IPSec Tunnel Won't connect to remote fortigate

Author
Clubinski25
New Member
2019/07/11 17:00:53


I configured an IPSec tunnel to access my home server through Fortigate 60D. The forticlient will connect while on my home LAN, but when I try to access it from outside my home LAN it does not connect.

Can anyone assist please?
#1


    hubertzw
    Gold Member
    Re: IPSec Tunnel Won't connect to remote fortigate 2019/07/11 23:19:10
    Did you configure all destination IPs in the selectors? Do you have firewall policy for this traffic?
    #2
    Clubinski25
    New Member
    Re: IPSec Tunnel Won't connect to remote fortigate 2019/07/12 04:34:01
    I am not sure what you mean by the destination IPs in the selector. This is a snap of the policy for the tunnel.

    [Attached image: screenshot of the tunnel's firewall policy]

    Please advise,

    post edited by Clubinski25 - 2019/07/12 06:53:24

    #3
    hubertzw
    Gold Member
    Re: IPSec Tunnel Won't connect to remote fortigate 2019/07/12 09:11:44
    You showed policy with destination interface 'internal'. If the resource is accessible via different interface you need a separate policy.
    Selectors - this is how you define what traffic should be sent to the tunnel. If you specify destination for example 10.0.0.0/24, you can't send traffic to 10.1.0.0/24. Verify your VPN settings (phase2).
    #4
    Clubinski25
    New Member
    Re: IPSec Tunnel Won't connect to remote fortigate 2019/07/12 10:54:39
    The internal is what I want to be able to access via VPN. Phase 2 was not configured on the tunnel.

    Internal - 10.0.5.0/24

    I converted it to a custom tunnel and changed the following:
    Remote gateway - dialup User
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local Lan (internal interface)
    Remote address - IPSEC VPN range
    #5
    rwpatterson
    Expert Member
    Re: IPSec Tunnel Won't connect to remote fortigate 2019/07/12 12:20:31
    Clubinski25
    The internal is what i want to be able to access via VPN. Phase 2 was not configured on the tunnel.

    Internal - 10.0.5.0/24

    I converted it to a custom tunnel and changed the following;
    Remote gateway - dialup User
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local Lan (internal interface)
    Remote address - IPSEC VPN range

    Best of my knowledge:
    Remote gateway - dialup User                        (outside IP address of the remote gateway/concentrator)
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local Lan (internal interface)    (Same range as the client range)
    Remote address - IPSEC VPN range                (the subnet that you need to reach on the remote side)

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #6
    Clubinski25
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/11 16:51:46
    • Status: offline
    Re: IPSec Tunnel Won't connect to remote fortigate 2019/07/12 12:41:52 (permalink)
    0
    rwpatterson
    Clubinski25
    The internal is what i want to be able to access via VPN. Phase 2 was not configured on the tunnel.

    Internal - 10.0.5.0/24

    I converted it to a custom tunnel and changed the following;
    Remote gateway - dialup User
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local Lan (internal interface)
    Remote address - IPSEC VPN range

    Best of my knowledge:
    Remote gateway - dialup User                        (outside IP address of the remote gateway/concentrator)
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local Lan (internal interface)    (Same range as the client range)
    Remote address - IPSEC VPN range                (the subnet that you need to reach on the remote side)


    I did change the "Remote Gateway" to my ISP IP, which did not work. I currently have it set to the IP of the Fortigate. When I change it from "dialup user" to "static IP", the Phase 2 selectors disappear and it does not allow me to set the Local Address & Remote Address.

    Hope this helps
    #7
    hubertzw
    Gold Member
    • Total Posts : 192
    • Scores: 5
    • Reward points: 0
    • Joined: 2018/04/16 13:29:04
    • Status: offline
    Re: IPSec Tunnel Won't connect to remote fortigate 2019/07/12 13:07:07 (permalink)
    0
    Clubinski25
    Phase 2 selectors
    Local address - Local Lan (internal interface)
    Remote address - IPSEC VPN range

    You can add more addresses as a local. It allows you to reach the remote subnet. I don't know how you reach that additional subnet (from the FTG) but you need a firewall policy for it.
    The host/server in the remote subnet should know how to reach VPN users. Make sure the routing is correct.
    #8
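Added example, not configuration posted by anyone in this thread: a FortiOS CLI version of the dialup setup the replies describe, using the numbers from the thread (LAN 10.0.5.0/24 behind "internal", client pool 10.0.10.100 - 10.0.10.200). Names assumed here are the WAN interface "wan1", the tunnel "HomeVPN", the address objects "LAN_10.0.5.0" and "VPN_CLIENT_RANGE", and a placeholder pre-shared key. It puts the three pieces the replies keep coming back to in one place: the dialup phase 1 (remote gateway type dynamic, client range handed out by mode-cfg), the phase 2 selectors (local = 10.0.5.0/24, remote = the client pool), and the firewall policy from the tunnel interface to "internal". A subnet reachable through a different interface needs its own selector entry and its own policy, which is hubertzw's point above; the split-include object also has to cover it or the client will not send that traffic into the tunnel at all.

```fortios
# Added example configuration (assumed names; not the poster's config).
# Lines starting with # are explanatory and can be dropped when pasting.

config firewall address
    edit "LAN_10.0.5.0"
        set subnet 10.0.5.0 255.255.255.0
    next
    edit "VPN_CLIENT_RANGE"
        set type iprange
        set start-ip 10.0.10.100
        set end-ip 10.0.10.200
    next
end

# Phase 1: "Remote gateway - Dialup User". Road-warrior FortiClients
# connect to the public address of wan1; the FortiGate does not need
# their address in advance, which is why the type is dynamic.
config vpn ipsec phase1-interface
    edit "HomeVPN"
        set type dynamic
        set interface "wan1"
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set ipv4-start-ip 10.0.10.100
        set ipv4-end-ip 10.0.10.200
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "LAN_10.0.5.0"
        set psksecret PRE-SHARED-KEY-PLACEHOLDER
    next
end

# Phase 2 selectors: local = the LAN behind "internal", remote = the
# address pool the clients are assigned from. A destination outside
# src-subnet is simply not negotiated into the tunnel.
config vpn ipsec phase2-interface
    edit "HomeVPN-p2"
        set phase1name "HomeVPN"
        set proposal aes256-sha256
        set dhgrp 14
        set keepalive disable
        set src-subnet 10.0.5.0 255.255.255.0
        set dst-subnet 10.0.10.0 255.255.255.0
    next
end

# Firewall policy: traffic arriving on the tunnel interface towards
# "internal". A resource on another interface needs a second policy
# with that interface as dstintf.
config firewall policy
    edit 0
        set name "VPN-to-LAN"
        set srcintf "HomeVPN"
        set dstintf "internal"
        set srcaddr "VPN_CLIENT_RANGE"
        set dstaddr "LAN_10.0.5.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With this in place the FortiClient profile on the road points at the public address of wan1, not at an address inside 10.0.5.0/24. To see how far a remote client gets, `diagnose vpn tunnel list` lists the tunnels that came up together with their selectors, and `diagnose debug application ike -1` (after `diagnose debug enable`) prints the IKE negotiation, including the selectors each side proposes, so a phase 2 mismatch or a client that never reaches phase 1 can be told apart from a missing firewall policy, which shows up as a tunnel that is up but carries no traffic.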