Hi,
I'm just configuring a Meraki to FortiGate VPN, and I'm running into an issue where traffic seems to be blocked from reaching the Meraki. I'm able to have the IPsec tunnel established and stable. From the Meraki side, I'm able to ping, RDP, etc. into the FortiGate office.
I'm not able to do anything from the FortiGate side. Toggling the FortiGate-local to Meraki-remote firewall policy doesn't even make a difference (still able to stay connected via RDP too).
When I try to add a firewall exception on the Meraki, I get an error that the address range does not apply to any configured local or VPN subnets.
When I look at the Meraki route tables, it says no data.
Just looking for some help.
Thanks,
Solved!
Greetings @GregoryW
Can you please disable NATing on your FortiGate IPsec firewall policy (local > remote)?
Your IPsec interface on the FortiGate doesn't have an IP associated with it (unless you have configured one), so the NAT function won't do you any good.
This would also explain why traffic initiated from the Meraki to the FortiGate is working. The FortiGate IPsec firewall policy (remote > local) should also have NAT disabled; however, it's still working because the egress interface "local-lan" does have an IP attached to it.
Make sense?
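As an added illustration (not from this thread or from either poster), this is what the suggested change looks like in FortiOS CLI: the LAN-to-tunnel policy with NAT enabled beside the corrected version with NAT disabled, plus the reverse policy and a quick capture to confirm the fix. The interface names ("lan", "to_meraki"), address objects ("local-lan", "meraki-remote") and policy IDs are assumptions constructed for the example.

```fortios
# Assumed names (constructed for this example): "lan" is the FortiGate LAN
# interface, "to_meraki" is the IPsec tunnel interface, and "local-lan" /
# "meraki-remote" are the address objects for the two VPN subnets.

# BEFORE: NAT enabled on the tunnel-bound policy. The IPsec interface has no
# IP address, so LAN sources get translated to an unusable address and the
# Meraki never sees traffic from the subnet it learnt over the VPN.
config firewall policy
    edit 10
        set name "local-to-meraki"
        set srcintf "lan"
        set dstintf "to_meraki"
        set srcaddr "local-lan"
        set dstaddr "meraki-remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# AFTER: the same policy with NAT disabled, so the real LAN source address
# is carried across the tunnel and replies can be routed back.
config firewall policy
    edit 10
        set nat disable
    next
end

# The remote > local policy should have NAT off as well. It only happens to
# work with NAT on because its egress interface "lan" does have an address.
config firewall policy
    edit 11
        set name "meraki-to-local"
        set srcintf "to_meraki"
        set dstintf "lan"
        set srcaddr "meraki-remote"
        set dstaddr "local-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Check: sniff the tunnel interface while pinging a remote host from the LAN.
# The source address should now be the LAN host, not a translated address.
diagnose sniffer packet to_meraki 'icmp' 4
```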
My gut feel here is that this is something on the FortiGate side. If the VPN is coming up and you are able to ping and RDP from the Meraki to the FortiGate, then traffic is travelling successfully in both directions over the connection. This would lead me to believe that there is a firewall rule on the FortiGate that is blocking traffic originating on the other side.
The Meraki firewall rule error is because that subnet isn’t local, it’s at the remote site, and those rules don’t apply to VPN traffic. By default the Meraki MX will allow all traffic over the VPN to a learnt remote subnet (you can change this on the site-to-site VPN page, with the site-to-site outbound firewall rules).
Here's how we have the FortiGate rules configured:
We also tried to use the FortiGate wizard to autocreate all required objects, got it switched to a custom IPsec tunnel, but still no luck.
Are you sure it's not something simple like Windows Firewall on your end stopping it from working?
Tried that. Also, I'm trying to reach non-server devices, like switches or routers, with no success. Also tried two different ISPs to make sure it wasn't an ISP firewall causing the issue.