Unable to ping IPsec VPN connected workstations from any internal devices on my network

Author
eb951753
New Member
  • Total Posts : 6
  • Scores: 2
  • Reward points: 0
  • Status: offline
2020/07/24 06:48:07
0

Hello everyone,
 
I'm trying to figure out how I can allow one of my Fortinet interfaces to ping the "IPsec VPN" IP of my remote users (connected with Forticlient).
 
From the Fortinet itself, I'm able to ping those IPsec VPN connected workstations just fine, but I'm unable to do the same from any other interface (e.g. from a server behind the Fortigate).
 
I already created an IPv4 Policy to allow "PING" to go through from one of my internal interfaces to the "IPsec" interface, but that does not seem to work...
I also tried adding a static route, but that did not seem to help.
 
Has anyone faced a similar issue like this before?
Thanks for your help and best regards,
--
Eric
 
#1
eb951753
New Member
  • Total Posts : 6
  • Scores: 2
  • Reward points: 0
  • Status: offline
Re: Unable to ping IPsec VPN connected workstations from any internal devices on my network 2020/07/24 09:01:04
0
I'm actually not only trying to allow "ping" from a device (workstation/server) within my organization to the "IPsec VPN connected devices (with forticlient)", but I would like to allow other kinds of traffic as well (i.e. being able to access the local C$ shared drive on one of those remote workstations). Once I can get the ICMP (ping) working, the rest should be easy-peasy...

--
Eric
#2
eb951753
New Member
  • Total Posts : 6
  • Scores: 2
  • Reward points: 0
  • Status: offline
Re: Unable to ping IPsec VPN connected workstations from any internal devices on my network 2020/07/24 10:10:35
0
Here's a picture to illustrate my current issue:

post edited by eb951753 - 2020/07/27 05:23:37

Attached Image(s)


--
Eric
#3
ede_pfau
Expert Member
  • Total Posts : 6383
  • Scores: 547
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Unable to ping IPsec VPN connected workstations from any internal devices on my network 2020/07/24 11:23:24 (marked Helpful by eb951753 2020/07/27 06:11:41)
0
hi,
 
and welcome to the forums.
For a dial-in IPsec VPN, the FGT will dynamically create a host route back to the FortiClient host. So you will not need a static route (to which gateway anyway??). But you need a policy to allow outbound traffic.
Can you try to access the client's host in a different way? Windows PCs often block ping by the internal Windows firewall (for which I hate it).
Or just make sure there is no software (Win FW, AV "all around security package") blocking external access.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#4
eb951753
New Member
  • Total Posts : 6
  • Scores: 2
  • Reward points: 0
  • Status: offline
Re: Unable to ping IPsec VPN connected workstations from any internal devices on my network 2020/07/24 12:00:45
0
Hello Ede,
 
Thank you so much for your response about my current issue!
 
I was assuming that a static route was not required; thanks for clearing that one up.
 
I already have a policy that has been created for trying to get the ICMPv4 to get through:
- From: <my_internal_interface>
- To: <my_IPsec_VPN_interface>
- Source: <one of my servers>
- Destination: <List_of_IP_addresses_used_by_IPsec_VPN_forticlients>
- Service: Ping and Traceroute
 
On the Windows PC connected with forticlient, I even turned off the firewall.
I can ping it using the fortigate "cli", but I still cannot ping it using my server (the one specified in my Policy).
 
Please let me know if you think that I might still be missing something.
Thanks again!
--
Eric
#5
eb951753
New Member
  • Total Posts : 6
  • Scores: 2
  • Reward points: 0
  • Status: offline
Re: Unable to ping IPsec VPN connected workstations from any internal devices on my network 2020/07/27 13:20:31
0
If anyone has any experience in allowing internal traffic (internal interface) to an IPsec VPN tunnel (Forticlient connected devices), please let me know.
 
Thank you.
--
Eric
#6
eb951753
New Member
  • Total Posts : 6
  • Scores: 2
  • Reward points: 0
  • Status: offline
Re: Unable to ping IPsec VPN connected workstations from any internal devices on my network 2020/08/10 05:54:43
5 (1)
Hello everyone,
 
I just wanted to update this forum with the solution to my original issue.
(I had to open a case with support to get this resolved.)
 
Turns out that all my routes and IPv4 Policies were set up just fine.
My issue was caused by the "net-device" feature of my IPsec tunnel, which was set to "enable".
I simply had to set it to "disable" in order to fix my issue, as follows:
==========================
config vpn ipsec phase1-interface
    edit <VPN_name>
        set net-device disable
    next
end
==========================
 
After that, I was able to ping and traceroute the PCs of my remotely VPN connected users.
 
In the FortiOS 6.0 branch, the net-device feature is only available for dial-up tunnels.
"enable": creates a kernel device for every dialup instance.
"disable": does not create a kernel device for dialup instances.

If enabled, the VPN will be creating individual interfaces.
It might create problems in handling the policy routes...
 
Hope this helps anyone else who has had the same issue as mine.
Thanks!
--
Eric
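As an added example (not part of the thread, and not Fortinet's own tooling), the following script audits a FortiOS configuration export for the condition Eric describes: a dial-up phase1-interface that still has net-device enabled. It assumes the standard config-export layout (config / edit / set / next / end) and that dial-up tunnels carry `set type dynamic`; the sample configuration is constructed for the demonstration, and the tunnel names and the `203.0.113.10` peer are placeholders.

```python
# Constructed sample FortiOS config excerpt (not taken from the forum post).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dialup_clients"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set net-device enable
        set psksecret ENC PLACEHOLDER
    next
    edit "site2site_branch"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set net-device enable
        set psksecret ENC PLACEHOLDER
    next
end
"""

def parse_phase1(cfg_text):
    """Return {tunnel_name: {attribute: value}} for every 'edit' entry under
    'config vpn ipsec phase1-interface'. Other config sections are ignored."""
    tunnels, in_block, current = {}, False, None
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            break
    return tunnels

def dialup_tunnels_with_net_device(cfg_text):
    """Dial-up (type dynamic) tunnels with net-device enabled: the combination
    that blocked internal-to-client traffic in the thread. A tunnel that omits
    the attribute is assumed not to have it enabled (version defaults vary)."""
    return sorted(name for name, attrs in parse_phase1(cfg_text).items()
                  if attrs.get("type") == "dynamic"
                  and attrs.get("net-device", "disable") == "enable")

def remediation_cli(names):
    """Build the CLI block from the post for each flagged tunnel."""
    lines = ["config vpn ipsec phase1-interface"]
    for name in names:
        lines += [f'    edit "{name}"', "        set net-device disable", "    next"]
    return "\n".join(lines + ["end"])
```

Run it against a `show vpn ipsec phase1-interface` export; site-to-site tunnels with net-device enabled are left alone, since the thread's caveat applies to dial-up instances only.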
© 2020 APG vNext Commercial Version 5.5