crp0499 asked:

IPSec VPN - can only ping lower range of subnet

I have an IPSec VPN from a Zyxel to a Fortigate.  It's working as expected with one exception.  I can only ping the lower half of the remote subnet.


My VPN goes from site A to site B.  My remote site IP range/subnet is 192.168.0.0/23, so I'm expecting to ping all of the 192.168.0.x IPs, which I can, AND I'm expecting to ping all of the 192.168.1.x IPs, which I can't.  Funny thing is, I have a VPN similar to this (different IP ranges, but same type of VPN) and I can ping the full range.  I feel like I'm missing something and honestly, my brain isn't working too well, so I'm hoping someone can tell me what to check.


Thanks

Topics: Internet Protocol Security, VPN


8/22/2022 - Mon
arnold

Confirm the netmask. If you manage the VPN, check the access rules of the VPN.
A choice of 192.168.0.0-192.168.1.255 is a poor choice, as retail routers commonly use 192.168.0, 192.168.1 and 192.168.2 as the LAN IPs.

What is the local LAN IP from which you are pinging? If it is 192.168.1.0/24, that will answer your question.
crp0499

ASKER
I'm pinging from a 10.90.21.x range over to 192.169.0.0/23. I inherited the subnet I'm connecting to and actually, I only need to reach one IP on the other side so I may just change my remote subnet to that one IP and call it done. I'm mostly curious about what I did wrong and why I can't ping the upper half of the subnet.
arnold

Ping might be blocked by the system's firewall.

It is hard to tell based on the limited information you provided.

Presumably the 192.168.0.0/23 is behind the fortigate.
Can you jump on a system on the lower half (192.168.0.0) and see if it can ping an IP on the local 192.168.1.0 range?

Are there devices on the upper half? Can an upper-half device ping your VPN IP?

Depending on what is on the upper half and what you can do, one option, if there is a workstation, is to add an IIS role/feature
and then see if you can reach the 192.168.1.x via the browser.
ASKER CERTIFIED SOLUTION
noci

crp0499

ASKER
Thank you noci!  You were exactly on point!
noci

No problem, enjoy your network. (If you have a chance to change from 192.168.0.0/23 to 192.168.{other}.0/23, with {other} being even!!, please do. It makes people pay some more attention, and "adding" something else doesn't become a major accident.)

arnold

The test suggested between local systems would have revealed the misconfiguration.
Sounds like a DHCP scope definition issue.
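An added illustration of the two points raised in this thread (not code from any poster): which hosts a /23 selector covers compared with a /24, and noci's remark that a /23 only aligns when its third octet is even. The selector strings are constructed examples; that one side of the tunnel actually carried a /24 is an assumption, since the accepted answer is not shown on this page.

```python
import ipaddress

def selector_covers(selector: str, hosts):
    """Map each host to whether it falls inside the traffic selector / LAN prefix."""
    net = ipaddress.ip_network(selector, strict=False)
    return {h: ipaddress.ip_address(h) in net for h in hosts}

def is_aligned(prefix: str) -> bool:
    """True only if the prefix is a real network address (no host bits set).
    192.168.0.0/23 and 192.168.2.0/23 are aligned; 192.168.1.0/23 is not,
    which is why the third octet of a /23 has to be even."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False

def selector_mismatch(side_a: str, side_b: str):
    """Return the address space one side includes but the other does not.
    None means both sides agree; when neither contains the other, both are returned."""
    a = ipaddress.ip_network(side_a, strict=False)
    b = ipaddress.ip_network(side_b, strict=False)
    if a == b:
        return None
    if b.subnet_of(a):
        return list(a.address_exclude(b))   # space in a that b lacks
    if a.subnet_of(b):
        return list(b.address_exclude(a))   # space in b that a lacks
    return [a, b]

if __name__ == "__main__":
    # Constructed sample: the asker's remote prefix on the Zyxel side versus a
    # hypothetical /24 typed on the Fortigate side.
    hosts = ["192.168.0.10", "192.168.1.10", "192.168.2.10"]
    print(selector_covers("192.168.0.0/23", hosts))
    print(selector_covers("192.168.0.0/24", hosts))
    print(selector_mismatch("192.168.0.0/23", "192.168.0.0/24"))
    for p in ["192.168.0.0/23", "192.168.1.0/23", "192.168.2.0/23"]:
        print(p, "aligned" if is_aligned(p) else "NOT aligned")
```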