Site to Site VPN - Fortigate

We have a site to site VPN using two Fortigate routers - a tunnel is created using the existing settings however the traffic seems to be only one way. Site A WAN 72.xx.xx.172 / LAN 192.168.58.100. Site B WAN 72.xx.xx.172 / LAN 192.168.61.254. I can ping the Fortigate and any device from Site A to Site B. I cannot ping the Fortigate or any other device from Site B to Site A. We have a SCADA monitoring device and a camera at Site A that needs to be monitored at Site B. Any help would be appreciated.
Generator asked:

Generator (Author) commented:
I believe that this problem is associated with a routing issue on the Site A firewall. When I try to ping any of the Site A devices I get "Destination Net Unreachable" and a tracert will not get past the Site A firewall address. In the original question the Site A WAN address should read 72.xx.xx.174
iworks-uworks commented:
Can you post some screen shots of your Policy setup and VPN config? Or just post your config with external IPs changed?

Have you followed this example?
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30023&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=5147783&stateId=0 0 5149062
Generator (Author) commented:
I had that example that you provided a link to - the setup we have is similar and I double checked all the settings but still no luck. The Site B firewall seems to be unaware of the 192.168.58.0 subnet at the other end and that's why I'm getting the "Destination Net Unreachable" message on the ping commands. Tracert from Site B will only show the Site B router address and then fails.
I have attached the Address and Policy screen shots. Site A is Flycreek and Site B is RRCA. I believe that the tunnel setup is correct - we can ping the firewall at Site B from Site A. Thanks.
Address.jpg
Policy.jpg
iworks-uworks commented:
What firmware version are you running? It looks old.
Off the bat I'd say you need to move your VPN policies above everything else. It looks like you have an "all to all" policy above your VPN policy which is being "read" first in the processing by the firewall so since this rule matches everything it's not getting down to the next one. Try moving your RRCAlan VPN policy above Policy 11 and see if you can communicate then. Let me know.
IPsec-VPN-order.PNG
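As an added illustration of the shadowing problem described in the answer above (this is example code, not anything from the thread or from Fortinet), the following models FortiGate's top-down, first-match policy evaluation and shows why a catch-all "all to all" policy placed above the IPsec policy means the tunnel policy is never reached. The /24 masks, the interface names, and the policy ID 12 for the VPN policy are assumptions; only policy 11 and the subnets come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Policy:
    policy_id: int
    srcintf: str
    srcaddr: str     # CIDR; "0.0.0.0/0" models the "all" address object
    dstaddr: str
    action: str      # "accept" (plain internet policy) or "ipsec" (tunnel policy)

    def matches(self, srcintf: str, src: str, dst: str) -> bool:
        return (self.srcintf == srcintf
                and ip_address(src) in ip_network(self.srcaddr)
                and ip_address(dst) in ip_network(self.dstaddr))

def first_match(policies: List[Policy], srcintf: str, src: str, dst: str) -> Optional[Policy]:
    """Top-down evaluation: the first policy that matches decides the traffic."""
    for p in policies:
        if p.matches(srcintf, src, dst):
            return p
    return None

def shadowed(policies: List[Policy]) -> List[int]:
    """IDs of policies whose entire src/dst space is already covered by an
    earlier policy on the same ingress interface (they can never match)."""
    out = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            if (q.srcintf == p.srcintf
                    and ip_network(p.srcaddr).subnet_of(ip_network(q.srcaddr))
                    and ip_network(p.dstaddr).subnet_of(ip_network(q.dstaddr))):
                out.append(p.policy_id)
                break
    return out

# Site B (RRCA) policies as described in the thread; masks and names assumed.
INTERNET = Policy(11, "internal", "0.0.0.0/0", "0.0.0.0/0", "accept")
VPN = Policy(12, "internal", "192.168.61.0/24", "192.168.58.0/24", "ipsec")

ORIGINAL_ORDER = [INTERNET, VPN]   # catch-all first: policy 12 is shadowed
FIXED_ORDER = [VPN, INTERNET]      # VPN policy moved above policy 11

def action_for_site_a(policies: List[Policy]) -> Optional[str]:
    """Which action Site B applies to a ping from its LAN to a Site A host."""
    p = first_match(policies, "internal", "192.168.61.254", "192.168.58.100")
    return p.action if p else None
```

Running `shadowed(ORIGINAL_ORDER)` reports policy 12 as unreachable, and `action_for_site_a` returns "accept" (plain NAT to the WAN, hence no reply) for the original order but "ipsec" once the VPN policy is moved up.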
Generator (Author) commented:
I did what you suggested and now it's working fine. Thank you!