IPSec Tunnel Won't connect to remote FortiGate

Author: Clubinski25 (New Member), 2019/07/11 17:00:53

I configured an IPSec tunnel to access my home server through a FortiGate 60D. The FortiClient will connect while on my home LAN, but when I try to connect from outside my home LAN it does not connect.

Can anyone assist please?
#1


    hubertzw (Gold Member), 2019/07/11 23:19:10
    Did you configure all destination IPs in the selectors? Do you have a firewall policy for this traffic?
    #2
    Clubinski25 (New Member), 2019/07/12 04:34:01
    I am not sure what you mean by the destination IPs in the selector. This is a snap of the policy for the tunnel.

    [Attached image: screenshot of the firewall policy for the tunnel]

    Please advise,

    post edited by Clubinski25 - 2019/07/12 06:53:24

    #3
    hubertzw (Gold Member), 2019/07/12 09:11:44
    You showed a policy with destination interface 'internal'. If the resource is accessible via a different interface you need a separate policy.
    Selectors - this is how you define what traffic should be sent into the tunnel. If you specify, for example, destination 10.0.0.0/24, you can't send traffic to 10.1.0.0/24. Verify your VPN settings (phase 2).
    #4
    Clubinski25 (New Member), 2019/07/12 10:54:39
    The internal is what I want to be able to access via VPN. Phase 2 was not configured on the tunnel.

    Internal - 10.0.5.0/24

    I converted it to a custom tunnel and changed the following:
    Remote gateway - Dialup User
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local LAN (internal interface)
    Remote address - IPSEC VPN range
    #5
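    As an added example (not posted by anyone in this thread), this is what the dialup phase 1, the phase 2 selectors and the firewall policy discussed above look like in the FortiOS CLI, using the values from the post above (internal 10.0.5.0/24, client pool 10.0.10.100-10.0.10.200). The interface name wan1, the object names, the user group "vpn-users", the proposals and the PSK are assumptions; the FortiGate 60D's actual names will differ. The selector point is the one hubertzw made: src-subnet in phase 2 must cover every subnet the clients are meant to reach, and each such subnet also needs a policy from the tunnel interface to the interface that hosts it.

```fortios
# Added example, not from the thread. Assumed names: wan1, vpn-users,
# the address objects and the proposal set.

# Phase 1: dynamic (dialup) peer, IKEv1 aggressive mode with XAuth, which is
# what the FortiClient wizard builds. mode-cfg hands each client an address
# from the 10.0.10.100-200 pool.
config vpn ipsec phase1-interface
    edit "home-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn-users"
        set mode-cfg enable
        set ipv4-start-ip 10.0.10.100
        set ipv4-end-ip 10.0.10.200
        set ipv4-netmask 255.255.255.0
        set dpd on-idle
        set psksecret "replace-with-a-long-random-psk"
    next
end

# Phase 2 selectors: local side = the LAN the clients must reach, remote
# side = the client pool. A second LAN (say 10.1.0.0/24) is NOT reachable
# through this selector; it needs its own phase2-interface entry or a
# wider src-subnet, plus its own firewall policy.
config vpn ipsec phase2-interface
    edit "home-dialup-p2"
        set phase1name "home-dialup"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.0.5.0 255.255.255.0
        set dst-subnet 10.0.10.0 255.255.255.0
    next
end

# Address objects used by the policy.
config firewall address
    edit "internal-lan"
        set subnet 10.0.5.0 255.255.255.0
    next
    edit "ipsec-vpn-range"
        set type iprange
        set start-ip 10.0.10.100
        set end-ip 10.0.10.200
    next
end

# Policy from the tunnel interface to 'internal'. Restrict 'service' to
# what the home server actually needs once the tunnel works; ALL is for
# bring-up only.
config firewall policy
    edit 0
        set name "vpn-to-internal"
        set srcintf "home-dialup"
        set dstintf "internal"
        set srcaddr "ipsec-vpn-range"
        set dstaddr "internal-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

    Routes back to the client addresses are added automatically for a dialup phase 1 with mode-cfg (add-route is enabled by default), so no static route is needed for the pool; hosts on 10.0.5.0/24 only need their default gateway to be the FortiGate's internal address.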
    rwpatterson (Expert Member, Long Island, New York, USA), 2019/07/12 12:20:31
    Clubinski25 wrote:
    The internal is what I want to be able to access via VPN. Phase 2 was not configured on the tunnel.

    Internal - 10.0.5.0/24

    I converted it to a custom tunnel and changed the following:
    Remote gateway - Dialup User
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local LAN (internal interface)
    Remote address - IPSEC VPN range

    Best of my knowledge:
    Remote gateway - Dialup User                        (outside IP address of the remote gateway/concentrator)
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local LAN (internal interface)    (same range as the client range)
    Remote address - IPSEC VPN range                (the subnet that you need to reach on the remote side)

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #6
    Clubinski25 (New Member), 2019/07/12 12:41:52
    rwpatterson wrote:
    Clubinski25 wrote:
    The internal is what I want to be able to access via VPN. Phase 2 was not configured on the tunnel.

    Internal - 10.0.5.0/24

    I converted it to a custom tunnel and changed the following:
    Remote gateway - Dialup User
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local LAN (internal interface)
    Remote address - IPSEC VPN range

    Best of my knowledge:
    Remote gateway - Dialup User                        (outside IP address of the remote gateway/concentrator)
    Specified client range = 10.0.10.100 - 10.0.10.200

    Phase 2 selectors
    Local address - Local LAN (internal interface)    (same range as the client range)
    Remote address - IPSEC VPN range                (the subnet that you need to reach on the remote side)


    I did change the "Remote Gateway" to my ISP IP, which did not work. I currently have it set to the IP of the FortiGate. When I change it from Dialup User to "Static IP" the Phase 2 selectors disappear and it does not allow me to set the Local Address & Remote Address.

    Hope this helps
    #7
    hubertzw (Gold Member), 2019/07/12 13:07:07
    Clubinski25 wrote:
    Phase 2 selectors
    Local address - Local LAN (internal interface)
    Remote address - IPSEC VPN range

    You can add more addresses as local. That allows you to reach the remote subnet. I don't know how you reach that additional subnet (from the FGT), but you need a firewall policy for it.
    The host/server in the remote subnet should know how to reach the VPN users. Make sure the routing is correct.
    #8
    Clubinski25 (New Member), 2019/08/27 10:45:43
    I double checked this and matched the above settings, and it is still not connecting to the IPSEC VPN from off my local network.

    Any more suggestions?
    #9
    sw2090 (Gold Member, Regensburg), 2019/08/27 23:55:09
    Hm, you wrote you can connect to your VPN from your LAN but not from outside (even if you set the ISP IP as remote GW on your FortiClient). Unfortunately you didn't provide one important detail:

    How is your FGT connected to the internet? Does the FGT do dialup with PPPoE? Or does it have a static ISP IP on an interface? In that case it should work.

    Or do you have a router in front of your FGT that does the connection to your ISP, with the WAN side of the FGT just connected to it? In that case you need to do some port forwarding on your router. You will need the ports 500/UDP (IPSEC itself) and probably 4500/UDP (NAT-Traversal, if you use it) forwarded to your FGT.

    hth
    Sebastian
    #10
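    As an added example (not part of sw2090's reply), these are the FortiOS CLI checks that separate the two cases above: whether IKE from the outside reaches the FortiGate's WAN interface at all, and if it does, why the negotiation fails. The interface name wan1 is an assumption. One caveat a practitioner would add to the port list: when a NAT router sits in front of the FortiGate, forwarding 4500/UDP is required rather than optional, because the peers detect the NAT during IKE and carry ESP inside UDP 4500; bare ESP (IP protocol 50) cannot be port-forwarded, and a client that only gets 500/UDP through will complete phase 1 and then see no traffic flow.

```fortios
# Added example, not from the thread. Run on the FortiGate CLI while the
# FortiClient outside the LAN attempts to connect. Assumes WAN = wan1.

# 1. Do IKE (500/udp) and NAT-T (4500/udp) packets arrive on wan1 at all?
#    verbosity 4 shows interface names; count 0 = unlimited; 'a' = absolute
#    timestamps. No packets here = the router in front is not forwarding.
diagnose sniffer packet wan1 'udp port 500 or udp port 4500' 4 0 a

# 2. Packets arrive but the tunnel never comes up: capture the IKE
#    negotiation for the peer. Look for which proposal/PSK/XAuth step fails
#    and whether the gateway reports NAT detected for itself or the peer.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
#    ... trigger the connection from the client, then stop the debug:
diagnose debug disable
diagnose debug reset

# 3. Phase 1 up but no traffic: check the negotiated SA and its selectors.
#    A client address outside the phase 2 dst-subnet, or a LAN outside
#    src-subnet, shows up here as a missing or mismatched selector.
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 4. Traffic reaches the tunnel but not the server: trace the policy lookup
#    for one client-to-server flow instead of guessing at the policy.
diagnose debug flow filter saddr 10.0.10.100
diagnose debug flow filter daddr 10.0.5.10
diagnose debug flow trace start 20
diagnose debug enable
#    ... send traffic from the client, then:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

    Step 1 alone answers sw2090's question: if the sniffer shows nothing on wan1 while the client is outside, the FortiGate configuration is not the problem and the device in front of it is. The 10.0.5.10 server address in step 4 is a placeholder for the home server's real address.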