gregm
New Member
September 9, 2020
Question

IPSec VPN not able to connect to one side of site to site VPN tunnel

Client is using 2 FortiGate 80E firewalls configured for site-to-site IPsec VPN; the tunnel is up, and users at both locations can access and ping across to the other site. When any user connects remotely via the FortiClient program, they can only access the location the VPN is on. They cannot ping across or resolve server names. Something changed a couple of months ago, as they were able to connect before. We have checked settings on both ends, but do not see what would prevent it. We recently onboarded this client and do not have older backup configs to compare against.

    1 reply

    sw2090
    SuperUser
    September 10, 2020

    So this means:

    Dial-up IPsec FortiClient => FGT works, and one can reach the subnets on the FGT as one should.

    But one cannot reach the subnet(s) behind the other end of the S2S IPsec between the two FGTs, correct?

     

    I would recommend:

    - connect FortiClient
    - check the routing table on the client
    - check the routing table on both FGTs
    - check the policies on both FGTs

    Probably start a flow debug in the CLI on each FGT to see what happens to your traffic:

      diag debug ena
      diag debug flow filter clear
      diag debug flow filter <saddr/daddr = ip>
      diag debug flow trace start <numberofpackets>

    This will show you if the traffic reaches the FGT and, if it does, which policy it hits and where it is going.
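As an added illustration of reading the flow trace the reply suggests (not code from the poster or from Fortinet), the script below groups trace lines by trace_id and pulls out the ingress interface, the route lookup result, and the policy verdict for each packet. The sample lines are constructed in the style of FortiOS debug flow output, and the interface names, policy IDs and addresses are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Constructed sample in the style of FortiOS "diag debug flow" output (not taken from the page).
# Interface names (FortiClient_VPN, SiteB_IPsec, internal), addresses and policy IDs are assumed.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.10.1.20:1->10.20.1.5:2048) from FortiClient_VPN. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5528 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.20.1.5 via SiteB_IPsec"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.10.1.20:1->10.10.0.5:2048) from FortiClient_VPN. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5528 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.10.0.5 via internal"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Allowed by Policy-5:"
"""

RE_TID = re.compile(r'trace_id=(\d+)')
RE_PKT = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
RE_ROUTE = re.compile(r'find a route: .*? via (\S+)"')
RE_ALLOW = re.compile(r'Allowed by Policy-(\d+)')
RE_DENY = re.compile(r'Denied by forward policy check \(policy (\d+)\)')

def parse_debug_flow(text):
    """Group trace lines by trace_id; record src/dst, ingress and egress
    interfaces, and the policy verdict (allow/deny plus policy ID)."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = RE_TID.search(line)
        if not m:
            continue
        t = traces[int(m.group(1))]
        if (p := RE_PKT.search(line)):
            t.update(proto=int(p.group(1)), src=p.group(2), dst=p.group(3), ingress=p.group(4))
        elif (r := RE_ROUTE.search(line)):
            t['egress'] = r.group(1)          # interface the route lookup chose
        elif (a := RE_ALLOW.search(line)):
            t.update(verdict='allow', policy=int(a.group(1)))
        elif (d := RE_DENY.search(line)):
            t.update(verdict='deny', policy=int(d.group(1)))  # policy 0 = no matching policy
    return dict(traces)

def summarize(traces):
    """One line per packet: shows whether a dial-up client's packet was routed
    into the S2S tunnel and which policy allowed or denied it."""
    return [f"trace {tid}: {t.get('src')} -> {t.get('dst')} in={t.get('ingress')} "
            f"out={t.get('egress', '?')} verdict={t.get('verdict', '?')} policy={t.get('policy', '?')}"
            for tid, t in sorted(traces.items())]

if __name__ == "__main__":
    for line in summarize(parse_debug_flow(SAMPLE_TRACE)):
        print(line)
```

In the constructed sample, trace 1 is routed toward the S2S tunnel interface but hits "policy 0", i.e. no policy from the dial-up interface to the tunnel interface matched, which is the kind of gap the reply's policy check is meant to surface.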