site to site vpn connected, but can't ping to remote hosts

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-09-16 15:45:20
Tags: #VPN
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.0.1 Build 20220223 Rel.68551

Hi,

I've created an IPsec site to site tunnel with a FortiGate firewall as follows:

LOCAL PC <=> ER605 <=> NAT ROUTER <=== INTERNET ===> FORTIGATE FIREWALL <==> REMOTE PC

LOCAL PC: 192.168.63.100/24

REMOTE PC: 192.168.199.100/24

ER605 WAN: 192.168.1.100

NAT ROUTER LAN: 192.168.1.1

The IPsec SA shows that both the in- and out-direction tunnels are successfully connected.

But I can't ping from the local PC (192.168.63.100) to the remote PC (192.168.199.100).

The firewall rule is already set up to allow "All" services from the VPN tunnel interface to the remote PC.

Do any routing or ACL settings need to be done at the ER605 to make this work?

Re: site to site vpn connected, but can't ping to remote hosts
2022-09-17 16:10:08

After some troubleshooting, I found that when I ping from the local PC 192.168.63.100 to the remote PC 192.168.199.100, the packet sniffer at the FortiGate firewall shows that the ping packets are coming from the WAN interface (wan2) instead of the tunnel interface (er605):

# diagnose sniffer packet wan2 "host 192.168.199.100 and icmp"
interfaces=[wan2]
filters=[host 192.168.199.100 and icmp]
0.474739 192.168.63.100 -> 192.168.199.100: icmp: echo request
1.474547 192.168.63.100 -> 192.168.199.100: icmp: echo request
2.477363 192.168.63.100 -> 192.168.199.100: icmp: echo request
3.481467 192.168.63.100 -> 192.168.199.100: icmp: echo request

I have another IPsec tunnel created at the same FortiGate, connected to AWS; incoming traffic should come through the tunnel interface instead of the WAN:

# diagnose sniffer packet aws_dia "host 192.168.199.100 and icmp"
interfaces=[aws_dia]
filters=[host 192.168.199.100 and icmp]
11.852144 172.27.14.127 -> 192.168.199.100: icmp: echo request
11.852533 192.168.199.100 -> 172.27.14.127: icmp: echo reply
12.853560 172.27.14.127 -> 192.168.199.100: icmp: echo request
12.853950 192.168.199.100 -> 172.27.14.127: icmp: echo reply
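
As an added example (not from the thread, TP-Link or Fortinet), a small Python checker that parses the `diagnose sniffer packet` output quoted above and flags packets between the IPsec-protected subnets that the FortiGate received on a non-tunnel interface such as wan2, which is the symptom shown and means the traffic arrived outside the SA in plaintext. The subnets and the interface names er605, aws_dia and wan2 come from the thread; the AWS-side subnet 172.27.14.0/24 and the two sample captures are constructed from the quoted lines.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed samples, copied from the two captures quoted in the thread.
WAN2_CAPTURE = """\
interfaces=[wan2]
filters=[host 192.168.199.100 and icmp]
0.474739 192.168.63.100 -> 192.168.199.100: icmp: echo request
1.474547 192.168.63.100 -> 192.168.199.100: icmp: echo request
"""
AWS_CAPTURE = """\
interfaces=[aws_dia]
filters=[host 192.168.199.100 and icmp]
11.852144 172.27.14.127 -> 192.168.199.100: icmp: echo request
11.852533 192.168.199.100 -> 172.27.14.127: icmp: echo reply
"""
IFACE_RE = re.compile(r"^interfaces=\[([^\]]+)\]$")
LINE_RE = re.compile(r"^(\d+\.\d+)\s+([\d.]+)\s+->\s+([\d.]+):\s+(\w+):\s+(.*)$")

class Packet(NamedTuple):
    iface: str
    src: str
    dst: str
    info: str

def parse_sniffer(text: str) -> List[Packet]:
    """Parse 'diagnose sniffer packet <iface> <filter>' output: the interfaces=[...]
    header names the capture interface, then one 'ts src -> dst: proto: info' line."""
    packets, iface = [], None
    for raw in text.splitlines():
        m = IFACE_RE.match(raw.strip())
        if m:
            iface = m.group(1)
            continue
        m = LINE_RE.match(raw.strip())
        if m and iface:
            _ts, src, dst, _proto, info = m.groups()
            packets.append(Packet(iface, src, dst, info))
    return packets

def tunnel_bypass(packets, protected_nets, tunnel_ifaces) -> List[Packet]:
    """Packets whose src and dst are both in IPsec-protected subnets but were seen
    on a non-tunnel interface: they reached the firewall outside the SA (plaintext
    on WAN), so the sender's IPsec policy/selectors or route are wrong."""
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    inside = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    return [p for p in packets
            if p.iface not in tunnel_ifaces and inside(p.src) and inside(p.dst)]
```

Running it on the wan2 capture reports every echo request as a bypass and no reply at all, while the aws_dia capture reports nothing, which is the difference the reply above observed.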