sheila
New Contributor

forti 60D-vpn tunnel up but can't ping the remote site through the cli

Hi All,

I have a forti60D and do an IPsec VPN with another brand of firewall.

The VPN status shown on the forti monitor page is up.

And the client under the forti can ping the remote site LAN.

But I find something strange: I can't ping the remote site through the forti CLI.

I don't know where I have a wrong config for the IPsec VPN.

Thank you

Sheila

Toshi_Esumi
SuperUser

A couple of things to verify:

1. Do you have an IP on the phase1-interface (config sys int)? Pinging from the FGT through the tunnel picks up that IP as the source.

2. Did you include from the interface IP <-> destination you're pinging to in the phase2 selectors on both sides? If you're using the default 0/0<->0/0, that should be fine.

3. Does the destination have a route back to your source IP (the interface IP in No.1) toward the tunnel on the other end? Otherwise return packets would follow the default route on the remote side.

In other words, nothing is strange.

rwpatterson
Valued Contributor III

Also using PING options, select the source IP interface.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

sheila
New Contributor

Hi All,

Thank you for your help.

I solved my issue: I have to give the source IP to do the ping.

Sheila
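Added example, not part of any post in this thread: a small Python check that applies the selector and return-route points from the replies above to a given ping source, showing why a LAN client can succeed while a ping from the firewall itself fails. All addresses, subnets and the helper names `in_any` and `diagnose` are constructed for illustration.

```python
import ipaddress

def in_any(ip, prefixes):
    """True if ip falls inside at least one of the given prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def diagnose(src, dst, selectors, remote_return_routes):
    """Explain whether a ping src -> dst can complete over the tunnel.

    selectors: list of (local_subnet, remote_subnet) phase2 selector pairs.
    remote_return_routes: prefixes the remote firewall routes into the tunnel.
    """
    covered = any(in_any(src, [local]) and in_any(dst, [remote])
                  for local, remote in selectors)
    if not covered:
        return "blocked: source/destination pair not in any phase2 selector"
    if not in_any(src, remote_return_routes):
        return "no reply: remote side has no route back to the source via the tunnel"
    return "ok"

# Constructed sample values (assumptions, not taken from the thread).
NARROW_SELECTORS = [("192.168.1.0/24", "10.20.0.0/24")]
DEFAULT_SELECTORS = [("0.0.0.0/0", "0.0.0.0/0")]   # the 0/0 <-> 0/0 case
REMOTE_RETURN_ROUTES = ["192.168.1.0/24"]          # what the far end sends into the tunnel
REMOTE_HOST = "10.20.0.10"
SOURCES = {
    "lan-client": "192.168.1.50",
    "firewall-lan-interface": "192.168.1.1",       # source chosen explicitly for the ping
    "firewall-tunnel-interface": "172.16.255.1",   # source picked up from the tunnel interface
}

def report(selectors):
    """Diagnose every sample source against REMOTE_HOST."""
    return {name: diagnose(ip, REMOTE_HOST, selectors, REMOTE_RETURN_ROUTES)
            for name, ip in SOURCES.items()}

if __name__ == "__main__":
    for label, sel in (("narrow", NARROW_SELECTORS), ("0/0", DEFAULT_SELECTORS)):
        for name, verdict in report(sel).items():
            print(f"{label:7} {name:26} {verdict}")
```

With the narrow selectors the tunnel-interface source is rejected by the selector check; with 0/0 selectors it passes that check but still gets no reply until the remote side has a return route for it.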
