Cglobal71
New Member
June 12, 2019
Question

Access Multiple network throught IPSEC VPN forticlient

  • June 12, 2019
  • 3 replies
  • 13141 views

Hello,

 

I have a question: can I access multiple networks through the IPsec VPN FortiClient? Here is the infrastructure diagram:

 

LAN A -------------- FGT A ---------------- VPN IPsec site-to-site ---------------- FGT B ----------------- LAN B
192.168.1.X/24       192.168.1.1                                                     192.168.2.1           192.168.2.X/24
                       |
                       |
                  IPsec VPN FortiClient
                  192.168.3.x/24

 

The site-to-site VPN is working normally.

When I am connected to the FortiClient VPN with IP address 192.168.3.10 (for example), I have access to network 192.168.1.0/X, but I have no access to network 192.168.2.X/24.

I have tried some policies, routes, etc., but it still does not work.

 

Any ideas on this question?

 

3 replies

Toshi_Esumi
SuperUser
June 12, 2019

There are many posts for similar situations (VPN to VPN, hub and spokes, etc.) in the forum that you can search. FortiClient wouldn't make much difference. In the end, it all comes down to three key issues: 1) phase 2 network selectors, 2) routing over the tunnels, and 3) FW policies, at each node.

If you're confident about these, what you need to do is sniffing and "flow" debugging at each FGT. But I'm almost sure you're missing one or two of the three keys.

jorge_americo
New Member
June 12, 2019

On the workstation with FortiClient, what does the routing table look like? In the second phase of IPsec, which network did you define?

hubertzw
New Member
June 12, 2019

It wasn't in your post, but you connect to FG-A, right? Does the phase 2 include both subnets, 192.168.1.0/24 and 192.168.2.0/24? Do you have a policy for remote users who connect to FG-A and then connect via the s-2-s tunnel to location B?

Cglobal71
Author
New Member
June 13, 2019

I can connect to FG-A. No, phase 2 does not include subnet 192.168.2.0/24. I can't add this network in the GUI. Must I use the CLI?

hubertzw
New Member
June 13, 2019

Can you show your config? There are too many settings to guess:

- split horizon - do you have this feature on?

- is there any firewall policy for users from SSL.root (or any VDOM you have) to the IPsec interface?

As Toshi Esumi said in the previous post, you are missing one (or more) of these mandatory components:

a) phase 2 selectors (you will not get the route for 192.168.2.0/24),

b) firewall policies on both ends (FG-A and FG-B),

c) routing - I think the routing on FG-A should be fine, but make sure that on site B they know how to send traffic back, based on your source IP.
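As an added example (not from anyone in this thread, and not taken from a real config), this is what the three components a), b) and c) above can look like in the FortiOS CLI, on FG-A and FG-B. It assumes a route-based (interface mode) setup, that the FortiClient dialup tunnel already uses mode-cfg to hand out 192.168.3.x addresses, and the tunnel names "fc-dialup", "s2s-to-B" and "s2s-to-A", which are placeholders.

```text
# FG-A: a) phase 2 selectors. Address objects LAN_A, LAN_B (192.168.2.0/24)
# and FC_pool (192.168.3.0/24) are assumed to exist on both FortiGates.
config firewall addrgrp
    edit "FC_split"
        set member "LAN_A" "LAN_B"
    next
end
# Dialup tunnel (assumed name "fc-dialup"): push both LANs as split-tunnel routes.
config vpn ipsec phase1-interface
    edit "fc-dialup"
        set ipv4-split-include "FC_split"
    next
end
# Site-to-site tunnel (assumed name "s2s-to-B"): extra phase 2 for the client pool,
# so that 192.168.3.0/24 <-> 192.168.2.0/24 is an accepted selector pair.
config vpn ipsec phase2-interface
    edit "s2s-to-B-fc"
        set phase1name "s2s-to-B"
        set src-subnet 192.168.3.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
# FG-A: b) policy from the dialup tunnel interface into the site-to-site tunnel.
config firewall policy
    edit 0
        set name "FC-to-LAN-B"
        set srcintf "fc-dialup"
        set dstintf "s2s-to-B"
        set srcaddr "FC_pool"
        set dstaddr "LAN_B"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# FG-B: c) return path. Mirror the selector (assumed tunnel name "s2s-to-A") and
# route the client pool back into the tunnel; a policy s2s-to-A -> LAN B is also needed.
config vpn ipsec phase2-interface
    edit "s2s-to-A-fc"
        set phase1name "s2s-to-A"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.3.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 192.168.3.0 255.255.255.0
        set device "s2s-to-A"
    next
end
```

After applying this, `diagnose debug flow` on each FortiGate (as suggested above) should show the packet from 192.168.3.10 matching the new policy on FG-A and the new route on FG-B.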