VPN Ipsec is up but can’t ping

I have a fortigate on v6. I have setup ipsec vpn. It’s connected to a sophos xg firewall.

The vpn is showing up. I can’t ping. I have on both firewalls the policy enabled for vpn to lan and lan to vpn.

I have static route added on fortigate.

I see incoming log but outgoing log is 0.

I hope someone can help me.

Well I have the phase 2 configured correctly. Sophos support had a remote look and said it’s all good. The issue lies with the fortigate firewall. You know how it goes, one vendor points to the other vendor.

Hope someone can tell me how to check if it’s really about phase2.

Hi ,
 
Ok, kindly share fortigate Vpn configuration as well as sophos vpn parameter , let see what went wrong .
 
Regds,
 
Ashik

Here you go:

config vpn ipsec phase1-interface
edit "VPN"
set interface "wan1"
set peertype any
set proposal aes128-sha256
set dhgrp 14
set nattraversal disable
set remote-gw 217.100.11.164
set psksecret ENC 09KfjeK/J3wwarSADlgYszJKZzY5yMlmE9HhBqmp8i1xtFvIMI2gqbgfncSGzlSU93mAxrYY6X280QIaylrKcJOuPhyFJQasTtCi7+fa7KMH07C2vOhrAZj/R3CeDBoSEISYqzO53h2R0S/s8624WqAkF/bhDyKrjc0EUkuvlpTWrWfPwjhT6KyItsSJO9h4WxL40w==


config vpn ipsec phase2-interface
set phase1name "VPN"
set proposal aes128-sha256
set dhgrp 14
set src-subnet 10.24.5.0 255.255.255.0
set dst-subnet 192.168.104.0 255.255.255.0

config firewall policy
edit 37
set name "ipsec to local"
set uuid d5f533ee-ad5c-51e8-902e-c8570788bc6f
set srcintf "VPN"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"
next
edit 38
set name "local to ipsec"
set uuid 1d570582-ad5d-51e8-ca02-e79f8ef5b6cc
set srcintf "wan1"
set dstintf "VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"


config router static
edit 1
set gateway 176.74.240.62
set device "wan1"
next
edit 3
set dst 192.168.3.0 255.255.255.0
set device "p1-fw-var"
next
edit 4
set dst 192.168.2.0 255.255.255.0
set device "p1-fw-var"
next
edit 5
set dst 192.168.0.0 255.255.252.0
set device "OUT"
next
edit 6
set gateway 176.74.234.54
set distance 20
set priority 1
set device "wan1"
next
edit 8
set dst 192.168.104.0 255.255.255.0
set device "VPN"
next

Hi 
 
I checked your conf ...VPN conf looks fine but Policy is incorrect .Instead of LAN interface policy shows "Wan1" which is your VPN gateway interface .
 
config firewall policy
edit 37
set name "ipsec to local"
set uuid d5f533ee-ad5c-51e8-902e-c8570788bc6f
set srcintf "VPN"
set dstintf "wan1"  (This interface should be LAN Interface where your local subnet is )
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"
next
edit 38
set name "local to ipsec"
set uuid 1d570582-ad5d-51e8-ca02-e79f8ef5b6cc
set srcintf "wan1" (This interface should be LAN Interface where your local subnet is )
set dstintf "VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"

Hi,
 
By default you can't ping from fortigate to VPN site LAN.To ping from fortigate you should do source ping ..like eg
 
#exe Ping-option source {your LAN interface IP}
#exe Ping {destination VPN LAN IP}
 
Now you should be able to ping 
 
Regds,
 
Ashik,NSE8

Behind LAN interface systems can ping other side if your conf is fine.But from fortigate you should do source ping which i posted earlier .
 
Regds,
 
Ashik

Hi,
 
Get me your LAN interface IP or Conf and also let me know Which IP u want to ping .
 
I can give you exact cmd..
 
Regds,
Ashik

@Ashik helped me through a remote session. Changed a policy and now I can ping from FG LAN to Sophos LAN.
 
All working and thanks to @Ashik!

Opss! I test close webUI after i open webUi i tested FG-Brand ping to client's HQ can not ping. How can make ping all time (send log)