crp0499 (United States of America)

asked on

IPSec VPN - can only ping lower range of subnet

I have an IPSec VPN from a Zyxel to a Fortigate.  It's working as expected with one exception.  I can only ping the lower half of the remote subnet.


My VPN goes from site A to site B.  My remote site IP range/subnet is 192.168.0.0/23, so I'm expecting to ping all of the 192.168.0.x IPs, which I can, AND I'm expecting to ping all of the 192.168.1.x IPs, which I can't.  Funny thing is, I have a VPN similar to this (different IP ranges, but same type VPN) and I can ping the full range.  I feel like I'm missing something and honestly, my brain isn't working too well, so I'm hoping someone can tell me what to check.


Thanks   

arnold (United States of America)

Confirm the netmask; if you manage the VPN, check the access rules of the VPN.
A choice of 192.168.0.0-192.168.1.255 is a poor choice, as retail routers commonly use 192.168.0, 192.168.1 and 192.168.2 as the common LAN IPs.

What is the local LAN IP from which you are pinging? If it is 192.168.1.0/24, that will answer your question.
crp0499 (ASKER)

I'm pinging from a 10.90.21.x range over to 192.169.0.0/23. I inherited the subnet I'm connecting to and actually, I only need to reach one IP on the other side, so I may just change my remote subnet to that one IP and call it done. I'm mostly curious about what I did wrong and why I can't ping the upper half of the subnet.

Ping might be blocked by the system's firewall.

It is hard to tell based on the limited information you provided.

Presumably the 192.168.0.0/23 is behind the Fortigate.
Can you jump on a system on the lower half (192.168.0.0) and see if it can ping an IP on the local 192.168.1.0 range?

Are there devices on the upper half? Can an upper-half device ping your VPN IP?

Depending on what is on the upper half and what you can do, one option, if there is a workstation, is to add an IIS role/feature
and then see if you can reach the 192.168.1.x via the browser.
ASKER CERTIFIED SOLUTION
noci

This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
crp0499 (ASKER)

Thank you noci!  You were exactly on point!
noci

No problem, enjoy your network. (If you have a chance to change from 192.168.0.0/23 -> 192.168.{other}.0/23 ({other} being even!!), please do; it makes people pay some more attention, and "adding" something else doesn't become a major accident.)

The test suggested between local systems would have revealed the misconfiguration.
Sounds like a DHCP scope definition issue.
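The accepted answer is not visible on this page, but the thread narrows the problem to two things a practitioner would check first: whether the VPN phase-2 selector (the remote policy) really covers the whole /23 (arnold's "confirm the netmask"), and whether hosts in the upper half were handed a /24 mask with a gateway in the lower half, so they can never route a reply back to 10.90.21.x (noci's "DHCP scope definition issue"). The following script is an added example written for this page, not code from the thread or from Zyxel/Fortigate; the selector, scope, gateway and pinger addresses are constructed sample values, since the real device settings are not shown.

```python
import ipaddress
from typing import List

# Constructed sample values. The thread only tells us the intended remote
# range is 192.168.0.0/23 and that pings originate from 10.90.21.x; the
# Zyxel/Fortigate selector and DHCP settings below are assumptions.
INTENDED_REMOTE = "192.168.0.0/23"
PINGER = "10.90.21.50"  # constructed address in the asker's 10.90.21.x range


def uncovered(selector: str, intended: str = INTENDED_REMOTE) -> List[ipaddress.IPv4Network]:
    """Parts of the intended remote subnet that a VPN phase-2 selector
    (traffic selector / remote policy) leaves out. Empty list means the
    selector covers the whole intended range."""
    sel = ipaddress.ip_network(selector, strict=False)
    want = ipaddress.ip_network(intended, strict=False)
    if want.subnet_of(sel):
        return []
    if sel.subnet_of(want):
        return list(want.address_exclude(sel))
    return [want]  # disjoint: nothing in the intended range is covered


def can_reply(host: str, prefixlen: int, gateway: str, pinger: str = PINGER) -> bool:
    """Can a remote host answer a ping from the VPN peer? Either it believes
    the pinger is on-link (not the case across a VPN), or it must reach its
    default gateway, which has to lie inside the network the host derives
    from its own address and mask. A /24 mask on an upper-half host with a
    lower-half gateway fails this test."""
    iface = ipaddress.ip_interface(f"{host}/{prefixlen}")
    if ipaddress.ip_address(pinger) in iface.network:
        return True
    return ipaddress.ip_address(gateway) in iface.network


def check_scope(scope: str, prefixlen: int, gateway: str) -> List[str]:
    """Findings for one DHCP scope: the mask it hands out should match the
    intended /23, and the first and last leasable hosts must be able to
    reply to the VPN peer."""
    findings = []
    intended_len = ipaddress.ip_network(INTENDED_REMOTE).prefixlen
    if prefixlen != intended_len:
        findings.append(f"scope {scope} hands out /{prefixlen}, intended /{intended_len}")
    hosts = list(ipaddress.ip_network(scope, strict=False).hosts())
    for h in (hosts[0], hosts[-1]):
        if not can_reply(str(h), prefixlen, gateway):
            findings.append(
                f"{h}/{prefixlen} cannot reach gateway {gateway}: replies to {PINGER} are dropped"
            )
    return findings


def diagnose(remote_selector: str, scopes: List[tuple]) -> List[str]:
    """Combine the selector check and the DHCP scope checks into one report.
    scopes is a list of (scope_network, prefixlen_handed_out, gateway)."""
    report = [f"selector {remote_selector} misses {n}" for n in uncovered(remote_selector)]
    for scope, plen, gw in scopes:
        report.extend(check_scope(scope, plen, gw))
    return report


if __name__ == "__main__":
    # Two constructed misconfigurations that both produce the thread's symptom
    # (lower half answers, upper half does not), then a correct configuration.
    print(diagnose("192.168.0.0/24", []))
    print(diagnose("192.168.0.0/23", [("192.168.1.0/24", 24, "192.168.0.1")]))
    print(diagnose("192.168.0.0/23", [("192.168.1.0/24", 23, "192.168.0.1")]))
```

Both checks are pure address arithmetic, so they can be run against exported configs without touching the VPN. The selector check catches a /24 typed where a /23 was meant on either peer; the scope check is the offline version of noci's suggested test between local systems, since a host that cannot see its gateway as on-link will not answer a remote pinger even though the lower half works.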