Meraki

Community

Fortigate to Meraki IPsec - traffic only going one way

Solved
GregoryW
Conversationalist
‎Dec 4 2020 10:51 AM
‎Dec 4 2020 10:51 AM

Fortigate to Meraki IPsec - traffic only going one way

Hi,

 

I'm just configuring a Meraki to Fortigate VPN, and I'm running into an issue where traffic seems to be blocked from reaching the meraki. I'm able to have the IPSEC tunnel be established and stable. From the meraki side, I'm able to ping, rdp, etc. into the FortiGate office

I'm not able to do anything from the fortigate side. Toggling the fortigate-local to meraki-remote firewall policy doesn't even make a difference. (still able to stay connected via rdp too) 

When I try to add a firewall exception on the meraki, i get an error that the address ranges does not apply to any configured local or vpn subnets.

Screenshot 2020-12-04 122517.png

When I look at the meraki route tables, It says no data.

Screenshot 2020-12-04 122337.png

Just looking for some help

 

Thanks, 

0 Kudos
1 Accepted Solution
In response to GregoryW
General-Zod
Getting noticed
‎Dec 7 2020 12:45 PM
‎Dec 7 2020 12:45 PM

Greetings @GregoryW 

 

Can you please disable NATing on your fortigate IPsec firewall policy. Local>remote

Your IPsec interface on the fortigate doesn’t have a ip associated with it (unless you have configured one) so the NAT function won’t do you any good. 

This would also explain why traffic initiated from the Meraki to Fortigate is working. The fortigate IPsec firewall Policy remote>Local should also have NAT disabled, however it’s still working as the egress interface “local-lan” does have a ip attached to its interface.

make sense?

 

 

View solution in original post

5 Replies 5
Bruce
Kind of a big deal
‎Dec 4 2020 1:26 PM
‎Dec 4 2020 1:26 PM

My gut feel here is that this is something on the Fortigate side. If the VPN is coming up and you are able to ping and RDP from the Meraki to the Fortigate then traffic is travelling successfully in both directions over the connection. This would lead me to believe that there is a firewall rule on the Fortigate that is blocking traffic that is originating on the other side.

 

The Meraki firewall rule error is because that subnet isn’t local, it’s at the remote site, and those rules don’t apply to VPN traffic. By default the Meraki MX will allow all traffic over the VPN to a learnt remote subnet (you can change this on the site-to-site VPN page, with the site-to-site outbound firewall rules).

0 Kudos
In response to Bruce
GregoryW
Conversationalist
‎Dec 7 2020 7:01 AM
‎Dec 7 2020 7:01 AM

Here's how we have the fortigate rules configured

 

GregoryW_0-1607352799813.png

 

GregoryW_1-1607352895044.png

We also tried to used the fortigate wizard to autocreate all required objects, got it switched to a custom ipsec tunnel, but still no luck 

 

 

0 Kudos
In response to GregoryW
General-Zod
Getting noticed
‎Dec 7 2020 12:45 PM
‎Dec 7 2020 12:45 PM

Greetings @GregoryW 

 

Can you please disable NATing on your fortigate IPsec firewall policy. Local>remote

Your IPsec interface on the fortigate doesn’t have a ip associated with it (unless you have configured one) so the NAT function won’t do you any good. 

This would also explain why traffic initiated from the Meraki to Fortigate is working. The fortigate IPsec firewall Policy remote>Local should also have NAT disabled, however it’s still working as the egress interface “local-lan” does have a ip attached to its interface.

make sense?

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 5 2020 1:43 PM
‎Dec 5 2020 1:43 PM

Are you sure it' not something simple like Windows Firewall on your end stopping it from working?

0 Kudos
In response to PhilipDAth
GregoryW
Conversationalist
‎Dec 7 2020 6:40 AM
‎Dec 7 2020 6:40 AM

Tried that. Also I'm trying to reach non-server devices, like switches or routers with no success. Also tried two different ISPs to make sure it wasn't a ISP firewall causing issue

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.