Problem going through two ipsec tunnels

Author
posadzka
2019/10/10 03:44:07 (permalink)

Hi
 
I have this configuration:
forticlientPC -----IPSEC1-------->DC1---------IPSEC2----------->DC2
 
DC1-datacenter1
DC2-datacenter2
IPSEC1-forticlient ipsec tunnel
IPSEC2-site to site permanent tunnel
 
I use FortiClient on Windows 10. When I connect with FortiClient I can ping hosts in DC1, but not in DC2. IPSEC2 is a static site-to-site tunnel.
So the packets should go via the first FortiClient tunnel to DC1, then through IPSEC2 to DC2.

But:
I can ping from PC to hosts in DC1.
I can ping from DC1 hosts to DC2 hosts.

When pinging from forticlientPC -> DC2 I get this debug output on the FortiGate 300D in DC1:
id=20085 trace_id=477 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-09a8ce00, original direction"
id=20085 trace_id=477 func=npu_handle_session44 line=1096 msg="Trying to offloading session from forticlient_26 to IPSEC2, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x03000000"
id=20085 trace_id=477 func=ipsecdev_hard_start_xmit line=640 msg="enter IPsec interface-IPSEC2"
id=20085 trace_id=477 func=ipsec_common_output4 line=804 msg="SA is not ready yet, drop"

"SA is not ready yet, drop". I googled it and found a suggestion that it means the tunnel is not ready. But both tunnels are up and running!
To add to the confusion - after restarting the FortiGate 300D in DC1 it started working for some time, and then stopped some time later...

Can you point me in some direction? I'm confused by this behaviour.
I use a FortiGate 300D with firmware 5.6.11 (latest from 5.x).


    emnoc
    Expert Member
    Re: Problem going through two ipsec tunnels 2019/10/10 06:20:32 (permalink)
    In your phase2 for DC-to-DC, do you have the FortiClient traffic selectors configured? The set src-subnet needs to have the FC client ranges at DC1, and at DC2 the set dst-subnet must have this along with a route.
     
    Ken Felix
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
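The following is an added FortiOS CLI example illustrating the reply above; it is not configuration from either poster. The interface names "forticlient" and "IPSEC2", the FortiClient address pool 10.212.134.0/24, the DC1 LAN 10.1.0.0/16 and the DC2 LAN 10.2.0.0/16 are all assumed placeholders. The point is that a route-based tunnel only builds an SA for the (src, dst) pairs declared in phase2, so the DC1-to-DC2 tunnel needs a second phase2 selector for the client pool on both ends, plus a route and a policy that actually steer the client traffic into it; a flow that matches no selector is what produces "SA is not ready yet, drop" even while the tunnel shows as up for its original selector pair.

```fortios
# ---- DC1 FortiGate (hub for the FortiClient users) ----
# Phase2 selectors on the DC1-to-DC2 tunnel. The first entry is the usual
# LAN-to-LAN pair; the second adds the FortiClient pool as a source so an SA
# exists for client traffic heading to DC2. Each phase2-interface entry under
# the same phase1name is one selector pair.
config vpn ipsec phase2-interface
    edit "IPSEC2-lan"
        set phase1name "IPSEC2"
        set src-subnet 10.1.0.0 255.255.0.0        # DC1 LAN (assumed)
        set dst-subnet 10.2.0.0 255.255.0.0        # DC2 LAN (assumed)
    next
    edit "IPSEC2-forticlient"
        set phase1name "IPSEC2"
        set src-subnet 10.212.134.0 255.255.255.0  # FortiClient pool (assumed)
        set dst-subnet 10.2.0.0 255.255.0.0        # DC2 LAN (assumed)
    next
end

# Route DC2 out of the tunnel interface (needed regardless of the selector).
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "IPSEC2"
    next
end

# Policy from the dial-up tunnel interface into the site-to-site interface.
config firewall policy
    edit 0
        set name "forticlient-to-DC2"
        set srcintf "forticlient"                  # dial-up phase1 name (assumed)
        set dstintf "IPSEC2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- DC2 FortiGate (mirror image) ----
# The selector must be mirrored or the phase2 for this pair will not negotiate.
config vpn ipsec phase2-interface
    edit "IPSEC2-forticlient"
        set phase1name "IPSEC2"
        set src-subnet 10.2.0.0 255.255.0.0        # DC2 LAN (assumed)
        set dst-subnet 10.212.134.0 255.255.255.0  # FortiClient pool (assumed)
    next
end

# Return route for the client pool, so DC2 hosts reply back through the tunnel.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "IPSEC2"
    next
end

# Reverse policy on DC2 for the client pool.
config firewall policy
    edit 0
        set name "DC2-from-forticlient"
        set srcintf "IPSEC2"
        set dstintf "internal"                     # DC2 LAN interface (assumed)
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To verify after the change, `diagnose vpn tunnel list name IPSEC2` on DC1 lists each phase2 selector pair with its own SA state; the client-pool pair should show SAs once a client pings DC2, and the `ipsec_common_output4 ... drop` line should no longer appear in `diagnose debug flow` for that traffic. The intermittent recovery after a reboot is consistent with a selector mismatch rather than a dead tunnel: whichever SA happens to be negotiated first can carry some flows until the selectors are re-negotiated as configured.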