Routing problem between 2 FG Tunnel VPN IPsec

Author
DavidC
New Member
2020/12/11 07:18:56

Hello,
 
I need help solving a routing problem.
 
The HQ and Branch Fortigate FWs are connected via an IPsec site-to-site VPN; everything is working fine, we can ping and have access from servers and resources LAN to LAN from both sides.
 
I created a static route from the Branch's LAN 10.0.151.0/24 to HQ's router 10.0.78.253 on the Arkoon firewall.
 
We host a SaaS solution with a service provider, and this provider authorizes the different LANs to connect to the solution (France agencies + UK agency).
 
On our Arkoon Firewall, we have authorized the different LANs that must have access to the LAN of the SaaS solution, 192.168.100.0/24.
 
This works very well for all the agencies in France, except for the UK LAN with 10.0.151.0/24 addressing.
 
When I run tracert from a computer on the Branch's LAN, 10.0.151.109, I can ping 10.0.78.253 and 10.0.78.254.
But when I try to ping or tracert 192.168.100.20, it cannot find a route and fails at the first hop after 10.0.151.254.
 
Thank you in advance.
 
You can find in my screenshot: Fortigate FW UK - static routes, IPv4 rules and network topology.

Regards,

Attached Image(s)

#1
isamt
Bronze Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/13 03:53:40
Does the 192.168.100.0/24 network have a route back to the 10.0.151.0/24 network?
Routing is usually very simple. The source must have a route to the destination and the destination must have a route back to the source. Then, in between, policies that allow the traffic to pass.
#2
DavidC
New Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 00:50:20
Sorry for the late answer, yes the 192.168.100.0/24 network has a route back to the 10.0.151.0/24 network.
For IPv4 rules, we have allowed all traffic on both sides, between source and destination.
#3
isamt
Bronze Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 01:58:49
You can confirm the routes are in place by running the following commands on the Fortigate:
 
"get router info routing-table all" - this will show the full routing table
 
Then you can check the route used for, say, 192.168.100.0/24:
"get router info routing-table details 192.168.100.0"
This will tell you where the Fortigate is learning the route from and where it is sending the traffic to get to it.
 
If the above is all fine, then you will need to debug the traffic.
 
From an SSH session on the Fortigate enter
 
diagnose debug reset
diagnose debug disable
diagnose debug enable
diagnose debug console timestamp enabled
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.100.x
diagnose debug flow filter addr 10.0.151.x
diagnose debug flow trace start 100


Run a ping between the hosts and check the debug output
When finished debugging make sure you run the following commands to turn off debug mode
 
diagnose debug reset
diagnose debug disable
#4
DavidC
New Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 05:24:25
Ok, thanks for all commands for fortigate CLI. I'll make the necessary arrangements and debug, I'll keep you posted.
Thank you,
#5
Yurisk
Gold Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 05:56:25
What have you set as Proxy ID in the Phase 2 configuration of the VPN sites, specific networks or 0.0.0.0?
 
#6
DavidC
New Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 06:49:04
Yurisk
What have you set as Proxy ID in the Phase 2 configuration of the VPN sites, specific networks or 0.0.0.0?

In Phase 2, I have set Local Address Branch-to-HQ_local 10.0.151.0/24 and Branch-to-HQ_remote 10.0.78.0/24.
 
Thank you in advance, 
 
Regards.
post edited by DavidC - 2020/12/23 06:50:13

Attached Image(s)

#7
Phil Lofthouse
New Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 07:46:09
Best Answer, marked by DavidC 2021/01/05 01:59:34
Hi David.
 
It looks like you will need an additional Phase 2 configured on the Branch FortiGate, to allow 10.0.151.0/24 (local) to have a tunnel to 192.168.100.0/24 (remote), with the opposite configured on the HQ FortiGate.
 
Regards,
Phil
#8
forthright
New Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 07:54:08
Can you post a simple diagram of your topology? I was having a similar issue and I may be able to help, but I need to see what your topology looks like. From your description, I think I am missing a piece of the topology.
 
A diagram would be helpful.
#9
forthright
New Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 07:56:36
I believe Phil is correct. This is exactly what I had to do. I was also going to suggest this, however I wanted to see a diagram of your topology first.
#10
Yurisk
Gold Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2020/12/23 09:44:55
What Phil says, David: beyond routing to the 192.168 network via the VPN tunnel interface, you have to add Phase 2 selectors for the networks in question as well.

DavidC
In Phase 2, I have set Local Address Branch-to-HQ_local 10.0.151.0/24 and Branch-to-HQ_remote 10.0.78.0/24.
Thank you in advance,
Regards.

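Phil's and Yurisk's advice as a FortiOS CLI fragment (an added example, not configuration posted in the thread): the extra Phase 2 selector on the Branch FortiGate, its mirror on HQ, plus the route and policy that send branch traffic for the SaaS LAN into the tunnel. The subnets are the thread's own; the phase1/tunnel interface names "Branch-to-HQ" and "HQ-to-Branch", the LAN port "port2" and the address-object and policy names are assumptions.

```text
# Branch FortiGate (UK): additional Phase 2 selector for the SaaS LAN.
# Assumed phase1 name "Branch-to-HQ"; the subnets are the thread's own.
config vpn ipsec phase2-interface
    edit "Branch-to-SaaS"
        set phase1name "Branch-to-HQ"
        set proposal aes256-sha256
        set src-subnet 10.0.151.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end

# Route for the SaaS LAN into the tunnel interface (the branch already had one
# per the original post; shown here because the selector is useless without it).
config firewall address
    edit "SaaS_LAN"
        set subnet 192.168.100.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "Branch-to-HQ"
    next
end

# Policy from the branch LAN (assumed interface "port2") into the tunnel.
config firewall policy
    edit 0
        set name "Branch-LAN_to_SaaS"
        set srcintf "port2"
        set dstintf "Branch-to-HQ"
        set srcaddr "all"
        set dstaddr "SaaS_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# HQ FortiGate: the mirror-image selector (assumed phase1 name "HQ-to-Branch").
# HQ still needs its own route for 192.168.100.0/24 toward the Arkoon and a
# policy from the tunnel interface to that LAN, using HQ's interface names.
config vpn ipsec phase2-interface
    edit "HQ-to-Branch_SaaS"
        set phase1name "HQ-to-Branch"
        set proposal aes256-sha256
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 10.0.151.0 255.255.255.0
    next
end
```

After applying it, "get router info routing-table details 192.168.100.0" from isamt's post should show the tunnel interface as the exit, and the debug flow trace should no longer drop the packet for lack of a matching selector.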
#11
DavidC
New Member
Re: Routing problem between 2 FG Tunnel VPN IPsec 2021/01/05 01:58:09
Phil Lofthouse
Hi David.
 
It looks like you will need an additional Phase 2 configured on the Branch FortiGate, to allow 10.0.151.0/24 (local) to have a tunnel to 192.168.100.0/24 (remote), with the opposite configured on the HQ FortiGate.
 
Regards,
Phil

I added the additional phase 2 as shown and changed the IPv4 policy from HQ to branch.
It works perfectly, thank you all for your help.