We are setting up our remote locations and would like to use MT against FG (FortiGate). The IPsec tunnels already work, but we can't ping devices on the particular MT itself on its own wire; it always seems to go into the tunnel. When we disable the corresponding IPsec policy, ping starts to work.
I have already tried many things: an SRC-NAT rule accepting the local traffic before the masquerade rule, and I have read some older discussions about utilising some RAW settings, but to no avail.
Here's the config on my hAP-ac2:
/ip address
add address=10.110.112.1/24 interface=bridge-LOCAL network=10.110.112.0
/ip ipsec policy
add dst-address=10.110.0.0/16 peer=company src-address=10.110.112.0/24 tunnel=yes
I thought that I would always be able to ping devices on the local wire. How can I make an exception and prevent pings from the local MT to its local interface network from going into the tunnel?
PS: We are able to ping devices between the tunnels, just not locally, directly on the given MTs.
The other problem is the missing keep-alive. The tunnel goes to sleep unless communication is initiated from the remote location. Hopefully some scheduled ping would do it.
Thanks a lot,
/Petr
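The following RouterOS configuration is an added example and is not part of Petr's post or of any vendor documentation. It addresses both points in the post. First, the local-to-local exception: 10.110.112.0/24 lies inside 10.110.0.0/16, so a packet the router itself sends from 10.110.112.1 to a host on bridge-LOCAL matches the tunnel policy. IPsec policies are matched top-down, so a more specific policy with action=none placed above the tunnel policy keeps that traffic in the clear. This belongs in the policy table rather than in NAT: an "accept" srcnat rule leaves the source address unchanged, so the packet still matches the tunnel policy. Second, the keepalive: a scheduled ping sourced from the local subnet generates traffic that matches the tunnel policy and makes the router negotiate the SA itself. The remote host 10.110.1.1 used as the ping target is a hypothetical address; replace it with a host that really exists behind the FortiGate. The example also assumes the existing tunnel policy from the post is the only policy for peer "company".

```routeros
# Added example, not from the original post. Assumes the tunnel policy
# "src=10.110.112.0/24 dst=10.110.0.0/16 peer=company" already exists and that
# 10.110.1.1 (hypothetical) is a reachable host behind the FortiGate.

# 1. Local-wire bypass: a more specific policy that is NOT encrypted.
#    It must sit above the tunnel policy, because the first matching policy wins.
/ip ipsec policy
add src-address=10.110.112.0/24 dst-address=10.110.112.0/24 action=none \
    comment="local wire bypass - keep above the tunnel policy"
# New entries are appended at the end; move the bypass to position 0.
move [find comment~"local wire bypass"] 0
# Check the order: the bypass line must be printed first.
print

# 2. Keepalive: one ping every 30 s, sourced from the local subnet so that it
#    matches the tunnel policy and keeps the SA negotiated from this side.
/system scheduler
add name=ipsec-keepalive interval=30s \
    on-event="/ping 10.110.1.1 src-address=10.110.112.1 count=1" \
    comment="keeps the IPsec SA to peer company up"

# Check: an SA to the FortiGate should stay listed between two keepalive runs.
/ip ipsec installed-sa print
```

Two checks after applying this: `/ping 10.110.112.50` (any host on the bridge) from the router should now answer without the tunnel policy being disabled, and `/ip ipsec installed-sa print` should keep showing SAs for the company peer even when no one at the remote site is generating traffic. If the bypass is listed below the tunnel policy, the ordering step did not take effect and the local pings will still be encrypted.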