Avatar of crp0499

IPSec VPN - can only ping lower range of subnet

I have an IPSec VPN from a Zyxel to a Fortigate.  It's working as expected with one exception.  I can only ping the lower half of the remote subnet.

My VPN goes from site A to site B.  My remote site IP range\subnet is, so, I'm expecting to ping all of the 192.168.0.x IPs, which I can, AND I'm expecting to ping all of the 192.168.1.x IPs, which I can't.  Funny thing is, I have a VPN similar to this (different IP ranges, but same type VPN) and I can ping the full range.  I feel like I'm missing something and honestly, my brain isn't working too well so I'm hoping someone can tell me what to check.


Avatar of arnold

Confirm the netmask. If you manage the VPN, check the access rules of the VPN.
a choice of is a poor choice as commonly retail routers use the 192.168.0 192.168.1 and 192.168.2 as the common LAN IPs.

what is the local LAN IP from which you are pinging if it is that will answer your question.
Avatar of crp0499


I'm pinging from a 10.90.21.x range over to I inherited the subnet I'm connecting to and actually, I only need to reach one IP on the other side so I may just change my remote subnet to that one IP and call it done. I'm mostly curious about what I did wrong and why I can't ping the upper half of the subnet.
ping might be blocked by the system's firewall.

it is hard to tell based on the limited information you provided.

Presumably the is behind the fortigate.
Can you jump on a system on the lower half and see if it can ping an IP on the local range?

Are there devices on the upper half? Can an upper half device ping your VPN IP?

depending on what is on the upper half and what you can do, one option if there is a workstation add an IIS role/feature
and then see if you can reach the 192.168.1.x via the browser.
Avatar of noci

This solution is only available to members.
Avatar of crp0499


Thank you noci!  You were exactly on point!
Avatar of noci

No problem, enjoy your network. (If you have a chance to change from   -> 192.168.{other}.0/23   ({other} being even!!).  please do, it makes people pay some more attention and "adding" something else doesn't become a major accident).

The test suggested between local systems would have revealed the misconfiguration.
Sounds like a DHCP scope definition issue.
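
Added example, not part of any post in this thread: one way to run the "confirm netmask" check and the local-systems test suggested above over a list of hosts, and to check the even-third-octet alignment of a /23. The site prefix 192.168.0.0/23, the gateway 192.168.0.1 and the host list are constructed sample values (the thread does not show the configured range), and `audit_hosts` and `is_aligned` are hypothetical helper names.

```python
import ipaddress

def is_aligned(prefix):
    """True if the prefix starts on its own boundary (no host bits set).
    For a /23 that means the third octet must be even."""
    try:
        ipaddress.ip_network(prefix)  # strict mode rejects host bits
        return True
    except ValueError:
        return False

def audit_hosts(site_prefix, hosts):
    """Compare each host's (ip, prefix length, gateway) with the site prefix.
    Returns {ip: [findings]} for hosts that disagree with it."""
    site = ipaddress.ip_network(site_prefix)
    report = {}
    for ip, prefixlen, gateway in hosts:
        iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
        gw = ipaddress.ip_address(gateway)
        findings = []
        if iface.ip not in site:
            findings.append("outside site prefix")
        if iface.network.prefixlen != site.prefixlen:
            findings.append(
                f"mask /{iface.network.prefixlen} differs from site /{site.prefixlen}")
        # A host can only use a gateway that sits inside its own on-link network.
        # If it does not, replies to the remote VPN range never leave the host.
        if gw not in iface.network:
            findings.append(f"gateway {gw} is off-link for {iface.network}")
        if findings:
            report[ip] = findings
    return report

# Constructed sample data (assumption, not taken from the thread):
# two hosts with the full /23 mask, one upper-half host handed a /24 mask.
SAMPLE_HOSTS = [
    ("192.168.0.20", 23, "192.168.0.1"),
    ("192.168.1.20", 23, "192.168.0.1"),
    ("192.168.1.50", 24, "192.168.0.1"),
]

if __name__ == "__main__":
    for ip, findings in audit_hosts("192.168.0.0/23", SAMPLE_HOSTS).items():
        print(ip, "->", "; ".join(findings))
    print("192.168.1.0/23 aligned:", is_aligned("192.168.1.0/23"))
```

Only the upper-half host with the narrower mask is flagged: it cannot reach its gateway, so it never answers pings arriving over the tunnel.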