I have two fortigate 60F which connected via ipsec (HQ office and branch office)
I need to allow users from branch office to connect to HQ's web server.
currently i can ping from HQ to branch office users, but not able from branch to HQ's office.
I am new to fortigate configuration, guys can u help me what i need to configure?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
resolved, on branch side the IPSec vpn settings was wrong (Wrong interface)
Hi @Umirzak ,
Is PING allowed on HQ office? Sometime it has something to do with the Windows Firewall so it is worth checking. You may refer to the following article:
just tried to debug from fortigate on branch office
tengizfg # dia deb flow filter addr 192.168.50.99 (this is HQ's Fortifate)
tengizfg # dia deb flow filter proto 1
tengizfg # dia deb flow trace start 100
tengizfg # dia deb en
tengizfg #
tengizfg # id=65308 trace_id=92 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Teng
izlan. type=8, code=0, id=1, seq=96."
id=65308 trace_id=92 func=init_ip_session_common line=6009 msg="allocate a new session-00248759, tun_id=0.0.0.0"
id=65308 trace_id=92 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=92 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=92 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=93 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type
=8, code=0, id=1, seq=97."
id=65308 trace_id=93 func=init_ip_session_common line=6009 msg="allocate a new session-002487fa, tun_id=0.0.0.0"
id=65308 trace_id=93 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=93 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=93 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=94 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type
=8, code=0, id=1, seq=98."
id=65308 trace_id=94 func=init_ip_session_common line=6009 msg="allocate a new session-0024887c, tun_id=0.0.0.0"
id=65308 trace_id=94 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=94 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=94 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=95 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type
=8, code=0, id=1, seq=99."
id=65308 trace_id=95 func=init_ip_session_common line=6009 msg="allocate a new session-002488cd, tun_id=0.0.0.0"
id=65308 trace_id=95 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=95 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=95 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=96 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type
=8, code=0, id=1, seq=100."
id=65308 trace_id=96 func=init_ip_session_common line=6009 msg="allocate a new session-00248927, tun_id=0.0.0.0"
id=65308 trace_id=96 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=96 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=96 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=97 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type
=8, code=0, id=1, seq=101."
id=65308 trace_id=97 func=init_ip_session_common line=6009 msg="allocate a new session-002489a1, tun_id=0.0.0.0"
id=65308 trace_id=97 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=97 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=97 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=98 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type
=8, code=0, id=1, seq=102."
id=65308 trace_id=98 func=init_ip_session_common line=6009 msg="allocate a new session-00248a1a, tun_id=0.0.0.0"
id=65308 trace_id=98 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=98 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=98 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
Hello,
I would recommend to check whether IPsec phase2 subnets are configured correctly and whether firewall policies are configured on both sides.
You may consider to sniff the traffic and collect debug flow in order to isolate the issue while the issue is reproduced:
Sniffer:
diagnose sniffer packet any 'host <destination IP address>' 4 0 a
Debug flow:
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
this is extract from my HQs fortigate, tried to perform same commands on brancha fortigate it gives me nothing
uzkfghq # diagnose sniffer packet any host 192.168.1.150 4 0 a
interfaces=[any]
filters=[host]
pcap_snapshot: snaplen raised from 0 to 262144
pcap_compile: can't parse filter expression: syntax error
uzkfghq # diagnose debug flow filter daddr 192.168.1.150
uzkfghq # diagnose debug flow show function-name enable
show function name
uzkfghq # diagnose debug flow trace start 100
uzkfghq # diagnose debug enable
uzkfghq # id=65308 trace_id=12 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.197:49572->192.168.1.150:3389) tun_id=0.0.0.0 from
internal. flag [.], seq 2231500958, ack 1035991134, win 511"
id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0877472b, original direction"
id=65308 trace_id=12 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=12 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=12 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=12 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=12 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=13 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=17, 192.168.50.197:63315->192.168.1.150:3389) tun_id=0.0.0.0 from internal.
"
id=65308 trace_id=13 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-08774731, original direction"
id=65308 trace_id=13 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=13 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=13 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=13 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=13 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=14 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.197:49572->192.168.1.150:3389) tun_id=0.0.0.0 from internal.
flag [.], seq 2231500958, ack 1035991235, win 511"
id=65308 trace_id=14 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0877472b, original direction"
id=65308 trace_id=14 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=14 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=14 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=14 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=14 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=15 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.197:49572->192.168.1.150:3389) tun_id=0.0.0.0 from internal.
flag [.], seq 2231500958, ack 1035991336, win 510"
finally i need to open port 80, 443 from remote fortigate.
Hello,
There is a typo in the sniffer. Correct syntax: "diagnose sniffer packet any 'host 192.168.1.150' 4 0 a"
As far as I understand the issue is resolved. If it is correct, please tag the thread as resolved.
ok see below
uzkfghq # diagnose sniffer packet any 'host 192.168.1.150' 4 0 a
interfaces=[any]
filters=[host 192.168.1.150]
2024-06-19 07:50:40.786918 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:42.802375 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:44.802757 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:46.806683 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:48.827926 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:50.828242 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:52.828429 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:54.828418 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:56.828813 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:58.829033 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:51:00.829253 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: rst 1518787425 ack 2164524931
no still unable to reach host from remote FG to HQ FG.
same command tried from remote FG
tengizfg # interfaces=[any]
Unknown action 0
tengizfg # filters=[host 192.168.1.150]
Unknown action 0
tengizfg # 2024-06-19 07:50:40.786918 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:42.802375 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:44.802757 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:46.806683 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:48.827926 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:50.828242 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:52.828429 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:54.828418 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:56.828813 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:50:58.829033 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0
tengizfg # 2024-06-19 07:51:00.829253 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: rst 1518787425 ack 2164524931
Hello,
I can see that the packet is received "Tengiz-HQ in", however packet is not forwarded. I would recommend to check debug flow output using port 445 as a filter.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.