Site to Site VPN - Fortigate

We have a site to site VPN using two Forigate routers - a tunel is created using the existing settings however the traffic seems to be only one way. Site A WAN 72.xx.xx.172/ LAN Site B WAN 72.xx.xx.172/LAN I can ping the Fortigate and any device from Site A to Site B. I cannot ping the Fortigate or any other device from Site B to Site A.  We have a SCADA monitoring device and a camera at Site A that needs to be monitored at Site B. Any help would be appreciated.
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

iworks-uworksConnect With a Mentor Commented:
What firmware version are you running, it looks old?
Off the bat I'd say you need to move your VPN policies above everything else. It looks like you have an "all to all" policy above your VPN policy which is being "read" first in the processing by the firewall so since this rule matches everything it's not getting down to the next one. Try moving your RRCAlan VPN policy above Policy 11 and see if you can communicate then. Let me know.

GeneratorAuthor Commented:
I believe that this problem is associated to a routing issue on the Site A firewall. When I try to ping any of the Site A devices I get "Destination Net Unreachable" and a tracert will not get passed the Site a firewall address. In the original question the Site A WAN address should read 72.xx.xx.174
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Can you post some screen shots of your Policy setup and VPN config? Or just post your config with external IP's changed?

Have you followed this example? 0 5149062
GeneratorAuthor Commented:
I had that example that you provided a link to - the setup we have is similar and I double checked all the settings but still no luck. The Site B firewall seems to be unaware of the subnet at the other end and that's why I'm getting the "Destination Net Unreachable" message on the ping commands. Tracert from Site B will only show the Site B router address and then fails.
I have attached the Address and Policy screen shots. Site A is Flycreek and Site B is RRCA. I believe that the tunnel setup is correct - we can ping the firewall at Site B from Site A. Thanks.
GeneratorAuthor Commented:
I did what you suggested and now it's working fine. Thank you!
All Courses

From novice to tech pro — start learning today.