USG at branches of routed IPsec via vti interfaces with BGP not working in fully symmetrical manner
Hello,
I am here to deal with a bit of a strange problem. I have configured an IPsec VPN between a Fortinet Fortigate acting as the VPN hub with a public IP address, and a USG20-VPN as a hidden branch with only a private IP address.
I used a verified configuration on the Fortigate side (Dial-Up IPsec with an addressed interface) and started to play with the IPsec parameters on the USG side. I configured the VPN Gateway, VPN Connection, VTI interface, BGP and also a policy route. The tunnel is up and running.
BGP routes are exchanged between the VTI on the USG and the tunnel interface on the Fortigate. The VTI of the USG is not pingable from the Fortigate, but the Fortigate interface is pingable from the USG.
I am able to ping a server at HQ (Fortigate side) from a computer at the branch (USG side), so a connection established from the branch side works properly (RDP and other protocols are working too). But I am not able to ping from HQ to the branch: a connection initiated from HQ is not working.
After a few days of searching, playing with parameters and reconfiguring a number of setups (the policy-based variant behaves in the same way), I am at the end of my ideas.
Is there something that I have missed?
Thanks to anybody for replying.
All Replies
Hi @ohornig
Can you trace packets on the VTI interface when you try to ping from the Fortigate, to see if there is any request coming from the Fortigate?
Here are the steps to trace packets on the USG.
SSH into the USG and type the command below to trace the packets from the Fortigate.
Router> packet-trace interface vti1(VTI interface name) ip-proto icmp
Then try to see if there are any packets coming from the Fortigate.
Here is the example
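As an added example (not from the thread or from Zyxel), here is a small Python script that sorts tcpdump-style lines from such a VTI trace into inbound and outbound ICMP and BGP packets, so the asymmetry described in the question shows up as counts and points at which side to check next. The sample trace, the branch addresses and the assumption that packet-trace output looks like tcpdump are all constructed here.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed tcpdump-style sample (the USG's real packet-trace output is assumed to
# look like this): a branch-host ping to HQ, the BGP session, and nothing from HQ.
SAMPLE_TRACE = """\
10:00:01.100 IP 192.168.10.20 > 10.10.10.5: ICMP echo request, id 7, seq 1, length 64
10:00:01.120 IP 10.10.10.5 > 192.168.10.20: ICMP echo reply, id 7, seq 1, length 64
10:00:02.000 IP 10.255.0.2.179 > 10.255.0.1.41234: Flags [P.], seq 1:20, ack 1, length 19
10:00:02.001 IP 10.255.0.1.41234 > 10.255.0.2.179: Flags [.], ack 20, length 0
"""
# Assumed branch-side addresses: the USG's own VTI address and the branch LAN.
BRANCH_NETS = [ip_network("10.255.0.2/32"), ip_network("192.168.10.0/24")]

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def classify(line):
    """Return (src, dst, kind) for one packet line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if "echo request" in rest:
        kind = "icmp-echo-request"
    elif "echo reply" in rest:
        kind = "icmp-echo-reply"
    elif "179" in (m.group("sport"), m.group("dport")):
        kind = "bgp"  # TCP/179 in either direction is the BGP session
    else:
        kind = "other"
    return m.group("src"), m.group("dst"), kind

def summarize(trace_text, branch_nets=BRANCH_NETS):
    """Count packets per (direction, kind); every VTI packet leaves or enters the branch."""
    counts = Counter()
    for src, _dst, kind in filter(None, map(classify, trace_text.splitlines())):
        side = "outbound" if any(ip_address(src) in n for n in branch_nets) else "inbound"
        counts[(side, kind)] += 1
    return counts

def diagnose(counts):
    """Where to look next after pinging from the hub, given what the VTI trace shows."""
    if counts[("inbound", "icmp-echo-request")] == 0:
        return "hub-side"     # the hub's echo requests never reach the VTI
    if counts[("outbound", "icmp-echo-reply")] == 0:
        return "branch-side"  # requests arrive but nothing goes back
    return "symmetric"
```

Run the real packet-trace output through summarize() instead of SAMPLE_TRACE; a zero for inbound echo requests means the hub's packets never enter the tunnel, while requests without replies point at the USG's own return path.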
Hi Jerry,
Thank you for your response, it is helpful.
I see in packet-trace:
- outgoing ICMP, if I ping from branch
- outgoing and incoming BGP exchanges between tunnel ends
No incoming traffic.