getdanonit
asked on
Fortigate 100A IPSEC VPN Draytek Vigor 2820 One way ping
I have setup an IPSEC VPN tunnel between 2 sites. The Draytek Vigor 2820 dials the fortigate 100a and the tunnel comes up ok. I can ping all devices behind the Fortigate with no problem, but when pinging the other direction I get nothing.
Fortigate has an internal subnet 192.168.111.0/24
Draytek has an internal subnet 192.168.100.0/24
I can see on the stats of the fotigate that data is going both ways so what could be stopping me pinging the Draytek and that network.
If iI tracerout the external IP of the Draytek from behind the Fortigate it goes through as expected. If I tracert the internal IP of the Draytek it gets half way then times out.
If I tracert the Fortigate from the Draytek I get nothing, yet all pings work fine. Even exchange and rdp are working fine.
This doesn't make sense to me. What am a I missing?
Fortigate has an internal subnet 192.168.111.0/24
Draytek has an internal subnet 192.168.100.0/24
I can see on the stats of the fotigate that data is going both ways so what could be stopping me pinging the Draytek and that network.
If iI tracerout the external IP of the Draytek from behind the Fortigate it goes through as expected. If I tracert the internal IP of the Draytek it gets half way then times out.
If I tracert the Fortigate from the Draytek I get nothing, yet all pings work fine. Even exchange and rdp are working fine.
This doesn't make sense to me. What am a I missing?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
OK I have now got this working. I already had a rule on the Draytek to allow traffic from the VPN to the LAN. This still wasn't working though. I looked at the config on the Fortigate again and moved the policy I had for the VPN tunnel higher up the list. I put this policy at the top, above our VPN policy for users that connect from their desktops and bang, the dirt is gone. All working as expected and now have Active Directory replicating perfectly.
Digitap you did help me with this, and as you are the only one who replied I am going to award the points to you. Thank you.
Digitap you did help me with this, and as you are the only one who replied I am going to award the points to you. Thank you.
sorry i couldn't pinpoint it more exacting, but thanks for the points! glad you got it working...
ASKER