Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DavidC
New Contributor

VPN Ipsec tunnel site-to-site is up but can't ping HQ to branch hosts

Hello,

I would like to have some help, i have set up a IPsec Tunnel VPN Site-to-Site between 2 Fortigate. It's working well HQ and Branch are connected.

Tunnel is up 24/7, i can ping Branch's Lan to HQ's Lan without problems(Pcs, FG, Routers, wireless point,etc.) and HQ's Lan to Branch's Lan(FG, Routers, wireless point, printers etc ok but no PC's)

RDP only works in one side, from the branch's site.

HQ's LAN 10.0.78.0/24 Brand's LAN 10.0.150.0/24  

 

I did a full check-up about firewall, policies, local and remote address and static routes.

 

Thanks.

6 REPLIES 6
viplo
New Contributor

Hi there,

 

On which version are you?

Did you add an IP to both VPN interface?

 

Cheers

DavidC
New Contributor

Hello,

 

Yes i added an IP to both VPN interface as remote gateway (the public ip address of the HQ FortiGate and Branch FortiGate).

I used this guide : https://cookbook.fortinet.com/site-to-site-ipsec-vpn-with-two-fortigates-60/

 

HQ's firmware : v5.6.6 build 1630

Branch's firmware : v5.6.3 build 1547

ede_pfau
Esteemed Contributor III

@viplo: the tunnel interfaces do not need any IP addresses ('unnumbered' will do).

 

Are you SURE the PCs will allow ping requests? Think of Windows Firewall or any other protection software.

If traffic (like RDP) is only allowed from one side, do you have a policy in place for that direction?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
DavidC

@ede_pfau Thanks you!! It was problem with Windows Defender, i added an rule to allow ICMP's ping and now it's working well i can ping with cmd and use RDP from HQ's PCs to Branch's PCs.

 

 

ede_pfau
Esteemed Contributor III


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
viplo
New Contributor

Hi all,

 

@ede_pfau, I tryed to understand the situation, I didn't suggest to add IP or anything else ;)

I also had also kind of same issue, but it was because of Direct Access, found 2 hours ago.

 

Cool for you DavidC.

Cheers,

Viplo

 

Labels
Top Kudoed Authors