlay definitely shows return traffic making it to the FortiGate.
Hello aguerriero,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello
Did you already check the 'net-device' setting?
If not, it is explained in detail here:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-set-net-device-new-route-based-IPsec-logic...
regards
/ Abel
I am not using an IPsec interface. net-device is not an option.