Generator
Site to Site VPN - Fortigate
We have a site to site VPN using two Fortigate routers - a tunnel is created using the existing settings; however, the traffic seems to be only one way.

Site A WAN 72.xx.xx.172 / LAN 192.168.58.100
Site B WAN 72.xx.xx.172 / LAN 192.168.61.254

I can ping the Fortigate and any device from Site A to Site B. I cannot ping the Fortigate or any other device from Site B to Site A. We have a SCADA monitoring device and a camera at Site A that need to be monitored at Site B. Any help would be appreciated.
ASKER
I believe that this problem is associated with a routing issue on the Site A firewall. When I try to ping any of the Site A devices I get "Destination Net Unreachable" and a tracert will not get past the Site A firewall address. In the original question the Site A WAN address should read 72.xx.xx.174
Can you post some screen shots of your Policy setup and VPN config? Or just post your config with external IPs changed?
Have you followed this example?
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30023&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=5147783&stateId=0 0 5149062
ASKER
I had that example that you provided a link to - the setup we have is similar and I double checked all the settings but still no luck. The Site B firewall seems to be unaware of the 192.168.58.0 subnet at the other end and that's why I'm getting the "Destination Net Unreachable" message on the ping commands. Tracert from Site B will only show the Site B router address and then fails.
I have attached the Address and Policy screen shots. Site A is Flycreek and Site B is RRCA. I believe that the tunnel setup is correct - we can ping the firewall at Site B from Site A. Thanks.
Address.jpg
Policy.jpg
ASKER CERTIFIED SOLUTION
ASKER
I did what you suggested and now it's working fine. Thank you!