Brilliant, this would really help FortiGate engineers fix all the S2S-related issues. Awesome.
Newbie to FortiGate; this video resolved my site-to-site VPN issue.
It was really to the point. Thanks mate.
It will help to solve S2S issues, thank you.
very good explanation
just great. thanks for sharing.
Amazing content! Thanks so much!
Excellent video!
Interesting video, well done ! Thanks
Amazing 🎉
Thank you very much for the video !!
When you create a tunnel in Fortigate, do you have to explicitly create a firewall rule to say allow traffic (port 500, 4500) from remote gateway IP to your firewall's Public IP ?
No, you do not need a rule for port 500 or 4500 (this is traffic to/from the FortiGate itself, which is implicitly allowed by default via the local-in policy).
What is required is a firewall policy referencing the IPsec tunnel interface (if that's missing, the FortiGate won't establish a tunnel).
@tothepointfortinet3823 Thanks
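Added example (not from the video or the commenters above): a minimal FortiOS CLI skeleton showing what the answer says is actually required. There is no local-in entry for UDP 500/4500; what the tunnel needs is phase 1/phase 2, a route into the tunnel interface, and one firewall policy per direction that references that interface. Interface names ("wan1", "internal"), the subnets, the peer address 203.0.113.10 and the tunnel name "to-branch" are placeholders.

```fortios
# Assumptions (placeholders, not from the video): WAN is "wan1", LAN is
# "internal", local subnet 10.1.0.0/24, remote subnet 10.2.0.0/24,
# remote gateway 203.0.113.10.

# Phase 1 creates the tunnel interface "to-branch". No local-in policy is
# needed for UDP 500/4500: IKE addressed to the FortiGate's own interface
# IP is accepted by default. (A custom deny local-in-policy would be the
# one thing that could block it.)
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set nattraversal enable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <pre-shared-key>
    next
end

# Phase 2 selectors must mirror the peer's (their dst is our src).
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Address objects referenced by the policies.
config firewall address
    edit "lan-10.1.0.0"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "branch-10.2.0.0"
        set subnet 10.2.0.0 255.255.255.0
    next
end

# Route the remote subnet into the tunnel interface. Without this the
# policy never matches because traffic is never sent toward "to-branch".
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-branch"
    next
end

# The part the question is about: one policy per direction referencing
# the tunnel interface. Nothing here mentions UDP 500 or 4500.
config firewall policy
    edit 0
        set name "lan-to-branch"
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "lan-10.1.0.0"
        set dstaddr "branch-10.2.0.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "branch-to-lan"
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "branch-10.2.0.0"
        set dstaddr "lan-10.1.0.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

"ALL" is for bring-up only; narrow the service list once traffic flows. After applying, confirm the route is present with `get router info routing-table all` and that the tunnel interface shows up as a policy interface before chasing IKE problems.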
great job, tks!
Thanks mate, very useful information for me.
Excellent
great content 🤝
I love it, thanks.
thanks for sharing
Sir, my problem is that all connections are up but no incoming or outgoing data is passing.
Might want to check firewall policy config, ipsec selectors and routing config. If you still have trouble check out my video on sniffer. Then it might be good to call support
Good 🎉
Thanks, nice video. If you allow me a question: if NAT-T is enabled, should I expect traffic on port 500 as well in phase 1, or on 4500? I am confused.
Yes, you should always expect traffic on port 500 regardless of NAT-T; NAT-T is specific to phase 2.
Here are the ports/protocols to expect depending on whether NAT-T is in use or not:
NAT-T NOT being used:
phase 1 = UDP 500
phase 2 = ESP (i.e. IP protocol 50)
NAT-T being used:
phase 1 = UDP 500
phase 2 = UDP 4500
@tothepointfortinet3823 Thanks a lot for the reply, you are a nice person :)
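Added example (mine, not the commenters'): how to confirm on the FortiGate itself which of the cases above you are in, using the built-in sniffer and the IKE/tunnel diagnostics. The peer address 203.0.113.10 and tunnel name "to-branch" are placeholders. One caveat a practitioner should know: once both peers detect a NAT, IKE itself also floats to UDP 4500 (RFC 7296 section 2.23), so with NAT-T you see the first IKE exchange on 500 and everything after it, including later IKE messages, on 4500.

```fortios
# Capture all IPsec-related packets to/from the peer on any interface.
# The filter is tcpdump-style: IKE on UDP 500, NAT-T on UDP 4500,
# ESP = IP protocol 50. Verbosity 4 prints interface names; 20 = stop
# after 20 packets.
diagnose sniffer packet any 'host 203.0.113.10 and (udp port 500 or udp port 4500 or proto 50)' 4 20

# Reading the output (roughly, x.x.x.x is our WAN address):
#   203.0.113.10.500 -> x.x.x.x.500: udp ...      phase 1 (IKE)
#   203.0.113.10 -> x.x.x.x: ESP ...               phase 2 without NAT-T
#   203.0.113.10.4500 -> x.x.x.x.4500: udp ...    NAT-T: IKE after NAT
#                                                  detection, and phase 2
# Raw ESP and UDP 4500 do not both appear for the same tunnel.

# Whether NAT-T was negotiated is also reported on the gateway entry.
diagnose vpn ike gateway list name to-branch

# "Connections up but no data": look at the negotiated selectors and the
# encap/decap counters here. Counters that never move point at the
# policy, route, or a selector mismatch rather than at IKE.
diagnose vpn tunnel list name to-branch
```

Run the sniffer while initiating traffic from the LAN side; if you see IKE on 500 but never ESP or 4500, phase 1 is fine and the problem is phase 2 selectors, routing, or the missing policy referencing the tunnel interface.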
Wow what great content!
I already created a site-to-site tunnel. It connects successfully, but from the other side I can't ping their IPs (local IPs).
Kindly turn off that system firewall and ping
❤
Thanks
Thanks (Y)