2m3r
New Contributor

Tunnel up but can't reach LAN behind FortiGate

Dears, after configuring a site-to-site VPN between a FortiGate 60D firewall and a Cisco router (site A: 10.0.0.0/24 behind the FortiGate; site B: 10.10.10.0/24 behind the Cisco router), the tunnel is up and I can ping 10.0.0.1 from site B and 10.10.10.1 from site A, but I can't ping any IP inside 10.0.0.0/24 from site B or the network 10.10.10.0/24 from site A. Any suggestions, please?
emnoc
Esteemed Contributor III

For starters: the configuration from the Cisco and the FortiGate, and diag debug flow diagnostics. Is this a route-based VPN or policy-based?

Show commands from the Cisco:

    show crypto isakmp sa
    show crypto ipsec sa

Diagnostic from the Cisco (packet tracer):

    packet-tracer input <nameif here> <tcp/icmp/udp pick one> <src-add> <src-port> <dst address> <dst port>

(port not an option for icmp btw)

For the FortiGate:

    diag vpn tunnel list    (phase2 SAs should match the Cisco show crypto ipsec sa)
    diag vpn ike status     (phase1 SA should match the Cisco show crypto isakmp sa output)

And finally, are you executing the ping from the FortiGate or from a machine on LAN A & B?

PCNSE NSE StrongSwan
2m3r
New Contributor

Thank you emnoc for your reply. The FortiGate configuration is:

    # show vpn ipsec phase1
    config vpn ipsec phase1
        edit "site2site"
            set interface "wan1"
            set keylife 86400
            set proposal aes128-sha256
            set remote-gw 6.x.x.x
            set psksecret ENC A3t/JwWnow5Og98L2qOVhGlzcCyTIrdDA2jY/tB8Ae6w/V+fzFyGiu+pZ/Cgd67xaJKkAwl+41yms
        next
    end

    # show vpn ipsec phase2
    config vpn ipsec phase2
        edit "site2sitev2"
            set keepalive enable
            set phase1name "site2site"
            set proposal aes128-sha256
            set replay disable
            set dst-subnet 10.10.10.0 255.255.255.0
            set keylifeseconds 86400
            set src-subnet 10.0.0.0 255.255.255.0
        next
    end

    # show firewall policy 5
    config firewall policy
        edit 5
            set srcintf "wan1"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set logtraffic disable
            set av-profile "default"
            set webfilter-profile "default"
            set spamfilter-profile "default"
            set ips-sensor "default"
            set application-list "default"
            set profile-protocol-options "default"
            set nat enable
        next
    end

The Cisco configuration is:

    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 5
    crypto isakmp key 6 key address 4.x.x.x no-xauth
    !
    !
    crypto ipsec transform-set myset esp-aes esp-sha256-hmac
    !
    crypto map kon-map 10 ipsec-isakmp
     set peer 4.x.x.x
     set transform-set myset
     set pfs group5
     match address 105
    ip nat inside source list 100 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 100 permit ip 192.168.16.0 0.0.0.255 any
    access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255

==============================

My Cisco router output is:

    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    6.x.x.x         4.x.x.x         QM_IDLE           2004 ACTIVE

    IPv6 Crypto ISAKMP SA

==============================

    #show crypto ipsec sa

    interface: Dialer1
        Crypto map tag: kon-map, local addr 6.x.x.x

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
       current_peer 4.x.x.x port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
        #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0

         local crypto endpt.: 6.x.x.x, remote crypto endpt.: 4.x.x.x
         path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
         current outbound spi: 0xCE9BAB47(3466308423)
         PFS (Y/N): Y, DH group: group5

         inbound esp sas:
          spi: 0xA6EAF22D(2800415277)
            transform: esp-aes esp-sha256-hmac ,
            in use settings ={Tunnel, }
            conn id: 1009, flow_id: SW:9, sibling_flags 80000046, crypto map: kon-map
            sa timing: remaining key lifetime (k/sec): (4529363/2902)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xCE9BAB47(3466308423)
            transform: esp-aes esp-sha256-hmac ,
            in use settings ={Tunnel, }
            conn id: 1010, flow_id: SW:10, sibling_flags 80000046, crypto map: kon-map
            sa timing: remaining key lifetime (k/sec): (4529363/2902)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

    interface: Virtual-Access1
        Crypto map tag: kon-map, local addr 0.0.0.0

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
       current_peer 4.x.x.x port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 0.0.0.0, remote crypto endpt.: 4.x.x.x
         path mtu 1492, ip mtu 1492, ip mtu idb Virtual-Access1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

===================================================

The FortiGate output is:

    # diag vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=site2site ver=1 serial=1 4.x.x.x:0->6.x.x.x:0 lgwy=static tun=tunnel mode=auto bound_if=5
    proxyid_num=1 child_num=0 refcnt=7 ilast=0 olast=0
    stat: rxp=11 txp=11 rxb=1164 txb=1020
    dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=1440
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=site2sitev2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
      src: 0:10.0.0.0/255.255.255.0:0
      dst: 0:10.10.10.0/255.255.255.0:0
      SA: ref=5 options=0000000d type=00 soft=0 mtu=1408 expire=1259 replaywin=0 seqno=2
      life: type=01 bytes=0/0 timeout=3548/3600
      dec: spi=ce9bab47 esp=aes key=16 0eee42e294225bc776d16faf15980acb
           ah=sha256 key=32 2cac8b9529db04758d75c15a80f2ad73c33e158df9342c3af57af9417777688b
      enc: spi=a6eaf22d esp=aes key=16 d3ebccccd38dcdcf7a25bc618b6762ea
           ah=sha256 key=32 a4ad4e7b9fc4a8edc29f5870552020c33c6252ec384ab51c85a8656a58d1327b
      npu_flag=03 npu_rgwy=62.114.252.42 npu_lgwy=41.33.196.90 npu_selid=0, dec:pkts/bytes=2/200, enc:pkts/bytes=11/1092
    ------------------------------------------------------
    name=forti-vpn ver=1 serial=2 4.x.x.x:0->0.0.0.0:0 lgwy=static tun=intf mode=dialup bound_if=5
    proxyid_num=0 child_num=0 refcnt=4 ilast=7773 olast=7773
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=active on=0 idle=5000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0

==========

    # diag vpn ike status
    connection: 1/2
    IKE SA: created 1/2  established 1/1  times 8640/8640/8640 ms
    IPsec SA: created 1/1  established 1/1  times 190/190/190 ms

==========================================

When I ping from the Cisco router to the LAN behind the FortiGate, I can ping only the internal interface of the FortiGate:

    #ping 10.0.0.1 source vlan1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 48/164/384 ms

    r#ping 10.0.0.100 source vlan1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1
    .....
    Success rate is 0 percent (0/5)
emnoc
Esteemed Contributor III

1st off; diag debug flow is your friend in this case, but really quick, here's my initial observation while I await my plane departure.

item#1: "set nat enable" - you don't need this enabled on this fwpolicy if it's the correct policy for the VPN.

item#2: This is a route-based VPN (based on the policy #5), so you should have a static route to the Cisco local LAN network installed on the FortiGate.

item#3 (this is a route for a route-based VPN):

    config router static
        edit 88   ( pick a number not used )
            set dst 10.10.10.0/24
            set device site2site   ( the tunnel interface, i.e. the phase1 name )
    end

item#4: Next, the fwpolicy #5 does not match any of the VPN interface configs, so it's unclear what you're doing. But what I think you need, based on the cfg you provided:

    config firewall address
        edit LAN_LOCAL
            set subnet 10.0.0.0/24
        next
        edit CISCO_LAN
            set subnet 10.10.10.0/24
    end

    config firewall policy
        edit 0
            set srcintf "site2site"
            set dstintf "internal"
            set dstaddr "LAN_LOCAL"
            set srcaddr "CISCO_LAN"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 0
            set srcintf "internal"
            set dstintf "site2site"
            set srcaddr "LAN_LOCAL"
            set dstaddr "CISCO_LAN"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

Once again, diag debug flow will show you which policies are matched (if any) and other diagnostics that give clues to the problems: implicit drop, RPF fails, access fails, deny by another policy, etc. You can reference my blog posting on basic diagnostics for Cisco, FortiGate and others here: http://socpuppet.blogspot.com/2013/03/flow-diagnostic-fortigate.html

2m3r
New Contributor

Sorry for the mistake, the right policy I used is:

    # show firewall policy 1
    config firewall policy
        edit 1
            set srcintf "lan"
            set dstintf "wan1"
            set srcaddr "hq-network"    (10.0.0.0/24)
            set dstaddr "kon-network"   (10.10.10.0/24)
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set outbound enable
            set vpntunnel "site2site"
        next
    end

I can ping the Cisco router 10.10.10.1 from the firewall but can't from a PC in the FortiGate LAN 10.0.0.0/24.
rwpatterson
Valued Contributor III

You really should stay away from policy-based tunneling. If you had defined this tunnel in interface mode, all networks behind the next hop could be assigned easily with static routing from the hub. You cannot get to remote subnets using policy-based routing (PBR).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

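The interface-mode (route-based) equivalent of the tunnel in this thread, written out as an added example rather than taken from any post above. It keeps the names and proposals the original poster used (site2site, site2sitev2, wan1, aes128-sha256, hq-network, kon-network, 10.0.0.0/24 and 10.10.10.0/24) and matches the Cisco configuration as posted (isakmp policy with group 5, set pfs group5 on the crypto map, ACL 105 as interesting traffic, ACL 100 exempting the VPN traffic from NAT), which needs no change. Assumptions: FortiOS 5.x CLI syntax on the 60D, "internal" as the LAN interface name (the poster's policy called it "lan"), the 3600 s phase 2 lifetime taken from the SA outputs above, and the blackhole route, which is a hardening addition and not something anyone in the thread proposed.

```text
# Phase 1 as a tunnel interface: this creates an interface named "site2site" bound to wan1.
# dhgrp 5 matches "crypto isakmp policy 10 ... group 5" on the Cisco.
config vpn ipsec phase1-interface
    edit "site2site"
        set interface "wan1"
        set keylife 86400
        set proposal aes128-sha256
        set dhgrp 5
        set remote-gw 6.x.x.x
        set psksecret <the same PSK as in "crypto isakmp key ... address 4.x.x.x">
    next
end

# Phase 2 selectors mirror Cisco ACL 105 (10.10.10.0/24 <-> 10.0.0.0/24).
# pfs + dhgrp 5 matches "set pfs group5"; 3600 s is the lifetime both SA outputs above show.
config vpn ipsec phase2-interface
    edit "site2sitev2"
        set phase1name "site2site"
        set proposal aes128-sha256
        set pfs enable
        set dhgrp 5
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

# Route the remote LAN into the tunnel interface (the phase1-interface name, not the phase2 name).
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "site2site"
    next
    # Assumed addition: a blackhole route at distance 254 so that packets for the remote LAN
    # are dropped, not sent in the clear out wan1 via the default route, while the tunnel is down.
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

config firewall address
    edit "hq-network"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "kon-network"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Two plain accept policies on the tunnel interface: no "action ipsec", no NAT.
# "internal" is assumed to be the LAN interface name on this unit.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "site2site"
        set srcaddr "hq-network"
        set dstaddr "kon-network"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set srcintf "site2site"
        set dstintf "internal"
        set srcaddr "kon-network"
        set dstaddr "hq-network"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The policy-based phase1/phase2 entries and policy 1 (action ipsec) posted earlier must be removed first, since a phase1 name can exist in only one of the two tables. After the change, diag vpn tunnel list should show tun=intf for site2site, and get router info routing-table all should list 10.10.10.0/24 via the site2site interface while the tunnel is up.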
2m3r

So can you post me the configuration for the Cisco router and the FortiGate to make this VPN work fine?
2m3r
New Contributor

Thank you very much rwpatterson for your reply, I appreciate that. I changed the FortiGate tunnel to interface mode and it is working fine. But I noticed some devices on both sides can't ping or reach each other, and the VPN is too slow, whereas my ADSL connection is 6 Mbps. Did I miss something?
emnoc
Esteemed Contributor III

The diag debug flow is your friend. Also ensure ping is operational on the target(s). Oh, since you mention slow and ADSL, the uplink will not be symmetrical; what's the bandwidth usage and utilization over both ISP uplinks when you are testing? What's your uplink bandwidth (384/512/1544/3048 kbps??)?

2m3r
New Contributor

Thanks emnoc. No output from the diag debug flow command.
- Site A has a leased line with 6 Mbps (upload = 768 kbyte, download = 768 kbyte).
- Site B has an ADSL connection of 4 Mbps (upload = 128 kbyte, download = 512 kbyte).
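The complete FortiOS command sequence behind the "diag debug flow" advice given twice above, as an added example (not from any post in the thread). It assumes FortiOS 5.x CLI syntax on the 60D and uses 10.0.0.100, the host that did not answer in the ping test posted earlier, as the filter. Nothing is printed until both diag debug enable and the trace start command have been entered, so a trace with no output usually means one of those steps was skipped or the filter does not match the test traffic. (packet-tracer, mentioned in the first reply, is an ASA command; an IOS router has no equivalent, so the show crypto ipsec sa counters and the ping tests already posted are the Cisco-side checks.)

```text
# Clear any stale filter, then match only traffic to or from the host under test.
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.0.100
# Optional narrowing to ICMP (protocol 1) so other traffic does not flood the trace.
diagnose debug flow filter proto 1

# Show the kernel function name on each trace line and enable debug output.
# "show console enable" is needed on FortiOS 5.0/5.2 and was removed in later versions.
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug enable

# Trace the next 100 matching packets, then run the ping from the Cisco side
# (ping 10.0.0.100 source vlan1) or from a PC on 10.10.10.0/24.
diagnose debug flow trace start 100

# When done, stop the trace and switch debugging off again.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```

In the trace, a line containing "reverse path check fail" points at a missing or wrong route for the source network, and "Denied by forward policy check" or "iprope_in_check() check failed" at a policy that did not match; the "allocate a new session" and "find a route" lines before them show which interface and policy the packet was evaluated against. Both this trace and the diag vpn tunnel list output posted earlier contain material to redact before sharing: the tunnel listing prints the live ESP encryption and authentication keys and the real gateway addresses (npu_rgwy/npu_lgwy), not just the 4.x.x.x/6.x.x.x placeholders.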