Raffael_Hotz
New Member
October 7, 2019
Question

connect to remote vpn site through forticlient


Hello there,

I have 3 sites, A, B, C. A and C with public IP, B behind NAT. I have set up a Site-to-Site VPN between A and B, A and C and B and C. So far so good, I can work with all sites when I am in one of the local subnets. But now, I want to work remotely. With the FortiClient I can already connect to each site. But I don't want to connect to each site, I want to connect to one site and manage all 3 sites.

I thought it is enough to do policies like "forticlient_interface" to "vpn_A", "forticlient_interface" to "vpn_B" and "vpn_A" to "forticlient_interface", "vpn_B" to "forticlient_interface". The FortiClient VPN is in the same management subnet 10.0.1.0/24 from where I can reach all sites when I am connected locally.

Is there anything I am missing?

Hope you guys can help.

Thanks,

Raffael


    Toshi_Esumi
    SuperUser
    October 7, 2019

    Check 1) routes, 2) policies, and 3) network selectors (phase2), especially at the remote sites. They need to know the client subnet and where (which VPN) to route it to, and it needs to be allowed by policies and selectors.

    tranhuyvu
    New Member
    October 8, 2019

    You're having the same /24 network on each site on your SSL VPN interface. That's the reason why you can't reach the other 2 sites once you're connected to one. Here's an example of what you should do.

    Assign 10.0.1.0/24 to site A, 10.0.2.0/24 to site B, 10.0.3.0/24 to site C.

    On site A, create 2 static routes: 10.0.2.0/24 goes to the A-B tunnel, 10.0.3.0/24 goes to the A-C tunnel.

    On site B, create 2 static routes: 10.0.1.0/24 goes to the A-B tunnel, 10.0.3.0/24 goes to the B-C tunnel.

    On site C, create 2 static routes: 10.0.1.0/24 goes to the A-C tunnel, 10.0.2.0/24 goes to the B-C tunnel.

    Then create policies on each tunnel accordingly.

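    Site A's side of the routes, selectors and policy described above (and the phase2 selector point from Toshi_Esumi's reply), as an added FortiOS CLI example that is not from any poster in this thread. The tunnel interface names "to_siteB" and "to_siteC", the SSL VPN interface "ssl.root" and the pool address object "SSLVPN_TUNNEL_ADDR1" are assumptions; substitute your own names.

```fortios
# Site A. Assumed names: "to_siteB"/"to_siteC" = site-to-site IPsec tunnel
# interfaces, "ssl.root" = SSL VPN interface, SSLVPN_TUNNEL_ADDR1 = the
# 10.0.1.0/24 client pool assigned to site A.

# 1) Routes: the client pools of the other sites go through their tunnel.
config router static
    edit 0
        set dst 10.0.2.0 255.255.255.0
        set device "to_siteB"
    next
    edit 0
        set dst 10.0.3.0 255.255.255.0
        set device "to_siteC"
    next
end

# 2) Phase 2 selector: the A-B tunnel must carry the client pool, not only
#    site A's LAN, otherwise client traffic never matches the SA.
config vpn ipsec phase2-interface
    edit "to_siteB_clients"
        set phase1name "to_siteB"
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# 3) Policy: clients arriving on ssl.root may enter the A-B tunnel.
#    Replace dstaddr "all" / service "ALL" with the remote management
#    hosts and services you actually need; this is a management path.
config firewall policy
    edit 0
        set name "sslvpn-to-siteB"
        set srcintf "ssl.root"
        set dstintf "to_siteB"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Site B mirrors this: a static route for 10.0.1.0/24 via its A-B tunnel
# interface, a phase 2 selector that includes 10.0.1.0/24, and a policy
# from that tunnel interface to its LAN with srcaddr = site A's client pool.
```

    Repeat the route, selector and policy block for the A-C tunnel with 10.0.3.0/24, and verify the result with `get router info routing-table all` and `diagnose vpn tunnel list` on both ends before assuming the policies are at fault.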
    Raffael_Hotz
    New Member
    October 10, 2019

    Hi,

    thanks for the answers. So no, I don't have the same subnets. They are 10.0.1.0/24, 10.10.1.0/24, and 10.20.1.0/24. The thing is, if I am on site, I am in the same subnet as I am when connected via FortiClient, and then everything works fine. So I guess it is not a static routes thing, no?

    I will try and check my policies.

    Thanks so far