Can not ping tunnel interface IPs

nknit
2021/03/12 07:55:43 (permalink)

Hello,
 
I try to ping between 2 IPsec tunnel IPs, but it does not work.
I have a FGT 101-E with this config:
config system interface
    edit "VPN_W"
        set vdom "root"
        set ip 10.102.0.6 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.102.0.5 255.255.255.255
        set snmp-index 42
        set interface "wan2"
    next
end
 
and a FGT 60-D with this config:
config system interface
    edit "VPN_N"
        set vdom "root"
        set ip 10.102.0.5 255.255.255.255
        set allowaccess ping https http
        set type tunnel
        set remote-ip 10.102.0.6 255.255.255.255
        set alias "VPN-Verbindung zur N"
        set snmp-index 15
        set interface "wan1"
    next
end
 
If I try to execute ping 10.102.0.6 on FGT 60-D or execute ping 10.102.0.5 on FGT 101-E, it does not work.
Am I correct in the assumption that I do not need any policy, because ping is enabled at the interface?
 
Thanks
 
Markus
#1
Toshi Esumi
Re: Can not ping tunnel interface IPs 2021/03/12 08:14:32 (permalink)
Those pings go inside the tunnel, therefore the tunnel needs to be up. I don't remember exactly but I think the tunnel doesn't come up without associating policies on both sides. Is there any reason you need not to have policies to test a new tunnel?
#2
nknit
Re: Can not ping tunnel interface IPs 2021/03/16 02:14:34 (permalink)
Hello Toshi,
 
Thanks for the reply.
I'm looking for a way to check the tunnel without the need of systems behind the tunnel endpoints. Ping between the nets behind the tunnel is possible, but I want to ping the IPs of the tunnel interfaces.
Is it possible from the firewall?
 
Thanks
 
Markus
#3
Toshi Esumi
Re: Can not ping tunnel interface IPs 2021/03/16 09:02:04 (permalink)
Did you add the tunnel IP set for the phase2 net selectors?
#4
nknit
Re: Can not ping tunnel interface IPs 2021/04/27 03:00:49 (permalink)
Hello Toshi,
 
Thanks for your answer, but I don't know what you mean. Do I need a phase2 for a transfer net between the IPs I've set at the tunnel interfaces? And what should be the local and remote net?
I've changed the remote IP netmask at the tunnel interface to 255.255.255.252. I can see it in the routing table of my firewall; the net is directly connected to the VPN interface. I have a local policy for ping from this interface, but I can not ping.
What did I miss? Or is it not possible to ping the remote-ip?
 
Thanks
 
Markus
#5
Toshi Esumi
Re: Can not ping tunnel interface IPs 2021/04/27 09:11:47 (permalink) Best Answer by nknit 2021/05/12 06:46:19
What did you configure in phase2? If you are using the default 0/0<->0/0, then you don't have to do anything extra and should be able to ping the opposite side. But if you set anything narrower than the default, the set of selectors needs to include 10.102.0.5/32<->10.102.0.6/32.
Routing is not an issue because it's automatically injected into the routing-table.
#6
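The selector rule from the answer above, as an added example that is not part of any post in this thread: a simplified Python model that checks whether a set of phase2 selectors carries traffic between the two tunnel interface IPs in each direction. The selector names and the 192.168.x.x LAN subnets are hypothetical; only the 10.102.0.5 and 10.102.0.6 addresses come from the thread.

```python
import ipaddress

# Tunnel interface addresses taken from the thread.
TUNNEL_LOCAL = "10.102.0.6"   # VPN_W on the FGT 101-E
TUNNEL_REMOTE = "10.102.0.5"  # VPN_N on the FGT 60-D


def covering_selector(selectors, src_ip, dst_ip):
    """Return the name of the first phase2 selector whose local and remote
    subnets contain src_ip and dst_ip, or None if no selector carries it."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for name, local_net, remote_net in selectors:
        if (src in ipaddress.ip_network(local_net)
                and dst in ipaddress.ip_network(remote_net)):
            return name
    return None


def mirrored(selectors):
    """The same selectors as seen from the peer: local and remote swapped."""
    return [(name, remote, local) for name, local, remote in selectors]


# Constructed sample selector sets (names and LAN subnets are hypothetical).
DEFAULT = [("p2-default", "0.0.0.0/0", "0.0.0.0/0")]
LAN_ONLY = [("p2-lan", "192.168.10.0/24", "192.168.20.0/24")]
LAN_PLUS_TUNNEL = LAN_ONLY + [("p2-tunnel-ip", "10.102.0.6/32", "10.102.0.5/32")]


def report():
    """For each selector set, list which selector (if any) carries the
    tunnel-IP ping from the 101-E and the reply direction from the 60-D."""
    rows = []
    for label, sels in (("default", DEFAULT),
                        ("lan-only", LAN_ONLY),
                        ("lan+tunnel-ip", LAN_PLUS_TUNNEL)):
        out = covering_selector(sels, TUNNEL_LOCAL, TUNNEL_REMOTE)
        back = covering_selector(mirrored(sels), TUNNEL_REMOTE, TUNNEL_LOCAL)
        rows.append((label, out, back))
    return rows


if __name__ == "__main__":
    for label, out, back in report():
        print(f"{label:14} 101-E->60-D: {out}  60-D->101-E: {back}")
```

The lan-only case matches the symptom in the thread: hosts behind the tunnel reach each other, while the tunnel interface IPs fall outside every selector.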
nknit
Re: Can not ping tunnel interface IPs 2021/05/12 06:45:47 (permalink)
Hello Toshi,
 
Thank you for your help. It works with a phase2, of course. I got lost in the problem, so I couldn't see the obvious.
 
Thanks
 
Markus
#7