Routing over VPN connection

I’m creating a new Hub and Spoke VPN. I’ve connected the first spoke and the link is showing connected, but I cannot ping the internal subnet across the VPN. I can, however, ping the interface on the opposite end. I’ve created a static route to look across the VPN connection, but I’m unable to communicate. What is missing, or what should I be looking at? Below is a simple sketch of the setup and the static routes I’ve set up.

Do you have a firewall policy permitting that traffic?

Do a flow debug

diag debug en
diag debug flow filter saddr <source ip>
diag debug flow filter daddr <dst ip>
diag debug flow trace start 100

Then start a ping from the source to the destination. The output should tell you if it’s routing or policy.

fw policy? route based phase2 for 0.0.0.0/0? can try to NAT and see if traffic gets there via nearest NAT’d IP…

I use BGP for my sandbox setup hub & spoke setup with xauth - static routes should work just fine tho…

Kinda stupid but it’s caught me a couple times.

Did you do ping options first, setting the source to the IP of the firewall, then try pinging your destination?

Another thing I thought about: if you’re not using 0.0.0.0 for the phase 2s, then you’ll need to specify all the networks you’ll need access to over the VPN tunnel, both in a policy and in the phase 2.

There are policies created by the wizard that look like they should be allowing the traffic. I realize I’m probably missing something; I’m very new to Fortinet. The policies are:

Hub

config firewall policy
    edit 20
        set name "vpn_MainOffice_Hub_spoke2hub_0"
        set uuid 38d417ee-57be-51ee-d973-6dfaa8e56d38
        set srcintf "MainOffice_Hub"
        set dstintf "_default"
        set action accept
        set srcaddr "all"
        set dstaddr "MainOffice_Hub_local"
        set schedule "always"
        set service "ALL"
        set comments "VPN: MainOffice_Hub (Created by VPN wizard)"
    next
end

config firewall policy
    edit 21
        set name "vpn_MainOffice_Hub_spoke2spoke_0"
        set uuid 39354190-57be-51ee-1670-63a99272a736
        set srcintf "MainOffice_Hub"
        set dstintf "MainOffice_Hub"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set comments "VPN: MainOffice_Hub (Created by VPN wizard)"
    next
end

Spoke

config firewall policy
    edit 2
        set name "vpn_FireStn2_Spoke1_remote_0"
        set uuid 6111d12e-57be-51ee-a77e-02d171cf24e1
        set srcintf "FireStn2_Spoke1"
        set dstintf "lan"
        set action accept
        set srcaddr "all"
        set dstaddr "FireStn2_Spoke1_local"
        set schedule "always"
        set service "ALL"
        set comments "VPN: FireStn2_Spoke1 (Created by VPN wizard)"
    next
end

config firewall policy
    edit 4
        set name "vpn_FireStn2_Spoke1_local_0"
        set uuid 612deac6-57be-51ee-1083-829da2d9e9fe
        set srcintf "lan"
        set dstintf "FireStn2_Spoke1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set comments "VPN: FireStn2_Spoke1 (Created by VPN wizard)"
    next
end

This. Coming over from the ASA world, where using the wizard would generate an any/any rule for you, it still trips me up sometimes.

It looks like it is routing. I ran the diag on both ends and sent a ping from the spoke to the hub and got the following output:

Output on Spoke:

FG-FireSTN2 # id=65308 trace_id=5 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.16.100:1->192.168.0.8:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=52."
id=65308 trace_id=5 func=init_ip_session_common line=5964 msg="allocate a new session-00013569, tun_id=0.0.0.0"
id=65308 trace_id=5 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-131.226.49.43 via FireStn2_Spoke1"
id=65308 trace_id=5 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=41, len=2"
id=65308 trace_id=5 func=fw_forward_handler line=990 msg="Allowed by Policy-4:"
id=65308 trace_id=5 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface FireStn2_Spoke1, tun_id=0.0.0.0"
id=65308 trace_id=5 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel FireStn2_Spoke1 vrf 0"
id=65308 trace_id=5 func=esp_output4 line=895 msg="IPsec encrypt/auth"
id=65308 trace_id=5 func=ipsec_output_finish line=629 msg="send to 172.16.30.1 via intf-wan"
id=65308 trace_id=6 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.16.100:1->192.168.0.8:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=53."
id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5867 msg="Find an existing session, id-00013569, original direction"
id=65308 trace_id=6 func=npu_handle_session44 line=1199 msg="Trying to offloading session from lan to FireStn2_Spoke1, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x05040000"
id=65308 trace_id=6 func=ip_session_install_npu_session line=358 msg="npu session installation succeeded"
id=65308 trace_id=6 func=fw_forward_dirty_handler line=436 msg="state=00010200, state2=00000000, npu_state=05000400"
id=65308 trace_id=6 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface FireStn2_Spoke1, tun_id=0.0.0.0"
id=65308 trace_id=6 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel FireStn2_Spoke1 vrf 0"
id=65308 trace_id=6 func=esp_output4 line=895 msg="IPsec encrypt/auth"
id=65308 trace_id=6 func=ipsec_output_finish line=629 msg="send to 172.16.30.1 via intf-wan"

Output on Hub

FG100F-HA1 # id=65308 trace_id=3 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.16.100:1->192.168.0.8:2048) tun_id=10.10.2.3 from MainOffice_Hub. type=8, code=0, id=1, seq=52."
id=65308 trace_id=3 func=init_ip_session_common line=5964 msg="allocate a new session-0002a257, tun_id=10.10.2.3"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.0.8 via _default"
id=65308 trace_id=3 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=2, len=6"
id=65308 trace_id=3 func=fw_forward_handler line=990 msg="Allowed by Policy-20:"
id=65308 trace_id=4 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.16.100:1->192.168.0.8:2048) tun_id=10.10.2.3 from MainOffice_Hub. type=8, code=0, id=1, seq=53."
id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5867 msg="Find an existing session, id-0002a257, original direction"
id=65308 trace_id=4 func=npu_handle_session44 line=1199 msg="Trying to offloading session from MainOffice_Hub to _default, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x04000000"
id=65308 trace_id=4 func=ip_session_install_npu_session line=358 msg="npu session installation succeeded"
id=65308 trace_id=4 func=fw_forward_dirty_handler line=436 msg="state=00010200, state2=00000000, npu_state=04000400"
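Reading a flow trace like the one above by eye works for two packets, but the same questions (did the route lookup succeed, which policy made the decision, where did the packet leave, and did any reply ever come back through this box) are easy to answer mechanically. The script below is an added example for this thread, not tooling from the poster or from Fortinet. It groups FortiOS flow-trace lines by trace_id, pulls out the ingress interface, route result, policy verdict and egress, and then reports whether the device is failing on routing, failing on policy, or simply never sees reply-direction packets for the saddr/daddr filter set with the debug commands suggested earlier in the thread. The first sample is constructed to mirror the spoke output quoted above; the second sample (a dropped request and an echo reply, and the "Denied by forward policy check" wording) is an assumption added for illustration, not output from the thread.

```python
"""Triage 'diagnose debug flow' output: routing problem, policy problem, or no return traffic."""
import re
from collections import OrderedDict

# Constructed sample shaped like the spoke-side trace quoted in the thread (echo
# request 192.168.16.100 -> 192.168.0.8, two packets; the second hits the session table).
SAMPLE_TRACE = """\
FG-FireSTN2 # id=65308 trace_id=5 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.16.100:1->192.168.0.8:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=52."
id=65308 trace_id=5 func=init_ip_session_common line=5964 msg="allocate a new session-00013569, tun_id=0.0.0.0"
id=65308 trace_id=5 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-131.226.49.43 via FireStn2_Spoke1"
id=65308 trace_id=5 func=fw_forward_handler line=990 msg="Allowed by Policy-4:"
id=65308 trace_id=5 func=ipsec_output_finish line=629 msg="send to 172.16.30.1 via intf-wan"
id=65308 trace_id=6 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.16.100:1->192.168.0.8:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=53."
id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5867 msg="Find an existing session, id-00013569, original direction"
"""

# Constructed variant (assumption, not from the thread): the request is dropped by the
# implicit-deny policy and one echo reply arrives from the tunnel side.
SAMPLE_DENIED = """\
id=65308 trace_id=7 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.16.100:1->192.168.0.8:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=54."
id=65308 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-131.226.49.43 via FireStn2_Spoke1"
id=65308 trace_id=7 func=fw_forward_handler line=990 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=8 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.0.8:1->192.168.16.100:0) tun_id=10.10.2.1 from FireStn2_Spoke1. type=0, code=0, id=1, seq=54."
"""

RE_LINE = re.compile(r'trace_id=(\d+) func=(\w+) .*?msg="(.*?)"?$')  # tolerates a missing closing quote
RE_PKT = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) tun_id=[\d.]+ from (\S+)\.")
RE_ROUTE = re.compile(r"find a route: flag=\w+ gw-([\d.]+) via (\S+)")
RE_ALLOW = re.compile(r"Allowed by Policy-(\d+)")
RE_DENY = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
RE_EXIST = re.compile(r"Find an existing session, id-(\w+), (original|reply) direction")
RE_SEND = re.compile(r"send to ([\d.]+) via intf-(\S+)")


def parse_trace(text):
    """Group trace lines by trace_id and pull out ingress, route, policy verdict and egress."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = RE_LINE.search(line.rstrip())
        if not m:
            continue
        tid, _func, msg = m.groups()
        t = traces.setdefault(tid, {"trace_id": tid})
        if p := RE_PKT.search(msg):
            t.update(proto=int(p[1]), src=p[2], dst=p[3], ingress=p[4])
        elif r := RE_ROUTE.search(msg):
            t.update(gw=r[1], egress=r[2])            # route lookup succeeded
        elif a := RE_ALLOW.search(msg):
            t.update(policy=int(a[1]), decision="allow")
        elif d := RE_DENY.search(msg):
            t.update(policy=int(d[1]), decision="deny")
        elif e := RE_EXIST.search(msg):
            t.update(session=e[1], decision="existing-session")  # no fresh route/policy lookup
        elif s := RE_SEND.search(msg):
            t.update(next_hop=s[1], out_if=s[2])
    return traces


def summarize(traces, saddr, daddr):
    """Classify traces against the saddr/daddr debug filter and say where this box is failing."""
    fwd = [t for t in traces.values() if (t.get("src"), t.get("dst")) == (saddr, daddr)]
    rev = [t for t in traces.values() if (t.get("src"), t.get("dst")) == (daddr, saddr)]
    problems = []
    for t in fwd:
        if t.get("decision") == "existing-session":
            continue                                  # matched the session table; nothing new to judge
        if "egress" not in t:
            problems.append(f"trace {t['trace_id']}: no route found -> routing problem")
        elif t.get("decision") == "deny":
            problems.append(f"trace {t['trace_id']}: dropped by policy {t['policy']} -> policy problem")
        elif t.get("decision") != "allow":
            problems.append(f"trace {t['trace_id']}: no policy decision logged")
    if problems:
        verdict = "; ".join(problems)
    elif fwd and not rev:
        verdict = ("forward path OK here (route found, policy allowed); no reply-direction "
                   "packets seen, so look at the return path on the far end or with the sniffer")
    elif fwd:
        verdict = "both directions seen on this device"
    else:
        verdict = "no packets matched the filter"
    return {"forward": len(fwd), "reply": len(rev), "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("spoke-like", SAMPLE_TRACE), ("denied", SAMPLE_DENIED)):
        print(name, summarize(parse_trace(text), "192.168.16.100", "192.168.0.8"))
```

Run against the real captures, the point is the verdict for the forward direction on each box, plus the reply count: a forward path that is routed and allowed on both the spoke and the hub while neither device ever logs a packet from 192.168.0.8 back to 192.168.16.100 points at the return path (the route and policy on the far side, or the host's own gateway) rather than at the tunnel.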

This will get you: exec ping-options source x.x.x.x (interface IP)

Shouldn’t be a problem unless your routes are set up weird or you use multiple VDOMs

So for example you’ll need 192.168.16.0/24 as a phase 2 of the spoke remote and 192.168.0.0/24 as the local, and then flip them at the hub end. You probably already have that, but figured I’d share just in case.

Check if you actually see return traffic with diagnose sniffer.