Support Forum
andre_marsaioli
New Contributor

VPN IPSEC SITE TO SITE

Hi everyone,

 

I'm tired, I don't know what else to do...

I have an IPsec VPN SITE A TO SITE B and SITE B TO SITE A, but only SITE B reaches SITE A:

SITE B:

FGT30E_ITAOBI # execute ping 192.168.0.8
PING 192.168.0.8 (192.168.0.8): 56 data bytes
64 bytes from 192.168.0.8: icmp_seq=0 ttl=255 time=34.0 ms
64 bytes from 192.168.0.8: icmp_seq=1 ttl=255 time=33.6 ms
64 bytes from 192.168.0.8: icmp_seq=2 ttl=255 time=33.4 ms
64 bytes from 192.168.0.8: icmp_seq=3 ttl=255 time=33.5 ms
64 bytes from 192.168.0.8: icmp_seq=4 ttl=255 time=33.6 ms
 
--- 192.168.0.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 33.4/33.6/34.0 ms
 
FGT30E_ITAOBI # execute traceroute 192.168.0.8
traceroute to 192.168.0.8 (192.168.0.8), 32 hops max, 3 probe packets per hop, 72 byte packets
 1  192.168.0.8  33.841 ms  33.718 ms  33.571 ms

 

SITE A:

FGTCPS60D # execute traceroute 192.168.40.5
traceroute to 192.168.40.5 (192.168.40.5), 32 hops max, 3 probe packets per hop, 72 byte packets
 1  * * *
 2  * * *
 3  * * *
......
32 ***

 

I deleted and created it again, checked proposal, key, everything, and site A can't even ping site B.

Some URLs I used for instructions: https://kb.fortinet.com/kb/documentLink.do?externalID=FD34846, http://docshare02.docshare.tips/files/25630/256303685.pdf, https://kb.fortinet.com/kb/documentLink.do?externalID=FD40546, https://www.absoluteuc.org/troubleshooting-fortigate, http://soclevelone.com/index.php/2018/05/20/setting-vpn-ipsec-tunnel-with-fortigate/. Has someone seen something like this?

Any help to point me in the right direction would be appreciated.

Toshi_Esumi
Esteemed Contributor III

The first link is for a KB describing a site-to-site VPN, but between an FGT and a Cisco router, and running OSPF over it. But yours seems to be FG30E-FG60D. Are you using OSPF? There should be some cookbooks for FGT-FGT with OSPF. If those subnets are directly connected to either side of the FGT, you don't need OSPF.

 

When you troubleshoot, use the options below to set a proper source IP to ping/traceroute through the tunnel. Otherwise they pick up the tunnel interface IP, which might not be included in the phase2 selectors.

 

Make sure the tunnel is up; then, if the policies for both directions are right without NAT, you need to check the routing table on the FG60D to see whether the routes for the other end are there, pointing into the tunnel.

andre_marsaioli

Hi Toshi,

Thanks for the reply and for helping me.

 

I don't use OSPF in this situation. It's a simple IPsec VPN wizard setup; I did exactly the same to connect another site of my company (FG30E-FG60D) and it works.

andre_marsaioli
New Contributor

Toshi,

 

Look at this.

I searched for the routing tables and executed some commands in the CLI.

 

 

andre_marsaioli

I deleted route, but continue the same issue...

go4itnow

If you do a ping from the CLI, with older versions you must run

exec ping-options source x.x.x.x (where x.x.x.x is the IP of the local LAN interface)

before you start the ping.
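A troubleshooting pass on the Site A FortiGate that follows the two replies above (LAN-side source IP, tunnel state, routing table, then policy/NAT), added here as an example and not posted by anyone in the thread. The tunnel interface name to_SITE_B and the Site A LAN address 192.168.0.1 are assumptions; lines starting with # are explanations, not commands.

```fortios
# Assumed (not from the thread): Site A LAN 192.168.0.0/24 with the FortiGate
# at 192.168.0.1, Site B LAN 192.168.40.0/24, phase1 interface "to_SITE_B".

# 1. Is the tunnel actually up?  The phase1 name should show as up, with a
#    phase2 selector covering 192.168.0.0/24 <-> 192.168.40.0/24.
FGTCPS60D # get vpn ipsec tunnel summary
FGTCPS60D # diagnose vpn ike gateway list name to_SITE_B
FGTCPS60D # diagnose vpn tunnel list name to_SITE_B

# 2. Ping/traceroute from a LAN-side source so the test traffic matches the
#    phase2 selectors instead of using the tunnel interface IP.
FGTCPS60D # execute ping-options source 192.168.0.1
FGTCPS60D # execute ping 192.168.40.5
FGTCPS60D # execute traceroute-options source 192.168.0.1
FGTCPS60D # execute traceroute 192.168.40.5
FGTCPS60D # execute ping-options reset

# 3. Does Site A have a route for Site B's LAN that points into the tunnel?
#    The outgoing interface for 192.168.40.5 must be to_SITE_B; if the lookup
#    falls through to the default route on the WAN interface, the packets
#    never enter the tunnel, which matches the "* * *" traceroute on Site A.
FGTCPS60D # get router info routing-table details 192.168.40.5
FGTCPS60D # get router info routing-table all

# 4. If that route is missing, add it by hand (the wizard normally creates it).
FGTCPS60D # config router static
FGTCPS60D (static) # edit 0
FGTCPS60D (0) # set dst 192.168.40.0 255.255.255.0
FGTCPS60D (0) # set device "to_SITE_B"
FGTCPS60D (0) # next
FGTCPS60D (static) # end

# 5. Trace one ping through the firewall: the flow output shows the policy
#    lookup, any NAT applied, the route chosen and the tunnel used.  A
#    "Denied by forward policy check" line means no LAN->tunnel policy
#    matched; an SNAT line means NAT is enabled on the VPN policy and the
#    source no longer matches the phase2 selector.
FGTCPS60D # diagnose debug flow filter addr 192.168.40.5
FGTCPS60D # diagnose debug flow trace start 10
FGTCPS60D # diagnose debug enable
FGTCPS60D # execute ping-options source 192.168.0.1
FGTCPS60D # execute ping 192.168.40.5
FGTCPS60D # diagnose debug disable
FGTCPS60D # diagnose debug flow trace stop
```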

go4itnow
