Ping CLI on web panel and SSH does not respond to FG VPN | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!Ping CLI on web panel and SSH does not respond to FG VPN

Author Post Essentials Only Full Version
Cleyton Agenil da Silva New Member Total Posts : 12 Scores: 0 Reward points: 0 Joined: 2020/06/18 11:35:24 Status: offline 2020/11/30 04:20:31 (permalink) 0 Ping CLI on web panel and SSH does not respond to FG VPN Dear I have the following scenario: I have two Fortigate connected via Ipsec VPN (FG 80E HQ + FG 50E BRANCH) Behind the FG 80E HQ I have a Windows DNS server, resolving the DNS of the station behind the FG 50E. However, in the web management console of the FG 50E Branch in the DNS -> DNS Settings option, I specify DNS windows behind the FG 80E HQ. However DNS Servers is red, indicating that the Windows DNS server was not found. When pinging through the CLI console on the web panel or via SSH an error message appears, as shown in the image attached in this post. The LAN interface ip on the FG 80E HQ also does not respond to ping. Attached Image(s) #1 5 Replies Related Threads
brycemd Gold Member Total Posts : 121 Scores: 10 Reward points: 0 Joined: 2016/12/03 11:24:30 Status: offline Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/11/30 10:08:33 (permalink) 5 (1) The issue in both cases is source IP. The fortigate will use the interface IP it leaves from as it's source, in this case the IPSEC tunnel. The problem being that by default that IP is going to be 0.0.0.0 so it's effectively unroutable as a source IP. Unless you want to IP your IPSEC tunnel interfaces and make them routable you need to specify the source IP. For DNS: config sys dns set source-ip x.x.x.x end For ping: exec ping-options source x.x.x.x exec ping x.x.x.x There are source ip options like this for other services as well.. LDAP, RADIUS, etc. That are useful for IPSEC tunnels. post edited by brycemd - 2020/11/30 10:10:32 #2
Cleyton Agenil da Silva New Member Total Posts : 12 Scores: 0 Reward points: 0 Joined: 2020/06/18 11:35:24 Status: offline Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/12/01 06:05:32 (permalink) 0 Thanks for the tip brycemd I configured the Tunel interface, removing the default ip 0.0.0.0 and adding the source ip (Addressing mode Manual IP 10.1.2.1/32 and remote IP / Netmask 10.1.1.1/24 - Destination IP) I tried to route IP from the IPSENC VPN interface, but I'm not getting it. #3
slashdes New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2017/11/09 05:39:06 Status: offline Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/12/02 12:30:52 (permalink) 0 Hi! I have the same problem. How i can make routable IP and IPsec if ? #4
brycemd Gold Member Total Posts : 121 Scores: 10 Reward points: 0 Joined: 2016/12/03 11:24:30 Status: offline Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/12/02 12:58:43 (permalink) 5 (1) The commands I put above are to get around the need for routable IPSEC interfaces. So that will work when they are set to the default 0.0.0.0.(the source IP you input being the LAN IP) If you do want to make them routable it's a matter of assigning them a /32 IP on both ends and simply creating a route so it can get to each other. ie, on site A you assign 10.20.20.10/32 and on site B you assign 10.20.20.60/32. On site A create a route sending 10.20.20.60 across the tunnel, and on site B create a route sending 10.20.20.10 across the tunnel. You may need to add the 'routing subnet' to the phase 2 of the tunnel or simply change the phase 2 to 0.0.0.0/0.0.0.0 This will make it so when the traffic originating from the FortiGate itself going across the tunnel has a valid IP and the other side knows how to return the traffic. #5
slashdes New Member Total Posts : 6 Scores: 0 Reward points: 0 Joined: 2017/11/09 05:39:06 Status: offline Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/12/03 01:23:20 (permalink) 0 HI! Thank you for the answer. My scheme is FG60->NAT FG61->internet->FG100 In my route table on FG60 i have three records which created after IPsec create. One of that rows is 0.0.0.0/0.0.0.0 through Ipsec interface. In phase2 Remote address parameter is 0.0.0.0/0.0.0.0. I have successful ping from FG60 to remote networks behind FG100 with parameter SRC IP. What i do wrong? post edited by slashdes - 2020/12/03 01:24:22 #6

Jump to:

© 2021 APG vNext Commercial Version 5.5