asked on IPSec VPN - can only ping lower range of subnet
I have an IPSec VPN from a Zyxel to a Fortigate. It's working as expected with one exception. I can only ping the lower half or the remote subnet.
My VPN goes from site A to site B. My remote site IP range\subnet is 192.168.0.0/23, so, I'm expecting to ping all of the 192.168.0.x IPs, which I can, AND I'm expecting to ping all of the 192.168.1.x IPs, which I can't. Funny thing is, I have a VPN similar to this (different IP ranges, but same type VPN) and I can ping the full range. I feel like I'm missing something and honestly, my brain isn't working too well so I'm hoping someone can tell me what to check.
Thanks
Internet Protocol SecurityVPN
Last Comment
arnold
ASKER
I'm pinging from a 10.90.21.x range over to 192.169.0.0/23. I inherited the subnet I'm connecting to and actually, I only need to reach one IP on the other side so I may just change my remote subnet to that one IP and call it done. I'm mostly curious about what I did wrong and why I can't ping the upper half of the subnet.
ping might be blocked by the system's firewall.
it is hard to tell based on the limited information you provided.
Presumably the 192.168.0.0/23 is behind the fortigate.
can you jump on a system on the lower half 192.168.0.0 and see if they can ping an IP on the local 192.168.1.0 range.
are there devices on the upper half. can an upper half device ping your VPN ip?
depending on what is on the upper half and what you can do, one option if there is a workstation add an IIS role/feature
and then see if you can reach the 192.168.1.x via the browser.
it is hard to tell based on the limited information you provided.
Presumably the 192.168.0.0/23 is behind the fortigate.
can you jump on a system on the lower half 192.168.0.0 and see if they can ping an IP on the local 192.168.1.0 range.
are there devices on the upper half. can an upper half device ping your VPN ip?
depending on what is on the upper half and what you can do, one option if there is a workstation add an IIS role/feature
and then see if you can reach the 192.168.1.x via the browser.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thank you noci! You were exactly on point!
No problem, enjoy your network. (If you have a chance to change from 192.168.0.0/23 -> 192.168.{other}.0/23 ({other} being even!!). please do, it makes people pay some more attention and "adding" something else doesn't become a major accident).
The test suggested between local system would have revealed the misconfiguration.
Sounds like a DHCP scope definition issue.
Sounds like a DHCP scope definition issue.
a choice of 192.168.0.0-192.168.1.255 is a poor choice as commonly retail routers use the 192.168.0 192.168.1 and 192.168.2 as the common LAN IPs.
what is the local LAN IP from which you are pinging if it is 192.168.1.0/24 that will answer your question.