Description: This article describes a dialup IPsec VPN where users connect successfully, but their traffic is then dropped by the FortiGate because no firewall policy matches it.
Scope: FortiGate.
Solution:
A debug flow is run on the FortiGate while a ping is issued from the client. The traffic reaches the firewall but is dropped.

From the client:

Pinging 192.192.192.191 with 32 bytes of data:

On the FortiGate:

Challenger-kvm44 # di deb flow filter addr 20.20.20.1
Challenger-kvm44 # 2024-01-26 14:41:11 id=65308 trace_id=1 func=print_pkt_detail line=5885 msg="vd-root:0 received a packet(proto=1, 20.20.20.1:1->192.192.192.191:2048) tun_id=20.20.20.1 from IPsec_VPN. type=8, code=0, id=1, seq=30."
The firewall policy is correctly configured to allow traffic from the tunnel interface to the LAN network:
config firewall policy
The dialup IPsec VPN is configured and listening on the port1 and wan interfaces, and clients can connect successfully:
config vpn ipsec phase1-interface
Solution: If the dialup VPN configuration is set to 'Choose' a user group (the group is selected on the VPN itself), the user group must be removed from the firewall policy.
If instead the dialup VPN uses 'Inherit from policy', make sure the firewall policy references the correct user group.
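As an added check, not part of the article or of FortiOS, the script below parses a constructed FortiOS CLI fragment and reports policies whose 'set groups' conflicts with the dialup phase1's user-group setting ('Choose' corresponds to authusrgrp in the CLI; its absence means 'Inherit from policy'). The keywords authusrgrp, groups, srcintf and type dynamic are real FortiOS settings; the tunnel name, policy ID and group name are assumed.

```python
import shlex

# Constructed FortiOS fragment (not from the article): phase1 selects a user group
# (authusrgrp, 'Choose') and the policy for that tunnel also demands a group.
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "IPsec_VPN"
        set type dynamic
        set xauthtype auto
        set authusrgrp "VPN_Users"
    next
end
config firewall policy
    edit 10
        set srcintf "IPsec_VPN"
        set groups "VPN_Users"
    next
end
"""

def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}} for flat config/edit/set blocks."""
    sections, section, entry = {}, None, None
    for parts in filter(None, map(shlex.split, text.splitlines())):  # skip blank lines
        if parts[0] == "config":
            section = " ".join(parts[1:]); sections.setdefault(section, {})
        elif parts[0] == "edit":
            entry = parts[1]; sections[section][entry] = {}
        elif parts[0] == "set":
            sections[section][entry][parts[1]] = parts[2:]  # keeps multi-valued fields
        elif parts[0] == "next":
            entry = None
        elif parts[0] == "end":
            section = None
    return sections

def check_dialup_groups(text):
    """Flag policies whose user-group setting conflicts with the dialup phase1 they serve."""
    cfg, findings = parse_fortios(text), []
    for tunnel, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type") != ["dynamic"]:
            continue  # only dialup tunnels have the Choose / inherit-from-policy option
        group_on_tunnel = "authusrgrp" in p1
        for pid, pol in cfg.get("firewall policy", {}).items():
            if tunnel not in pol.get("srcintf", []):
                continue
            if group_on_tunnel and "groups" in pol:
                findings.append((pid, "remove 'set groups'; %s already selects authusrgrp" % tunnel))
            elif not group_on_tunnel and "groups" not in pol:
                findings.append((pid, "add 'set groups'; %s inherits the group from policy" % tunnel))
    return findings
```

Run it against the output of `show vpn ipsec phase1-interface` and `show firewall policy` concatenated into one file; an empty result means every dialup tunnel and its policies agree on where the user group is enforced.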
Copyright 2024 Fortinet, Inc. All Rights Reserved.