Ping CLI on web panel and SSH does not respond to FG VPN

Author
Cleyton Agenil da Silva
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/18 11:35:24
  • Status: offline
2020/11/30 04:20:31 (permalink)
0

Ping CLI on web panel and SSH does not respond to FG VPN

Dear
I have the following scenario:
I have two Fortigate connected via Ipsec VPN (FG 80E HQ + FG 50E BRANCH)
Behind the FG 80E HQ I have a Windows DNS server, resolving the DNS of the station behind the FG 50E.
However, in the web management console of the FG 50E Branch in the DNS -> DNS Settings option, I specify DNS windows behind the FG 80E HQ.
However DNS Servers is red, indicating that the Windows DNS server was not found.
When pinging through the CLI console on the web panel or via SSH an error message appears, as shown in the image attached in this post.
The LAN interface ip on the FG 80E HQ also does not respond to ping.


#1


    brycemd
    Gold Member
    • Total Posts : 121
    • Scores: 10
    • Reward points: 0
    • Joined: 2016/12/03 11:24:30
    • Status: offline
    Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/11/30 10:08:33 (permalink)
    5 (1)
    The issue in both cases is source IP. The FortiGate will use the interface IP it leaves from as its source, in this case the IPsec tunnel. The problem being that by default that IP is going to be 0.0.0.0, so it's effectively unroutable as a source IP. Unless you want to IP your IPsec tunnel interfaces and make them routable, you need to specify the source IP.
     
    For DNS:
    config sys dns
    set source-ip x.x.x.x
    end
     
    For ping:
     
    exec ping-options source x.x.x.x
    exec ping x.x.x.x
     
    There are source IP options like this for other services as well (LDAP, RADIUS, etc.) that are useful for IPsec tunnels.
    post edited by brycemd - 2020/11/30 10:10:32
    #2
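A fuller version of the source-IP workaround from the reply above, written as an added example rather than the poster's own commands. It assumes a branch LAN address of 192.0.2.1 and an HQ DNS server of 198.51.100.10 (both constructed placeholders), and the LDAP/RADIUS object names "hq-ldap" and "hq-radius" are assumed:

```fortios
# Added example, not from the reply above.
# Assumed values: branch FortiGate LAN address 192.0.2.1, HQ Windows DNS
# server 198.51.100.10, HQ LDAP 198.51.100.20, HQ RADIUS 198.51.100.30
# (all constructed placeholders).
# The IPsec tunnel interface has 0.0.0.0 by default, so traffic the
# FortiGate originates itself must be pinned to an address the remote
# side can route back to.

# 1. System DNS: resolver queries leave with the LAN address as source
config system dns
    set primary 198.51.100.10
    set source-ip 192.0.2.1
end

# 2. One-off ping from the GUI CLI console or SSH
#    (ping-options only applies to the current session)
execute ping-options source 192.0.2.1
execute ping 198.51.100.10

# 3. Same knob for other self-originated services reached via the tunnel
config user ldap
    edit "hq-ldap"
        set server "198.51.100.20"
        set source-ip 192.0.2.1
    next
end
config user radius
    edit "hq-radius"
        set server "198.51.100.30"
        set source-ip 192.0.2.1
    next
end

# Check: the firewall's own DNS/ICMP traffic should now show 192.0.2.1
# as source and leave via the tunnel interface (verbose level 4 prints
# the interface names)
diagnose sniffer packet any "host 198.51.100.10" 4
```

Two things still have to be true for the replies to come back: the HQ phase 2 selectors must include the branch LAN subnet the source address belongs to, and an HQ firewall policy from the tunnel interface to the LAN must permit DNS and ICMP from that address.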
    Cleyton Agenil da Silva
    New Member
    • Total Posts : 12
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/06/18 11:35:24
    • Status: offline
    Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/12/01 06:05:32 (permalink)
    0
    Thanks for the tip brycemd
     
    I configured the tunnel interface, removing the default IP 0.0.0.0 and adding the source IP (Addressing mode
    Manual IP 10.1.2.1/32 and remote IP / Netmask 10.1.1.1/24 - Destination IP).
    I tried to route IP from the IPsec VPN interface, but I'm not getting it.
    #3
    slashdes
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/11/09 05:39:06
    • Status: offline
    Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/12/02 12:30:52 (permalink)
    0
    Hi! I have the same problem. How can I make the IP and the IPsec interface routable?
    #4
    brycemd
    Gold Member
    • Total Posts : 121
    • Scores: 10
    • Reward points: 0
    • Joined: 2016/12/03 11:24:30
    • Status: offline
    Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/12/02 12:58:43 (permalink)
    5 (1)
    The commands I put above are to get around the need for routable IPsec interfaces. So that will work when they are set to the default 0.0.0.0 (the source IP you input being the LAN IP).
     
    If you do want to make them routable, it's a matter of assigning them a /32 IP on both ends and simply creating a route so they can get to each other. I.e., on site A you assign 10.20.20.10/32 and on site B you assign 10.20.20.60/32. On site A create a route sending 10.20.20.60 across the tunnel, and on site B create a route sending 10.20.20.10 across the tunnel. You may need to add the 'routing subnet' to the phase 2 of the tunnel or simply change the phase 2 to 0.0.0.0/0.0.0.0.
     
    This will make it so that traffic originating from the FortiGate itself going across the tunnel has a valid IP, and the other side knows how to return the traffic.
    #5
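The routable-tunnel approach from the reply above, spelled out for both sites as an added example (not the poster's configuration). The /32 addresses are the ones the reply uses; the tunnel interface names "to-siteB" and "to-siteA" and the phase 2 name "p2-siteB" are assumed:

```fortios
# Added example, not the poster's own configuration.
# Assumed names: tunnel interface "to-siteB" on site A, "to-siteA" on
# site B, phase 2 object "p2-siteB". Addresses 10.20.20.10/32 and
# 10.20.20.60/32 are taken from the reply.

# ---- Site A ----
config system interface
    edit "to-siteB"
        set ip 10.20.20.10 255.255.255.255
        set remote-ip 10.20.20.60 255.255.255.255
    next
end
# Route the far end's /32 into the tunnel
config router static
    edit 0
        set dst 10.20.20.60 255.255.255.255
        set device "to-siteB"
    next
end

# ---- Site B ----
config system interface
    edit "to-siteA"
        set ip 10.20.20.60 255.255.255.255
        set remote-ip 10.20.20.10 255.255.255.255
    next
end
config router static
    edit 0
        set dst 10.20.20.10 255.255.255.255
        set device "to-siteA"
    next
end

# ---- Both sites: phase 2 must cover the tunnel addresses ----
# Either add a selector for 10.20.20.0/24 or, as the reply suggests,
# use the catch-all selector shown here (site A side; mirror on site B)
config vpn ipsec phase2-interface
    edit "p2-siteB"
        set phase1name "to-siteB"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Verify from site A: the interface now has a real address, so no
# ping-options source is needed; the route table should list the /32
execute ping 10.20.20.60
get router info routing-table all
```

With a 0.0.0.0/0 selector on both ends, every matching policy route is eligible to enter the tunnel, so keep the firewall policies on the tunnel interfaces scoped to the subnets that are meant to cross it rather than "all".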
    slashdes
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/11/09 05:39:06
    • Status: offline
    Re: Ping CLI on web panel and SSH does not respond to FG VPN 2020/12/03 01:23:20 (permalink)
    0
    Hi! Thank you for the answer.
    My scheme is FG60 -> NAT FG61 -> internet -> FG100.
    In my route table on FG60 I have three records which were created after the IPsec was created.
    One of those rows is 0.0.0.0/0.0.0.0 through the IPsec interface.
    In phase 2 the Remote Address parameter is 0.0.0.0/0.0.0.0.
    I have a successful ping from FG60 to remote networks behind FG100 with the SRC IP parameter.
    What am I doing wrong?
    post edited by slashdes - 2020/12/03 01:24:22
    #6