Skip to main content
ABE_63
ABE_63
New Member
January 16, 2024
Question

Can't connect to LAN when VPN connection is made over wireless access point.

  • January 16, 2024
  • 3 replies
  • 2419 views

I have tried to create a VPN connection from a device connected to a fortinet wireless AP to a device connected to another port on the Fortigate. I have managed to successfully get an IPSec VPN connection, but when connected, i can not ping the other device. Here are the current policies I have in place in an attempt to achieve this:

 

Outbound Policy (SSID to Internal):

  • Incoming Interface: SSID interface.
  • Outgoing Interface: Port 2 (internal network).
  • Source: SSID subnet. User: VPN_User_Group
  • Destination: Internal network subnet.
  • Action: Accept.
  • Service: All.

Inbound Policy (Internal to SSID):

  • Incoming Interface: Port 2 (internal network).
  • Outgoing Interface: SSID interface.
  • Source: Internal network subnet.
  • Destination: SSID subnet.
  • Action: Accept.
  • Service: All.

IPSec Policy (IPSec to Internal):

  • Incoming Interface: IPSec interface.
  • Outgoing Interface: Port 2 (internal network).
  • Source: Client address range subnet. User: VPN_User_Group
  • Destination: Internal network subnet.
  • Action: Accept.
  • Service: All.

When i try ping the internal network interface, i get "request timed out". I can only ping as far as the AP interface. There is the port interface that the AP connects to so my next step is to look at what policies may need to be applied using this interface. Any help is greatly appreciated.

3 replies

AEK
SuperUser
AEK
SuperUser
January 16, 2024

The following may help you in troubleshooting:

  • Check the routing table of the client once it is connected to VPN
  • Check the traffic logs on FGT to see if the packets are arriving from VPN client, and if they are accepted, and if there is a reply from the VPN server
AEK
hbac
Staff
hbac
Staff
January 17, 2024

Hi @ABE_63,

 

Please run debug flow to see if the traffic is being dropped. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

 

Example (Replace x.x.x.x with destianation IP): 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr x.x.x.x
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Regards, 

mle2802
Staff
mle2802
Staff
January 17, 2024

hi @ABE_63

Can you try to run a sniffer to see packet is flowing using the command diag sniffer packet any "host X.X.X.X and icmp" 4 0 l

Regards, 

Terms & ConditionsAccessibility statement