- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 620B Gateway to Gateway
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 12-13-2011 04:17 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 620B Gateway to Gateway
Hi Guys
We are working at a Remote Branch and are trying to get our site to site vpn up and running. I have used the IPSEC VPN Guide handbook v3 for research/reference.
We have 2* Fortigate 620b and have established the phase 1 and phase 2 the link comes up and turns green and on the face of it all seems well (can see traffic in the counter)but traffic from Site A never reaches Site B even though the traffic log shows it as allowed.
I thought there was a issue with the routes but im getting confused to wheather i should be using a static route if im using Policy Based VPN? Anyway i tried without the route but the problem still persists.
What i have observed.
From Site A cant ping Site B devices
Front Site A cant tracert to Site B devices
I can see the trace going to the internal interface on our Site A LAN however it just seems to time out.
In traffic log it shows as allowed.
From Site B can ping DC at Site A
From Site B can traceroute from Fortigate CLI to DC at Site A (appears as 1hop)
We have our IPSEC policies at sequence 1 in the firewall policy.
Addresses from remote network ranges exist in both Fortigate Units.
Not tried to debug yet but i presume that might be the next step?
Thanks in advance.
Forgot to mention using FortiOS 4 v4.0,build0291,100824 (MR2 Patch 2)
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
and welcome to the forums.
The config you' ve given is too vague to judge upon. From the snippets I deduct:
- why in the world do you use policy mode IPsec VPNs? I can' t see why this would be mandatory in your case, and route/interface based VPN is way easier to understand and configure. PB VPN is considered ' legacy' and FortiOS specific.
- if you don' t even post any one line of your config, like VPN phase1 and phase2, QMs, and the corresponding policies, we can only resort to mind reading. Hmm, no reception today.
- have you read on the VPN examples in the FortiOS Handbook? if you follow these basic examples it should work within minutes. Get it from docs.fortinet.com
Come back with more infos and we' ll do our best.
Aside: I always wonder how one can buy 5-figure equipment and NOT have a trained person set up the initial configuration. If it' s straightforward, it won' t cost much. If it' s complicated you get the job done in a few hours (that is percent of the system' s cost). And you will learn a lot as well.
Sorry, today is my rant-day, must be the weather.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Not applicable
Created on 12-14-2011 12:28 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agreed the weather is poor here also.
Sorry for not posting the config/policies i will try the route based VPN method from the handbook.
Good comment about the expensive firewall and lack of proper knowledge on-site to implement the deployment. I have queried this also. Unfortunately i have no control over the budgets.
Thanks once again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to update you i have now figured out the Route based vpn policy.
Everything is now working and my DC are now back online.
Thanks for the tip about route based vpn being easier.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' m glad that you' ve got it running in time. Documentation is really good on the Fortigates, with primarily the FortiOS Handbook and recently, the Cookbook. They try to give working examples of the top-most deployment scenarios to get their customers started easily.
As to the budgets, I know what you mean. One day you get two fat appliances dumped on your table with a remark " you' re IT, so you can run it" . To cut the implementation by the vendor is cheaper but it costs.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your salaried time is already budgeted. They will waste it all year long.....
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Related Posts
- STATIC Public IP /32 51 Views
- Duplicate a working Cisco Router config... 678 Views
- WAN DNS 234 Views
- Internet data not passing from firewall 153 Views
- NO internet connection when using static... 1140 Views
Labels
-
FortiGate
6,608 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
339 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
103 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
26 -
SD-WAN
26 -
FortiConnect
24 -
High Availability
22 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.