Hello all, Please note that this is the first time I'm working on
Fortinet equipment so my questions might be noob-ish, but here goes. I'm
trying to set up a simple site-to-site route-based IKEv2 IPsec tunnel
between a vSRX and a Fortigate. See attac...
emnoc wrote: msg="iprope_in_check() check failed on policy 1, drop"
that's due to icmp and no relevant proto=1,
192.168.10.1:46084->2.2.2.2:2048 Ken Felix
FortiGate-VM64-KVM # show firewall policy
config firewall policy
edit 1
set name "test"
set uuid...
toshiesumi wrote: I think the problem is still on the SRX side since
pinging 1.1.1.1 from FGT side goes in the tunnel (because you configured
"remote-ip" properly on the tu1 interface). You should see the /32 route
into the tu1 if you do "get router in...
emnoc wrote: I remember SRX didn't let PCAP run on a tunnel interface in
the past. It might have changed by now though. Yes, you can packet
capture; in fact, he should do that on both sides of the tunnel. Also I
would use a common subnet in the FortiOS<>...
The packets are being sent by the SRX. However, they are being denied on
the Fortinet. Which is strange, considering I already made an allow-all
policy.
FortiGate-VM64-KVM # id=20085 trace_id=17 func=print_pkt_detail
line=5363 msg="vd-root received a...
Also, as I've said, the FGT can ping 1.1.1.1 (the SRX st0.0 IP address)
and its 2.2.2.2 tu1 interface address. The SRX cannot reach the 2.2.2.2
even though it has a route to it.
FortiGate-VM64-KVM # execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data...