Hi, I'm trying to have traffic routed through an IPsec VPN, but I don't understand how to do it, or if it is even possible.
Please see the attached network map; I want unit 1 to be able to access unit 6.
-There is a working VPN between unit 4 and 5.
-Units 2, 3, 4 and 5 are all able to ping unit 6.
-Unit 1 is not able to ping unit 6.
-For testing purposes firewall rules in units 2, 4 and 5 allow all traffic from unit 1 to unit 6.
-Unit 4 IPsec phase 2: local 172.24.16.0/22, remote 172.24.32.0/22
-Unit 5 IPsec phase 2: local 172.24.32.0/22, remote 172.24.16.0/22
Any help is much appreciated.
Thanks
unit4 needs a route to 172.24.32.0 or it will drop the traffic.
Check with "diag deb enable" and "diag sniffer packet any 'icmp' 4" on unit4 while running "ping -t" between the hosts.
Thank you very much for the reply! Both unit 4 and unit 5 have the relevant routes (units 2, 3 and 4 can reach unit 6).
With the debugging command I can see ICMP packets coming into unit 4 on the LAN interface and going out on the VPN interface, in both cases from 172.24.0.20 to 172.24.32.10.
But there is no traffic on unit 5 with the same command.
In unit 5 I have this firewall rule:
-in interface=vpn, out interface=lan, source=all, destination=all, service=all, schedule=always, action=allow
I don't have any deny rules except the implicit deny rule.
I used the policy lookup button: source interface=vpn, protocol=ping request, source=172.24.0.20 (unit1), destination=172.24.32.10 (unit 6)
The policy lookup says "Failed to perform lookup policy" which is weird.
Is the subnet on unit 1 allowed through every VPN on the way to unit 6? Try NATting the traffic from unit 1 and if that works, there's your answer.
yrani wrote:
-Unit 4 IPsec phase 2: local 172.24.16.0/22, remote 172.24.32.0/22
-Unit 5 IPsec phase 2: local 172.24.32.0/22, remote 172.24.16.0/22
I don't see any phase 2 that covers the 172.24.0.0/x subnet range...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
There is only 1 VPN, between unit 4 and 5.
I am familiar with the concept of NAT, but I am not sure how to enable it in FortiOS. Is it as simple as enabling it in the firewall rule?
Is it not possible to achieve what I want without NAT?
It is as simple as enabling it in the policy. All traffic in that policy will have the address of the interface facing the VPN (172.24.16.253), or by using an IP Pool you can specify another address on that subnet. The other way to achieve this without NAT is to create another phase 2 on that phase 1 with endpoints 172.24.0.0/22 <==> 172.24.32.0/22, as below:
-Unit 4 IPsec phase 2: local 172.24.0.0/22, remote 172.24.32.0/22
-Unit 5 IPsec phase 2: local 172.24.32.0/22, remote 172.24.0.0/22
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
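What both fixes look like in the FortiOS CLI, as an added example that is not part of the thread or of Bob's scripts. The tunnel name "to-unit5", the phase 2 name "to-unit5-p2-lan0", the interface name "lan", the pool name "vpn-snat-pool" and the pool address 172.24.16.250 are assumptions; only the subnets come from the thread. Option A is the additional phase 2 selector on unit 4 (unit 5 needs the mirror image, with src-subnet and dst-subnet swapped, which is exactly the detail that went wrong earlier in the thread). Option B is the source-NAT policy that hides unit 1's subnet behind an address already covered by the existing selector:

```fortios
# ---- Option A (unit 4): second phase 2 selector covering unit 1's subnet ----
# Every flow crossing the tunnel must match a phase 2 selector pair on BOTH
# peers; 172.24.0.20 is not inside 172.24.16.0/22, so the existing selector
# silently drops it. "to-unit5" is the assumed existing phase 1 name.
config vpn ipsec phase2-interface
    edit "to-unit5-p2-lan0"
        set phase1name "to-unit5"
        set src-subnet 172.24.0.0 255.255.252.0
        set dst-subnet 172.24.32.0 255.255.252.0
    next
end

# ---- Option A (unit 5): the mirror image, local and remote swapped ----
config vpn ipsec phase2-interface
    edit "to-unit4-p2-lan0"
        set phase1name "to-unit4"
        set src-subnet 172.24.32.0 255.255.252.0
        set dst-subnet 172.24.0.0 255.255.252.0
    next
end

# ---- Option B (unit 4 only): source NAT into the selector already in place ----
# Traffic from 172.24.0.0/22 leaves the tunnel as 172.24.16.250 (assumed pool
# address inside 172.24.16.0/22), so the existing selector and unit 5's
# "vpn -> lan, all -> all" policy accept it without any change on unit 5.
config firewall ippool
    edit "vpn-snat-pool"
        set type overload
        set startip 172.24.16.250
        set endip 172.24.16.250
    next
end
config firewall policy
    edit 0
        set name "unit1-to-unit6-snat"
        set srcintf "lan"
        set dstintf "to-unit5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vpn-snat-pool"
    next
end
```

After applying Option A, "diagnose vpn tunnel list" on either unit should show the new selector pair as a second SA under the same tunnel; if it never comes up, compare the two src/dst pairs character by character, since a reversed or mismatched selector fails phase 2 negotiation rather than producing an obvious error. Option A is the cleaner choice when unit 6 needs to see unit 1's real address (logging, host-based rules); Option B is a pragmatic workaround when the remote peer's configuration cannot be changed, at the cost of losing the original source IP on unit 5 and unit 6.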
bad post
Excellent! Extending phase 2 solved the problem. Thank you very much! I had actually tried that earlier but I think I reversed the order of the networks in unit 5.
Copyright 2024 Fortinet, Inc. All Rights Reserved.