Route Base VPN problem

Page: 12 > Showing page 1 of 2
Author
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
2017/09/03 09:18:41 (permalink)
0

Route Base VPN problem

Hello,
I'm trying to set up a site-to-site IPsec VPN between a 60E and a 100D to route all traffic from a specific 60E port into the IPsec tunnel (remote browsing). I used a route-based VPN. There was a minor problem with the default route, but it was possible to resolve it by setting priorities.
The central unit is the 100D in an A/P cluster. Behind it is a Win2008 server (AD, DNS, DHCP), and the 60E uses DHCP relay to allocate addresses to clients through the IPsec tunnel. It all works.

However, the customer also requires two additional ports on the 60E that must go through the WAN interface directly (with NAT) to the Internet, outside the IPsec tunnel.
I set up the interfaces, IP ranges, DHCP, DNS, policies ... Unfortunately, the Internet was inaccessible from these networks. I looked for the cause, and the problem is that the default route for the IPsec tunnel (0.0.0.0/0 -> TUNNEL) has a lower priority value (2) than the default route to the default gateway (0.0.0.0/0 -> DEFAULT GW, priority 4).
So I tried to use policy routing to define that these two networks should route traffic directly to the WAN. Unfortunately, this does not work.
So I set up a policy-based VPN between the 60E and the 100D. Now all networks are working, but all traffic generated by the 60E itself (ping, connecting to FAZ, etc.) goes through this IPsec tunnel, which is undesirable.

How do I best solve this scenario? Ideally using a route-based VPN?

Thank you.
#1
alago
New Member
  • Total Posts : 20
  • Scores: 5
  • Reward points: 0
  • Joined: 2017/06/04 11:45:32
  • Status: offline
Re: Route Base VPN problem 2017/09/03 13:59:46 (permalink)
0
Hi,
 
You could do the opposite. Create a route 0.0.0.0/0 -> DEFAULT GW (4) and then create a policy route to match only the traffic you want to go through the VPN, e.g.
 
172.16.0.0/24 -> TUNNEL
172.160.1.0/24 -> TUNNEL
 
You shouldn't have any problems with route-based VPNs; in fact, they usually offer better usability than policy-based VPNs.
 
Hope it helps.
 
 
#2
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Route Base VPN problem 2017/09/03 23:08:05 (permalink)
0
Hi,
The problem is that I need all traffic from a specific subnet/interface to go through the tunnel, not only some subnets. And if I create two default routes 0.0.0.0/0 (one with priority 2 to the tunnel and one with priority 4 to the WAN GW), traffic from the interface that I don't want routed to the tunnel is routed to the tunnel :-/
#3
oheigl
Gold Member
  • Total Posts : 229
  • Scores: 6
  • Reward points: 0
  • Joined: 2010/02/18 04:27:05
  • Location: Austria
  • Status: offline
Re: Route Base VPN problem 2017/09/04 00:31:28 (permalink)
0
Yeah, but that's exactly what he meant: configure the WAN gateway route with a lower priority than the one into the VPN tunnel (a lower priority value actually means it is preferred over a higher priority value). After that, create a policy route with source and destination 0.0.0.0 pointing to the VPN tunnel, and set the source interface to the specific interface which should go through the VPN. This should work just fine :)
#4
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Route Base VPN problem 2017/09/04 01:20:54 (permalink)
0
Oheigl, thanks,

I set it up according to your instructions. Everything works, but I can't reach anything on the Internet from the 60E itself, only the default gateway. Ping does not work to anywhere on the Internet, and I am not able to connect to FAZ or FMG. If I set static routes to the individual destinations (FAZ, FMG), everything works. Is this a feature or a wrong setting?

Thanks
Jirka

config system interface
    edit "wan1"
        set vdom "root"
        set ip 62.xxx.xxx.xxx 255.255.255.192
        set allowaccess ping https ssh snmp
        set type physical
        set alias "WAN"
        set role wan
        set snmp-index 1
    next
    edit "internal2"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 172.17.14.1 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set alias "CUST LAN"
        set device-identification enable
        set role lan
        set snmp-index 9
        set dhcp-relay-ip "172.16.10.2"
    next
    edit "XDC"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set role lan
        set snmp-index 5
        set interface "internal2"
        set vlanid 1000
    next
    edit "UniFi"
        set vdom "root"
        set ip 10.33.1.1 255.255.255.0
        set allowaccess ping
        set role lan
        set snmp-index 15
        set interface "internal2"
        set vlanid 1001
    next
end
config router static
    edit 3
        set gateway 62.xxx.xxx.xxx
        set priority 2
        set device "wan1"
    next
    edit 2
        set priority 1
        set device "IPsec->HQ"
    next
end
config router policy
    edit 1
        set input-device "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "IPsec->HQ"
    next
    edit 2
        set input-device "XDC"
        set srcaddr "XDC"
        set dstaddr "all"
        set gateway 62.xxx.xxx.xxx
        set output-device "wan1"
    next
    edit 3
        set input-device "UniFi"
        set srcaddr "UniFiGuest"
        set dstaddr "all"
        set gateway 62.xxx.xxx.xxx
        set output-device "wan1"
    next
end
config firewall policy
    edit 4
        set uuid 16b6d6f2-90a9-51e7-50d6-28c75b7038db
        set srcintf "UniFi"
        set dstintf "wan1"
        set srcaddr "UniFiGuest"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 5
        set uuid 328c1e1e-90a9-51e7-a976-255cf2cc7aae
        set srcintf "XDC"
        set dstintf "wan1"
        set srcaddr "XDC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 3
        set uuid 4bf13740-9144-51e7-86ff-1d4e03ca6ca3
        set srcintf "internal2"
        set dstintf "IPsec->HQ"
        set srcaddr "CUST LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 6
        set uuid 56347e10-9144-51e7-ffac-a6f54c96de19
        set srcintf "IPsec->HQ"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "CUST LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
#5
oheigl
Gold Member
  • Total Posts : 229
  • Scores: 6
  • Reward points: 0
  • Joined: 2010/02/18 04:27:05
  • Location: Austria
  • Status: offline
Re: Route Base VPN problem 2017/09/04 01:37:38 (permalink)
0
Well, your priority on the second route is still lower than the one via wan1 (or did you change it back because it didn't work?)
What do you mean by "can't go anywhere on the Internet"? Do you mean traffic that originates from the FortiGate, or isn't it working for the XDC clients either?
In my opinion, if you change the priority on the wan1 interface to 0, it should work!
#6
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Route Base VPN problem 2017/09/04 01:49:07 (permalink)
0
Yes,
If I set the default WAN route to a lower priority (1) than the default tunnel route (2), it does not work. The other two networks (UniFi and XDC) are working, as is the traffic coming from the FortiGate, but the IPsec tunnel is not... the client does not obtain an IP address from DHCP, and if I set one statically, it does not work.
#7
oheigl
Gold Member
  • Total Posts : 229
  • Scores: 6
  • Reward points: 0
  • Joined: 2010/02/18 04:27:05
  • Location: Austria
  • Status: offline
Re: Route Base VPN problem 2017/09/04 01:57:00 (permalink)
0
Wait, you are receiving DHCP via the VPN tunnel for the internal2 clients? Can you start a sniffer for this kind of traffic in the situation where it is not working?
diag sniffer packet any 'net 172' 4 0 a

If you want to debug only DHCP you can filter it further:
diag sniffer packet any 'net 172 and (port 67 or port 68)' 4 0 a

I'm not sure how much and what type of traffic is going through your device.
#8
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Route Base VPN problem 2017/09/04 02:12:57 (permalink)
0
Ok,
I made test with priority of route.

The first sniff is with the lower priority (1) on the WAN route. No response from the DHCP server behind the tunnel.
 
FGT60-IGY # diag sniffer packet any 'net 172 and (port 67 or port 68)' 4 0 a
 
interfaces=[any]
filters=[net 172 and (port 67 or port 68)]
2017-09-04 09:05:44.702483 wan1 out 172.17.14.1.67 -> 172.16.10.2.67: udp 301
2017-09-04 09:05:48.949704 wan1 out 172.17.14.1.67 -> 172.16.10.2.67: udp 301
2017-09-04 09:05:56.833940 wan1 out 172.17.14.1.67 -> 172.16.10.2.67: udp 301
^C
4 packets received by filter
0 packets dropped by kernel

 
The second sniff is with the higher priority (2) on the WAN route. This is the correct behavior and the client got an IP address.
 
FGT60-IGY # diag sniffer packet any 'net 172 and (port 67 or port 68)' 4 0 a
 
interfaces=[any]
filters=[net 172 and (port 67 or port 68)]
2017-09-04 09:07:41.726772 IPsec-HQ out 172.17.14.1.67 -> 172.16.10.2.67: udp 335
2017-09-04 09:07:41.736961 IPsec-HQ in 172.16.10.2.67 -> 172.17.14.1.67: udp 309
2017-09-04 09:07:41.737180 internal2 out 172.17.14.1.67 -> 172.17.14.22.68: udp 309

post edited by sigmasoftcz - 2017/09/04 02:16:22
#9
oheigl
Gold Member
  • Total Posts : 229
  • Scores: 6
  • Reward points: 0
  • Joined: 2010/02/18 04:27:05
  • Location: Austria
  • Status: offline
Re: Route Base VPN problem 2017/09/04 02:30:49 (permalink)
0
Hm okay, that's annoying: it's not working because the relay is like self-originating traffic from the FGT, so the policy route is not checked. Just for testing, can you add a route for the DHCP relay server 172.16.10.2 through the VPN?
 
Thanks!
#10
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Route Base VPN problem 2017/09/04 02:36:07 (permalink)
0
Update: if I set both default routes to the same priority (1), it seems everything works well.
Edit: after rebooting the FortiGate, the tunnel still works, but traffic from the FGT does not again :(
I will test your design with a static route to the DHCP server and let you know.
 
Anyway, thank you for your help "neighbor":)
post edited by sigmasoftcz - 2017/09/04 02:43:23
#11
oheigl
Gold Member
  • Total Posts : 229
  • Scores: 6
  • Reward points: 0
  • Joined: 2010/02/18 04:27:05
  • Location: Austria
  • Status: offline
Re: Route Base VPN problem 2017/09/04 03:01:56 (permalink)
0
Ah yeah, that should work too, because you have policy routes for your other interfaces too. Otherwise it would ECMP load-balance your connections. Just stick with what you feel most comfortable with.
 
No problem neighbor :) 
#12
alago
New Member
  • Total Posts : 20
  • Scores: 5
  • Reward points: 0
  • Joined: 2017/06/04 11:45:32
  • Status: offline
Re: Route Base VPN problem 2017/09/04 05:29:54 (permalink)
0
Hi,
 
Correct me if I'm wrong. You have:
WAN1 interface responsible for the Internet traffic.
Internal2 is your LAN.
XDC is a VLAN tied to Internal2.
UniFi is a VLAN tied to Internal2.
 
You want to route only internal2 through the VPN (IPsec->HQ), right?
 
The same distance means that both the WAN1 and IPsec routes will be active at the same time.
A lower priority on WAN1 means that traffic will be routed through it while the WAN1 link is active.
config router static
    edit 3
        set gateway 62.xxx.xxx.xxx
        set distance 10
        set priority 1 #Change it to a lower priority than the IPsec Tunnel.
        set device "wan1"
    next
    edit 2
        set distance 10
        set priority 2 #Change it to a higher priority
        set device "IPsec->HQ"
    next
end
 
Now, about your policy routes: you just need to create one from internal2 to IPsec->HQ; all the other interfaces will use the lower-priority static route.
config router policy
    edit 1
        set input-device "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "IPsec->HQ"
    next
end
 
Try this and give us feedback please; if it doesn't work, post the results of the following commands:
 
show full-configuration system interface wan1
show full-configuration system interface IPsec->HQ
get router info routing-table database
 
Hope it helps
 
 
#13
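To make the route-selection argument in the two replies above concrete, here is an added example (not code from the posts and not FortiOS code) that models the rules they rely on: among matching static routes the longest prefix wins, then the lowest distance, then the lowest priority value, and routes still tied on distance and priority stay active together (ECMP, as oheigl notes); policy routes are consulted only for forwarded traffic entering on the configured input-device, while traffic the FortiGate originates itself (the DHCP relay, pings to FAZ/FMG) skips them and uses the routing table directly, which is oheigl's explanation for the relay failure. Interface names and the relay target 172.16.10.2 come from the posted config; the FortiGate's own source address and the FAZ address are placeholders I chose, and the model ignores firewall policies and NAT.

```python
"""Simplified model of how the FortiGate in this thread picks an egress
interface. Added example, not FortiOS code; encodes only these rules:

* static routes: longest prefix, then lowest distance, then lowest priority
  value; routes left tied on distance and priority stay active together (ECMP);
* policy routes are consulted only for forwarded traffic entering on the
  configured input-device; traffic the FortiGate originates itself (the DHCP
  relay, pings to FAZ/FMG) skips them and uses the routing table directly.

Interface names and the relay target 172.16.10.2 come from the posted config.
The FortiGate's own source address and the FAZ address are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class StaticRoute:
    dst: str            # prefix, e.g. "0.0.0.0/0"
    device: str         # egress interface
    distance: int = 10  # FortiOS default for static routes
    priority: int = 0   # lower value wins among equal-distance routes

    def matches(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.dst)


@dataclass(frozen=True)
class PolicyRoute:
    input_device: str
    output_device: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

    def matches(self, in_dev: str, src: str, dst: str) -> bool:
        return (in_dev == self.input_device
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def rib_lookup(routes: Sequence[StaticRoute], dst: str) -> List[str]:
    """Egress device(s) the routing table selects for dst; >1 means ECMP."""
    cands = [r for r in routes if r.matches(dst)]
    if not cands:
        return []
    best_len = max(ip_network(r.dst).prefixlen for r in cands)
    cands = [r for r in cands if ip_network(r.dst).prefixlen == best_len]
    best_dist = min(r.distance for r in cands)
    cands = [r for r in cands if r.distance == best_dist]
    best_prio = min(r.priority for r in cands)
    return sorted(r.device for r in cands if r.priority == best_prio)


def egress(routes: Sequence[StaticRoute], policies: Sequence[PolicyRoute],
           src: str, dst: str, in_dev: Optional[str]) -> List[str]:
    """in_dev=None marks traffic originated by the FortiGate itself,
    which bypasses policy routes in this model."""
    if in_dev is not None:
        for p in policies:
            if p.matches(in_dev, src, dst):
                return [p.output_device]
    return rib_lookup(routes, dst)


# The single policy route alago suggests: everything entering internal2 -> tunnel.
POLICIES = [PolicyRoute("internal2", "IPsec->HQ")]


def scenario(wan_prio: int, tun_prio: int,
             extra: Sequence[StaticRoute] = ()) -> Dict[str, List[str]]:
    """Egress for the four flows discussed in the thread, given the two
    default routes' priorities plus any extra static routes."""
    routes = [StaticRoute("0.0.0.0/0", "wan1", 10, wan_prio),
              StaticRoute("0.0.0.0/0", "IPsec->HQ", 10, tun_prio), *extra]
    return {
        # client on CUST LAN browsing the Internet (should go via HQ)
        "cust_lan_client": egress(routes, POLICIES, "172.17.14.22", "8.8.8.8", "internal2"),
        # client on the XDC VLAN (should go straight out wan1)
        "xdc_client": egress(routes, POLICIES, "10.10.20.50", "8.8.8.8", "XDC"),
        # DHCP relay from the FortiGate to the server behind the tunnel
        "dhcp_relay": egress(routes, POLICIES, "172.17.14.1", "172.16.10.2", None),
        # FortiGate itself talking to FAZ (placeholder addresses, assumed)
        "fgt_to_faz": egress(routes, POLICIES, "198.51.100.2", "203.0.113.10", None),
    }


if __name__ == "__main__":
    print("original (wan1 prio 4, tunnel prio 2):", scenario(4, 2))
    print("swapped  (wan1 prio 10, tunnel prio 20):", scenario(10, 20))
    print("equal priorities (ECMP):", scenario(1, 1))
    fix = [StaticRoute("172.16.10.2/32", "IPsec->HQ")]
    print("swapped + /32 for the relay server:", scenario(10, 20, fix))
```

With the original priorities (wan1 4, tunnel 2) the XDC client is pulled into the tunnel because no policy route matches it; with the swapped priorities the XDC client and the FortiGate's own traffic leave via wan1, but so does the DHCP relay, since self-originated traffic never reaches the policy route. A /32 for the relay server through the tunnel, as oheigl suggests for testing, fixes that one flow, and equal priorities leave both default routes active as ECMP candidates.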
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Route Base VPN problem 2017/09/04 05:53:21 (permalink)
0
Hi alago,
 
thanks for your feedback.
I tried your config with this result:
1) IPsec tunnel is functional
2) other networks (UniFi, XDC) do not work - they do not pass through FGT
 
cfg:
 
config system interface
    edit "wan1"
        set vdom "root"
        set fortilink disable
        set mode static
        set dhcp-relay-service disable
        set ip 62.xxx.xxx.xxx 255.255.255.192
        set allowaccess ping https ssh snmp
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type physical
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias "WAN"
        set l2tp-client disable
        set security-mode none
        set device-identification disable
        set lldp-transmission vdom
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set vrrp-virtual-mac disable
        set role wan
        set snmp-index 1
        set secondary-IP disable
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set speed auto
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end
config system interface
    edit "IPsec->HQ"
        set vdom "root"
        set distance 5
        set dhcp-relay-service disable
        set ip 0.0.0.0 0.0.0.0
        unset allowaccess
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set icmp-redirect enable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type tunnel
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set remote-ip 0.0.0.0
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set role undefined
        set snmp-index 4
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set wccp disable
        set interface "wan1"
    next
end
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] is directly connected, IPsec->HQ, [2/0]
     *> [10/0] via 62.xxx.xxx.xxx, wan1, [4/0]
C *> 10.33.1.0/24 is directly connected, UniFi
C *> 62.xxx.xxx.xxx/26 is directly connected, wan1
C *> 100.10.20.0/24 is directly connected, XDC
C *> 172.17.14.0/24 is directly connected, internal2
C *> 172.20.0.0/16 is directly connected, XDC-VPN
C *> 192.168.1.0/24 is directly connected, internal

#14
alago
New Member
  • Total Posts : 20
  • Scores: 5
  • Reward points: 0
  • Joined: 2017/06/04 11:45:32
  • Status: offline
Re: Route Base VPN problem 2017/09/04 06:13:36 (permalink)
0
Hi,
 
Please run show full-configuration router static and post the result.
 
 
 
 
#15
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Route Base VPN problem 2017/09/04 06:17:52 (permalink)
0
config router static
    edit 3
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 62.xxx.xxx.xxx
        set distance 10
        set weight 0
        set priority 4
        set device "wan1"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
    edit 2
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set distance 10
        set weight 0
        set priority 2
        set device "IPsec->HQ"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
end

#16
alago
New Member
  • Total Posts : 20
  • Scores: 5
  • Reward points: 0
  • Joined: 2017/06/04 11:45:32
  • Status: offline
Re: Route Base VPN problem 2017/09/04 06:40:02 (permalink)
0
Hi,
 
As I suspected, you forgot to change your priority values. Please change the priority value of the WAN1 route to 10 and of the IPsec route to 20.
 
config router static
    edit 3
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 62.xxx.xxx.xxx
        set distance 10
        set weight 0
        set priority 2
        set device "wan1"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
    edit 2
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set distance 10
        set weight 0
        set priority 4
        set device "IPsec->HQ"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
end
 
 
 
#17
oheigl
Gold Member
  • Total Posts : 229
  • Scores: 6
  • Reward points: 0
  • Joined: 2010/02/18 04:27:05
  • Location: Austria
  • Status: offline
Re: Route Base VPN problem 2017/09/04 06:47:06 (permalink)
0
That's the exact same thing I told him in my initial post 
#18
sigmasoftcz
Bronze Member
  • Total Posts : 42
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/09 11:34:53
  • Location: Czech Republic
  • Status: offline
Re: Route Base VPN problem 2017/09/04 07:11:16 (permalink)
0
Guys, but I tried this!  
 
Now I changed the priority:
config router static
    edit 3
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set gateway 62.xxx.xxx.xxx
        set distance 10
        set weight 0
        set priority 10
        set device "wan1"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
    edit 2
        set status enable
        set dst 0.0.0.0 0.0.0.0
        set distance 10
        set weight 0
        set priority 20
        set device "IPsec->HQ"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
        set dstaddr ''
        unset internet-service
        set internet-service-custom ''
        set link-monitor-exempt disable
    next
end
 
config router policy
    edit 1
        set input-device "internal2"
        set srcaddr "all"
        set src-negate disable
        set dstaddr "all"
        set dst-negate disable
        set action permit
        set protocol 0
        set gateway 0.0.0.0
        set output-device "IPsec->HQ"
        set tos 0x00
        set tos-mask 0x00
        set status enable
        set comments ''
    next
end

S *> 0.0.0.0/0 [10/0] via 62.xxx.xxx.xxx, wan1, [10/0]
*> [10/0] is directly connected, IPsec->HQ, [20/0]
C *> 10.33.1.0/24 is directly connected, UniFi
C *> 62.xxx.xxx.xxx/26 is directly connected, wan1
C *> 100.10.20.0/24 is directly connected, XDC
C *> 172.17.14.0/24 is directly connected, internal2
C *> 172.20.0.0/16 is directly connected, XDC-VPN
C *> 192.168.1.0/24 is directly connected, internal
 
config firewall policy
    edit 4
        set uuid 16b6d6f2-90a9-51e7-50d6-28c75b7038db
        set srcintf "UniFi"
        set dstintf "wan1"
        set srcaddr "UniFiGuest"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 5
        set uuid 328c1e1e-90a9-51e7-a976-255cf2cc7aae
        set srcintf "XDC"
        set dstintf "wan1"
        set srcaddr "XDC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 3
        set uuid 4bf13740-9144-51e7-86ff-1d4e03ca6ca3
        set srcintf "internal2"
        set dstintf "IPsec->HQ"
        set srcaddr "CUST LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 6
        set uuid 56347e10-9144-51e7-ffac-a6f54c96de19
        set srcintf "IPsec->HQ"
        set dstintf "internal2"
        set srcaddr "all"
        set dstaddr "CUST LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 
The IPsec tunnel is UP, but the other networks (XDC, UniFi) are down...
#19
alago
New Member
  • Total Posts : 20
  • Scores: 5
  • Reward points: 0
  • Joined: 2017/06/04 11:45:32
  • Status: offline
Re: Route Base VPN problem 2017/09/04 07:30:03 (permalink)
0
Hm...
 
Let's do some troubleshooting. With that same configuration, do the following.
 
Run this on the FortiGate:
diag debug enable
diag debug show console enable
diag debug flow filter addr x.x.x.x (e.g. 172.20.0.1)
diag debug flow trace start 250
 
Ping from x.x.x.x (change this to the IP you chose above) to 8.8.8.8 and post the results from the FortiGate CLI here.
 
 
 
 
#20