IPSec VPN - only able to ping partial range

crp0499
I have an IPSec VPN from site 1 to site 2.  The VPN shows up and working.

From site one, I can ping the full range over at site two.  I can ping site 2's full range of 192.168.1.0/23 from site one.

From site 2, I can only ping the first range in the subnet at site 1.  The subnet at site 1 is 10.90.20.0/22 and I can ping anything in the 10.90.20.0-10.90.20.255, but nothing higher than that.

I've verified my two address objects and made sure the mask is correct, but I'm having trouble with this final problem.

Can someone point me in the right direction please?

Thank you
Nathan Hawkins, Technical Lead - Network Security
Commented:
In any VPN you designate an encryption domain of what will be encrypted and sent through the VPN. It sounds like you didn't set up the encryption domain correctly for site 1 in site 2's policy. You might also need to add a route on site 2 for the range that's not working correctly. I'd check the encryption domain first.
crp0499, CEO

Author

Commented:
You lost me.  I've reviewed my settings and I see Phase 1 and Phase 2 and phase 2 is where the remote subnet is configured for site 2.  I have it configured as 10.90.20.0/22 and I can ping the first portion of that subnet but nothing higher than 10.90.20.255.  Fortunately for me, the server I need is within that range so my service is working, but I want to figure out what I did wrong.

I'll review the policies on both sites while I await your reply.

Thank you Nathan for the quick response.
Nathan Hawkins, Technical Lead - Network Security

Commented:
OK. I thought maybe what I wrote would spark an "Oh yeah" moment and you could go in and fix the problem. Since that didn't work, let's get the details.

What is it that you are using at both endpoints for the VPN? As many specifics as you are comfortable in giving, please.
crp0499, CEO

Author

Commented:
Site 1 is Sonicwall 4600
10.90.20.0/22

Site 2 is Fortigate 60E
192.168.0.0/23

From site 1 I can ping the entire subnet at site 2, so I can ping 192.168.1.0 - 192.168.1.255

From site 2, I can only ping 10.90.20.0-10.90.20.255, nothing higher.

I checked my address objects and both are configured correctly.

I've checked my policies and both "appear" to be good.  Under phase 2, I have the correct address objects referenced and the local and remote subnets are correct, but I can still only ping the lower range of IPs at site 2.
Nathan Hawkins, Technical Lead - Network Security

Commented:
So in most firewalls, under the properties of that firewall object in your security policy there is a section/tab where you define what is behind that Firewall (typically called a VPN domain or security domain). Here's the thing, for a VPN you need to define the other endpoint and its properties as well. So, I believe your problem is on the Fortigate, but for the Sonicwall's properties. It appears that you have set its subnet mask incorrectly. You have the subnet mask for its VPN domain set as a /24 and not /22.
crp0499, CEO

Author

Commented:
OK, now I'm feeling some "oh yeah" feelings.  Let me check that.
Systems Administrator
Commented:
Try running a traceroute from Site 2 to an IP at Site 1 that is outside the range you can ping.  If you see the Fortigate sending traffic out your default gateway, you need to look at the route definitions on the Fortigate.  It's quite possible that your static route to the 10.90.20.0 network on the Fortigate has the mask set as a /24 instead of a /22.

If that is not the case, check your mask on the address object defined on the Fortigate for the 10.90.20.0 network, which would then be used in the firewall rules on the Fortinet that allows traffic between Site 1 & 2.

If everything checks out on the Fortinet, maybe review the firewall rules on the SonicWall side of things.  Somewhere, you are either only allowing access to the smaller range, or you are only defining a route to a smaller range.
crp0499, CEO

Author

Commented:
I looked in the fortigate at my policy and my address objects.  The address object for the remote subnet is 10.90.20.0/22 and that seems correct to me.  That includes the correct range.  In my policy, in the fortigate, that address object is what is referenced.

Did I not look in the right place? Because what you are saying "sounds" like exactly my problem.  It seems I have "restricted" the other site to a /24 instead of a /22, but I can't see where.
crp0499, CEO

Author

Commented:
"OH YEAH" moment!  It was in the routing where chirkware noted it might be.  Thank you both, really, I appreciate it.
crp0499, CEO

Author

Commented:
Thank you both for the quick reply and the quick homing in on the problem.
Nathan Hawkins, Technical Lead - Network Security

Commented:
Well if the Fortigate is not configured correctly it would also restrict the traffic. So check that subnet on the Fortigate as well.

What do the logs say when you do the ping? They should list all the phases and then potentially where the error is.
Nathan Hawkins, Technical Lead - Network Security

Commented:
Yeah, I listed routing initially. I suspected the encryption domain first, but all of those specifics will make a VPN work or not work. Glad it's fixed!
crp0499, CEO

Author

Commented:
Me too.  It's been kicking my butt since yesterday!  Thanks Nathan.  It feels good to get a win.  :)
Nathan Hawkins, Technical Lead - Network Security

Commented:
If I might ask, why didn't you credit me with the solution or at least partial credit? I cited the routing issue in the initial comment.
crp0499, CEO

Author

Commented:
Just for future readers: the static route in the site two Fortigate was constricted to /24 and it needed to be /22.
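The two checks the thread walks through (do the phase 2 selectors on each side mirror each other, and does the local routing table actually send the whole remote subnet into the tunnel) can be modelled offline. The following is an added example written for this page; it is not code from the thread, from Fortinet or from SonicWall. The route tables, interface names (`vpn_site1`, `wan1`) and the site 2 network `192.168.0.0/23` are constructed to match the thread's description (the original post writes the site 2 range as `192.168.1.0/23`, which is not a valid network address, so the example uses the form given later in the thread). It reproduces the symptom exactly: with a `/24` static route on the Fortigate, only the first 256 addresses of `10.90.20.0/22` reach the tunnel and the rest leak to the default gateway, which is what a traceroute from site 2 would have shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: str  # egress interface: a VPN tunnel or the WAN interface


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.next_hop if best else None


def tunnel_coverage(routes: List[Route], remote: Net, tunnel: str) -> Tuple[List[Net], List[Net]]:
    """Split the remote subnet into the finest blocks any overlapping route uses and
    route each block. CIDR blocks are either nested or disjoint, so each such block
    has exactly one longest match. Returns (blocks sent into the tunnel, blocks sent elsewhere)."""
    finest = max([r.prefix.prefixlen for r in routes if r.prefix.overlaps(remote)] + [remote.prefixlen])
    covered, uncovered = [], []
    for blk in remote.subnets(new_prefix=finest):
        if lookup(routes, str(blk.network_address)) == tunnel:
            covered.append(blk)
        else:
            uncovered.append(blk)
    return covered, uncovered


def selectors_mirror(side_a: Dict[str, Net], side_b: Dict[str, Net]) -> bool:
    """Phase 2 selectors must mirror: A's local subnet is B's remote subnet and vice versa."""
    return side_a["local"] == side_b["remote"] and side_a["remote"] == side_b["local"]


# Constructed phase 2 selectors for both endpoints, as described in the thread.
SITE1_SONICWALL = {"local": Net("10.90.20.0/22"), "remote": Net("192.168.0.0/23")}
SITE2_FORTIGATE = {"local": Net("192.168.0.0/23"), "remote": Net("10.90.20.0/22")}

TUNNEL = "vpn_site1"  # hypothetical tunnel interface name on the Fortigate

# Constructed Fortigate static routes in the broken state the thread ends on:
# the route towards site 1 was entered as a /24 although the selector says /22.
FORTIGATE_ROUTES_BROKEN = [
    Route(Net("10.90.20.0/24"), TUNNEL),
    Route(Net("0.0.0.0/0"), "wan1"),
]
# The corrected table: the static route now matches the /22 selector.
FORTIGATE_ROUTES_FIXED = [
    Route(Net("10.90.20.0/22"), TUNNEL),
    Route(Net("0.0.0.0/0"), "wan1"),
]


def diagnose(routes: List[Route], local_cfg: Dict[str, Net], peer_cfg: Dict[str, Net], tunnel: str) -> dict:
    """Run both checks from the thread and report which parts of the remote subnet leak."""
    covered, uncovered = tunnel_coverage(routes, local_cfg["remote"], tunnel)
    return {
        "selectors_mirror": selectors_mirror(local_cfg, peer_cfg),
        "reachable_via_tunnel": [str(b) for b in covered],
        "leaks_to_other_next_hop": [str(b) for b in uncovered],
    }


if __name__ == "__main__":
    for label, routes in (("broken", FORTIGATE_ROUTES_BROKEN), ("fixed", FORTIGATE_ROUTES_FIXED)):
        print(label, diagnose(routes, SITE2_FORTIGATE, SITE1_SONICWALL, TUNNEL))
        for probe in ("10.90.20.10", "10.90.21.10"):
            print(f"  {probe} -> {lookup(routes, probe)}")
```

With the broken table the selector check passes, so the tunnel negotiates and the first /24 works, while `10.90.21.0/24` through `10.90.23.0/24` are handed to `wan1`; that combination (VPN up, partial reachability in one direction) is the signature of a routing or address-object mask mismatch rather than a phase 1 or phase 2 failure, and the `lookup` calls correspond to the traceroute test suggested above.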
