IPSec VPN: Client traffic goes through. Remote firewall has no access.

random_guy, 2020/01/21 09:06:58

Home site: 192.168.0.0/24
Remote site: 10.2.2.0/24
 
Tunnel is up. Clients on either subnet can access resources on either. Remote site FGT cannot see anything on home site.
 
i.e. can't ping 192.168.0.1 from the FGT or access FortiManager and FortiAnalyzer on 192.168.0.0.
 
id=20085 trace_id=6 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=1, XX.XX.XX.XX:1024->192.168.0.100:2048) from local. type=8, code=0, id=1024, seq=0."
id=20085 trace_id=6 func=init_ip_session_common line=5657 msg="allocate a new session-0000112e"
id=20085 trace_id=6 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-To_HOME"
id=20085 trace_id=6 func=ipsec_common_output4 line=804 msg="No matching IPsec selector, drop"

 
I'm assuming I'm missing something on the interfaces of the remote site?
 
WAN1: XX.XX.XX.XX (external IP)
 -TO_HOME 0.0.0.0 (Tunnel Interface)
Hardware switch: 10.2.2.2
 
 
#1


    rwpatterson, 2020/01/21 10:44:41
    Draw a quick pic so we can see the network layout. IP addresses are optional as long as you lay out with names, similar to:
    [remote]---[10.2.2.0]--vpn--[home]

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #2
    random_guy, 2020/01/21 11:45:45
    Home: FGT200 192.168.0.100/24 (Transparent Mode) - Router - |Internet| - Remote: FGT60E NAT 10.2.2.0/24
     
    When I change the ping-source to 10.2.2.2, I can get a reply from anything 192.168.0.x but still no connectivity to FortiManager or FortiAnalyzer (both on 192.168.0.x and can be pinged) 
     
    Remote config:
    config system interface
        edit "wan1"
            set vdom "root"
            set mode dhcp
            set allowaccess ping
            set type physical
            set role wan
            set snmp-index 1
        next
        edit "wan2"
            set vdom "root"
            set mode dhcp
            set allowaccess ping fgfm
            set type physical
            set role wan
            set snmp-index 2
        next
        edit "dmz"
            set vdom "root"
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping https http fgfm capwap
            set status down
            set type physical
            set role dmz
            set snmp-index 3
        next
        edit "modem"
            set vdom "root"
            set mode pppoe
            set type physical
            set snmp-index 4
        next
        edit "ssl.root"
            set vdom "root"
            set type tunnel
            set alias "SSL VPN interface"
            set snmp-index 5
        next
        edit "internal"
            set vdom "root"
            set ip 10.2.2.2 255.255.255.0
            set allowaccess ping https ssh http fgfm capwap
            set type hard-switch
            set stp enable
            set role lan
            set snmp-index 6
        next
        edit "To_HOME"
            set vdom "root"
            set ip 0.0.0.0 255.255.255.255
            set allowaccess fgfm
            set type tunnel
            set snmp-index 7
            set interface "wan1"
        next
        edit "internal4"
            set vdom "root"
            set type physical
            set snmp-index 8
        next
    end

     
     
    #3
    Toshi Esumi, 2020/01/21 14:27:06
    Set an IP like 10.0.0.1/32 on one side, like the Home site's To_HOME interface, and 10.0.0.2/32 on "remote-ip" on the same interface. Do the opposite on the other side. Then add them to the phase2 selector sets to let it access the other side's subnets. Routing would automatically be there as connected routes. When you access from the FGT, the FGT uses it as the source IP. With interface-mode IPsec the tunnel interface should have an IP for routing to work.
    #4
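The addressed-tunnel layout Toshi describes, written out as an added configuration example. This is not from the thread, from Fortinet, or from the original poster's devices: it assumes two NAT-mode FortiGates on FortiOS 6.0 (the transparent-mode home side in this thread is not covered), it reuses the thread's "To_HOME" name and the 10.2.2.0/24 and 192.168.0.0/24 subnets, and it takes 10.0.0.1/32 and 10.0.0.2/32 from Toshi's post. The home-side phase1 name "To_REMOTE", the phase2 entry names and the FortiManager/FortiAnalyzer source-ip options are assumptions.

```fortios
# Added example, not the thread's own config. Assumptions: both peers in NAT mode,
# FortiOS 6.0 syntax, phase1 names "To_HOME" (remote) and "To_REMOTE" (home, assumed).

# --- Remote site (10.2.2.0/24): give the tunnel interface its own /32 pair ---
config system interface
    edit "To_HOME"
        set ip 10.0.0.2 255.255.255.255          # this side (placeholder from the post)
        set remote-ip 10.0.0.1 255.255.255.255   # peer side; yields a connected route
    next
end

# Phase 2 selectors. Every pair must have its mirror image on the peer. The
# "No matching IPsec selector, drop" line in the debug flow above is what the
# FGT logs when a packet's source/destination falls outside every pair; the
# original trace was sourced from the WAN address because To_HOME had 0.0.0.0.
config vpn ipsec phase2-interface
    edit "To_HOME_lan"                   # assumed name: the client traffic that already works
        set phase1name "To_HOME"
        set src-subnet 10.2.2.0 255.255.255.0
        set dst-subnet 192.168.0.0 255.255.255.0
    next
    edit "To_HOME_fgt"                   # assumed name: traffic sourced by the firewall itself
        set phase1name "To_HOME"
        set src-subnet 10.0.0.2 255.255.255.255
        set dst-subnet 192.168.0.0 255.255.255.0
    next
end

# Optional: make management traffic use the tunnel address explicitly.
# Option names as I recall them from the 6.0 CLI reference (assumption).
config system central-management
    set fmg-source-ip 10.0.0.2
end
config log fortianalyzer setting
    set source-ip 10.0.0.2
end

# --- Home site (192.168.0.0/24): the opposite, as Toshi says ---
config system interface
    edit "To_REMOTE"
        set ip 10.0.0.1 255.255.255.255
        set remote-ip 10.0.0.2 255.255.255.255
    next
end
config vpn ipsec phase2-interface
    edit "To_REMOTE_lan"
        set phase1name "To_REMOTE"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.2.2.0 255.255.255.0
    next
    edit "To_REMOTE_fgt"                 # mirror of To_HOME_fgt
        set phase1name "To_REMOTE"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.0.0.2 255.255.255.255
    next
end
# The home side also needs a firewall policy from To_REMOTE to its LAN interface
# whose source address covers 10.0.0.2; a LAN-to-LAN policy restricted to
# 10.2.2.0/24 will not match the tunnel /32.

# --- Verification, run on the remote FGT ---
get router info routing-table connected   # 10.0.0.1/32 shows up without a static route
execute ping-options source 10.0.0.2      # source from the tunnel /32, not the LAN or WAN IP
execute ping 192.168.0.1
diagnose vpn tunnel list name To_HOME     # both selector pairs should be listed
diagnose debug flow filter addr 192.168.0.1
diagnose debug flow trace start 10        # re-run the trace from post #1
diagnose debug enable
```

The selector for the firewall's own traffic is kept separate from the LAN pair so the existing client selector is untouched; if the peer is not a FortiGate, its own policy must list the 10.0.0.2/32 to 192.168.0.0/24 pair in the same way or the SA will not be negotiated.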
    random_guy, 2020/01/22 06:37:03
    I can see where to add this on the remote firewall on the To_HOME tunnel interface. Right now it is 0.0.0.0/32. I'm a little confused about where to add it on HOME (FGT200 transparent).
     
    The root vdom is in transparent mode and does not have any addresses tied to an interface. Our edge router forwards UDP 500/4500 to 192.168.0.100 which is the manageip of the root vdom.
     
    config system settings
        set opmode transparent
        set inspection-mode flow
        set manageip 192.168.0.100/255.255.252.0
        set sip-helper enable
        set gui-policy-based-ipsec enable
        set gui-ips enable
        set gui-wireless-controller disable
        set gui-allow-unnamed-policy enable
    end

     
    If there are other portions of the config I can upload, please let me know.
     
    Thanks
     
    #5
    Toshi Esumi, 2020/01/22 08:41:31
    I didn't know a transparent mode FGT (or vdom) could terminate IPsec VPNs. And I'm not sure if you can access the other side FROM the transparent mode FGT. I'll let others who know more about transparent mode speak up.
    #6
    random_guy, 2020/01/23 13:12:06
    Entered a support ticket and got the problem resolved in case anyone stumbles across this. 
     
    On Phase 1 of the tunnel on the FGT200: set npu-offload disable 
    #7
    Toshi Esumi, 2020/01/23 14:08:56
    That's not a resolution but a work-around. It must be a bug related to ASIC handling. What version of FortiOS are you running?
    #8
    random_guy, 2020/01/24 05:37:40
    6.04
    #9
    Toshi Esumi, 2020/01/24 08:42:37
    You should consider upgrading it to the latest 6.0, which is 6.0.9 released this week. Without asic-offload enabled, performance of encrypting/decrypting traffic over the tunnel is lower and it impacts CPU load.
    #10