Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mateusz28
New Contributor

IPsec connection between Teltonika RUT 955 and FortiGate 40F

Hi,

I have a problem connecting two routers using an IPsec tunnel.

On one side (behind the Teltonika router) I have a LAN with IP 10.1.0.0/24 (Network A).

Behind the FortiGate I have a LAN with IP 10.1.1.0/24 (Network B). (FortiGate LAN IPv4 address: 10.1.1.1)

My tunnel comes up, but I don't have access from Network A to Network B or the other way round.

IPsec tunnel configuration in Teltonika:

[screenshot: telto.png]

IPsec tunnel configuration in FortiGate:

[screenshots: for1.png, forti2.png]

Both routers have a fixed IPv4 address (WAN address). My purpose is to have full access from one computer in Network B to all of Network A and vice versa.

 

hbac
Staff

Hi @Mateusz28,

 

Do you have firewall policies to allow the traffic? You can run debug flow to see if the traffic is being dropped by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards, 

Mateusz28
New Contributor

Yes, I've allowed all traffic with every protocol between the devices.

mle2802
Staff

Can you run the following commands while you ping network B from A, to see if the traffic is allowed and routed correctly on the FortiGate:

diag debug reset
diag debug flow filter addr X.X.X.X (computer IP where you ping from)
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999

Regards,
Minh
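The trace that the commands above produce is read per trace_id: a "received a packet" line, a route lookup, then either an "Allowed by Policy-N" or a "Denied by forward policy check (policy 0)" verdict (policy 0 is the FortiOS implicit deny, i.e. no policy matched the interface pair and addresses). The script below is an added example, not code from the thread or from Fortinet: it groups constructed sample lines written in the shape of that trace (interface and policy numbers are assumptions) and reduces each trace to a one-line diagnosis.

```python
import re
from collections import OrderedDict

# Constructed sample output in the shape of 'diag debug flow' trace lines
# (interface and policy names are assumptions, not taken from the thread).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.1.1.10:1->10.1.0.10:2048) from lan. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-00000a1b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-0.0.0.0 via tunnelA"
id=20085 trace_id=1 func=fw_forward_handler line=796 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.1.1.10:1->10.1.0.10:2048) from lan. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5794 msg="allocate a new session-00000a1c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-0.0.0.0 via tunnelA"
id=20085 trace_id=2 func=fw_forward_handler line=796 msg="Allowed by Policy-3:"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=789 msg="enter IPSec interface tunnelA, tun_id=0.0.0.0"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.1.0.10:1->10.1.1.10:0) from tunnelA. type=0, code=0, id=1, seq=2."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5719 msg="Find an existing session, id-00000a1c, reply direction"
"""

LINE_RE = re.compile(r'trace_id=(\d+) .*?msg="([^"]*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
SESSION_RE = re.compile(r'Find an existing session, id-(\w+), (\w+) direction')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def summarize_trace(text):
    """Group trace lines by trace_id and reduce each to one record: source and
    destination, ingress interface, routed egress interface and the verdict."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        rec = traces.setdefault(tid, {"src": None, "dst": None, "in_if": None, "out_if": None,
                                      "verdict": "no decision logged", "policy": None})
        if p := PKT_RE.search(msg):
            rec["src"], rec["dst"], rec["in_if"] = p.group(2), p.group(3), p.group(4)
        elif r := ROUTE_RE.search(msg):
            rec["out_if"] = r.group(1)
        elif s := SESSION_RE.search(msg):
            # Replies matching an existing session never hit policy lookup again.
            rec["verdict"] = f"existing session ({s.group(2)} direction)"
        elif a := ALLOW_RE.search(msg):
            rec["verdict"], rec["policy"] = "allowed", int(a.group(1))
        elif d := DENY_RE.search(msg):
            rec["verdict"], rec["policy"] = "denied", int(d.group(1))
        elif "drop" in msg.lower():
            rec["verdict"] = "dropped: " + msg
    return traces


def explain(traces):
    """Turn each record into one line a troubleshooter can act on."""
    out = []
    for tid, r in traces.items():
        path = f"{r['src']} -> {r['dst']} in via {r['in_if']}, routed via {r['out_if']}"
        if r["verdict"] == "denied" and r["policy"] == 0:
            # Policy 0 is the FortiOS implicit deny: nothing matched this
            # interface pair / address combination, so a policy is missing.
            hint = f"implicit deny (policy 0): no policy matches {r['in_if']} -> {r['out_if']}"
        elif r["verdict"] == "allowed":
            hint = f"allowed by policy {r['policy']}"
        else:
            hint = r["verdict"]
        out.append(f"trace {tid}: {path}; {hint}")
    return out


if __name__ == "__main__":
    for line in explain(summarize_trace(SAMPLE_TRACE)):
        print(line)
```

Paste the real trace output in place of the constructed sample; a run of "policy 0" verdicts with the expected ingress and egress interfaces points straight at the missing or mis-scoped firewall policy, while a missing "find a route ... via <tunnel>" line points at routing instead.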

ezhupa
Staff

Hello Mateusz28, 

 

Make sure the Local-GW IP you have configured in the IPsec configuration is also present on WAN1, either as a primary or a secondary IP.

If the tunnel is already up, both phase1 and phase2 traffic should be flowing.
Are you generating traffic from a host in network 10.1.1.X/24 towards 10.1.0.X/24?
In that case what you would need to check is:
1) Routing - is there any static route configured?
get router info routing-table details x.x.x.x   <-- x.x.x.x is the destination you are trying to ping.
2) Firewall Policy - are there FW policies configured to allow this traffic?
You would need 2 policies, one LAN -> IPSEC, the other IPSEC -> LAN for the return traffic.
Double-check the configuration just in case; sometimes a small thing has caused the issue.
If all of the above is checked and configured correctly, try setting NAT-T to forced on the FGT side, just in case some traffic is being dropped by the ISP.
Hope this helps.
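Items 1) and 2) of this checklist can be verified against a config backup rather than by eye. The script below is an added example, not code from the thread or from Fortinet: it parses a constructed FortiOS CLI excerpt (the interface names "lan" and "tunnelA" and the address objects are assumptions) and reports whether a static route to the remote subnet exists via the tunnel interface and whether an accept policy exists in each direction. The sample excerpt deliberately lacks the IPSEC -> LAN return policy so the audit has something to find.

```python
import ipaddress
import shlex

# Constructed FortiOS excerpt (interface and object names are assumptions, not from the
# thread): the static route and the LAN -> tunnel policy exist, the return policy does not.
SAMPLE_CONFIG = """config firewall address
    edit "net_A"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "net_B"
        set subnet 10.1.1.0 255.255.255.0
    next
end
config router static
    edit 1
        set dst 10.1.0.0 255.255.255.0
        set device "tunnelA"
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "tunnelA"
        set srcaddr "net_B"
        set dstaddr "net_A"
        set action accept
    next
end
"""
# The return policy the checklist asks for (tunnel -> LAN), also constructed.
RETURN_POLICY = """config firewall policy
    edit 2
        set srcintf "tunnelA"
        set dstintf "lan"
        set srcaddr "net_A"
        set dstaddr "net_B"
        set action accept
    next
end
"""


def parse_fortios(text):
    """Minimal parser for 'config / edit / set / next / end' blocks -> {table: {entry: {key: [values]}}}.
    Sub-tables nested inside an entry are flattened into that entry's keys, enough for this check."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words or words[0].startswith("#"):
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(" ".join(args))
            if len(stack) == 1:
                tables.setdefault(stack[0], {})
        elif cmd == "edit" and len(stack) == 1:
            entry = tables[stack[0]].setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif cmd == "next" and len(stack) == 1:
            entry = None
        elif cmd == "end" and stack:
            stack.pop()
    return tables


def subnet_of(addrs, name):
    """Address object -> ip_network ('all' is the built-in 0.0.0.0/0); None if unknown."""
    sub = ["0.0.0.0", "0.0.0.0"] if name == "all" else addrs.get(name, {}).get("subnet")
    return ipaddress.ip_network("/".join(sub), strict=False) if sub else None


def policy_allows(policy, addrs, sif, dif, snet, dnet):
    """True if an enabled accept policy matches the interface pair and covers both subnets."""
    if policy.get("action", [""])[0] != "accept" or policy.get("status", ["enable"])[0] != "enable":
        return False
    if sif not in policy.get("srcintf", []) or dif not in policy.get("dstintf", []):
        return False
    def covered(names, net):
        return any(o is not None and net.subnet_of(o) for o in (subnet_of(addrs, n) for n in names))
    return covered(policy.get("srcaddr", []), snet) and covered(policy.get("dstaddr", []), dnet)


def audit(config_text, lan_if, tunnel_if, local_net, remote_net):
    """Return findings for the two checklist items; an empty list means both pass."""
    cfg, findings = parse_fortios(config_text), []
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    # 1) Routing: a static route whose destination covers the remote subnet, via the tunnel interface.
    if not any("dst" in r and r.get("device", [None])[0] == tunnel_if
               and remote.subnet_of(ipaddress.ip_network("/".join(r["dst"]), strict=False))
               for r in cfg.get("router static", {}).values()):
        findings.append(f"no static route to {remote} via {tunnel_if}")
    # 2) Policies: one LAN -> tunnel for outbound, one tunnel -> LAN for the return direction.
    addrs, policies = cfg.get("firewall address", {}), cfg.get("firewall policy", {}).values()
    for sif, dif, snet, dnet in ((lan_if, tunnel_if, local, remote), (tunnel_if, lan_if, remote, local)):
        if not any(policy_allows(p, addrs, sif, dif, snet, dnet) for p in policies):
            findings.append(f"no accept policy {sif} -> {dif} covering {snet} -> {dnet}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "lan", "tunnelA", "10.1.1.0/24", "10.1.0.0/24"))
```

Run against a real backup by passing the exported config text and the actual LAN and phase1 interface names; the parser only understands subnet-type address objects, so policies built on address groups or FQDN objects will show up as findings until you extend subnet_of.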
