
This section contains tips to help you with some common challenges of IPsec VPNs. A VPN connection has multiple stages that can be confirmed to ensure the connection is working properly. It is easiest to see if the final stage is successful first, since if it is successful the other stages will be working properly. Otherwise, you will need to work back through the stages to see where the problem is located. When a VPN connection is properly established, traffic will flow from one end to the other as if both ends were physically in the same place. If you can determine the connection is working properly, then any remaining problems are likely problems with your applications.

On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source IP. In this scenario, you must assign an IP address to the virtual IPsec VPN interface. Anything sourced from the FortiGate going over the VPN will use this IP address. If the egress/outgoing interface (determined by the kernel route) has an IP address, then use the IP address of the egress/outgoing interface. Otherwise, use the IP address of the first interface in the interface list that has an IP address.

The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following: diagnose vpn tunnel list

This command is very useful for gathering statistical data such as the number of packets encrypted versus decrypted, the number of bytes sent versus received, the SPI identifier, etc.
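As an added example (this is not code from the Fortinet documentation and not a FortiOS feature), the following Python script shows how a practitioner can turn the statistics described above into a quick health check: it parses a sample of `diagnose vpn tunnel list` output, pulls out each tunnel's peer address, ESP SPIs and encrypt/decrypt counters, and classifies the tunnel. The sample output is constructed for this example and only approximates the real layout; the field names the regexes look for (`name=`, `sa=`, `dec: spi=`, `enc: spi=`, `dec:pkts/bytes=`, `enc:pkts/bytes=`) and the one-way-traffic heuristic in `assess` are assumptions of this example, not documented FortiOS rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not real device output): a trimmed imitation of the
# layout of `diagnose vpn tunnel list`, with three tunnels in different states.
SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch ver=2 serial=1 198.51.100.10:0->203.0.113.20:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512
proxyid=to_branch proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/255.255.255.0:0
  dst: 0:10.2.0.0/255.255.255.0:0
  dec: spi=7b4c1d3e esp=aes key=16 (key omitted)
  enc: spi=c3ea9f01 esp=aes key=16 (key omitted)
  dec:pkts/bytes=1520/196608, enc:pkts/bytes=1500/184320
------------------------------------------------------
name=to_dc ver=2 serial=2 198.51.100.10:0->192.0.2.40:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512
proxyid=to_dc proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/255.255.255.0:0
  dst: 0:10.3.0.0/255.255.255.0:0
  dec: spi=19aa0c77 esp=aes key=16 (key omitted)
  enc: spi=4e21b9d0 esp=aes key=16 (key omitted)
  dec:pkts/bytes=0/0, enc:pkts/bytes=830/101376
------------------------------------------------------
name=to_partner ver=1 serial=3 198.51.100.10:0->192.0.2.99:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512
proxyid=to_partner proto=0 sa=0 ref=1 serial=1
  src: 0:10.1.0.0/255.255.255.0:0
  dst: 0:10.4.0.0/255.255.255.0:0
"""


@dataclass
class Tunnel:
    name: str
    local: str
    remote: str
    sa_up: bool = False      # assumption: "sa=N" with N > 0 means a phase 2 SA exists
    enc_spi: str = ""
    dec_spi: str = ""
    enc_pkts: int = 0
    dec_pkts: int = 0
    enc_bytes: int = 0
    dec_bytes: int = 0


# Field layouts below are assumptions modelled on typical FortiOS output (IPv4 only).
TUNNEL_RE = re.compile(r"^name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
SA_RE = re.compile(r"^proxyid=\S+ .*? sa=(\d+)")
SPI_RE = re.compile(r"^\s*(dec|enc): spi=([0-9a-f]+)")
COUNTER_RE = re.compile(r"dec:pkts/bytes=(\d+)/(\d+), enc:pkts/bytes=(\d+)/(\d+)")


def parse_tunnel_list(text: str) -> List[Tunnel]:
    """Split the output into per-tunnel records keyed by the 'name=' header line."""
    tunnels: List[Tunnel] = []
    cur: Optional[Tunnel] = None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            cur = Tunnel(name=m.group(1), local=m.group(2), remote=m.group(3))
            tunnels.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first tunnel
        m = SA_RE.match(line)
        if m:
            cur.sa_up = int(m.group(1)) > 0
            continue
        m = SPI_RE.match(line)
        if m:
            setattr(cur, f"{m.group(1)}_spi", m.group(2))
            continue
        m = COUNTER_RE.search(line)
        if m:
            cur.dec_pkts, cur.dec_bytes, cur.enc_pkts, cur.enc_bytes = map(int, m.groups())
    return tunnels


def assess(t: Tunnel) -> str:
    """Heuristic classification from SA state and ESP counters (this example's rule, not FortiOS's)."""
    if not t.sa_up:
        return "no SA: negotiation never completed (check phase 1/2 proposals, PSK and peer reachability)"
    if t.enc_pkts > 0 and t.dec_pkts == 0:
        return "one-way: we encrypt but never decrypt (peer not replying, or its return route/policy is wrong)"
    if t.dec_pkts > 0 and t.enc_pkts == 0:
        return "one-way: we decrypt but never encrypt (local route/policy sends replies elsewhere)"
    if t.enc_pkts == 0 and t.dec_pkts == 0:
        return "SA up but idle: no traffic has selected this tunnel yet"
    return "healthy: traffic flows in both directions"


def summarize(text: str) -> Dict[str, str]:
    return {t.name: assess(t) for t in parse_tunnel_list(text)}


if __name__ == "__main__":
    for t in parse_tunnel_list(SAMPLE_OUTPUT):
        print(f"{t.name:12} {t.local}->{t.remote} enc_spi={t.enc_spi or '-':8} "
              f"dec_spi={t.dec_spi or '-':8} enc={t.enc_pkts} dec={t.dec_pkts}: {assess(t)}")
```

The counters are what make the command useful for working back through the stages: a tunnel with an SA but zero decrypted packets tells you phase 1 and phase 2 succeeded and the problem is on the return path, which is a different investigation from a tunnel that never negotiated an SA at all. To run it against a real unit, capture the command output to a file and pass the file contents to `summarize` instead of `SAMPLE_OUTPUT`.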
