alihmp2005
New Member
August 3, 2022
Solved

Remote SSL VPN User cannot see other branches.


Hello Guys,

 

I have configured this network in my laboratory (please see the photo) Toplogy.png. I have two FortiGate 7.2, and both FortiGates are connected through a site-to-site VPN tunnel (I created it with the IPsec wizard). I have also configured SSL VPN in tunnel mode, and my remote user is connected to FortiGate 1 with public IP 1.1.1.1. Now the problem is that the remote VPN user can only see Client 1 and cannot see Client 2. What can be the issue? Or do you have any training material for this topology?

Thanks in advance,

Ali 

Best answer by vdralio

Dear @alihmp2005 ,

 

Please check the articles below; they will help you resolve the issue:

 

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/45836/ssl-vpn-to-ipsec-vpn

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Forward-traffic-originating-from-SSLVPN-into-IPsec/ta-p/194159?externalID=FD46652

 

Best Regards,

Vasil Dralio

2 replies

vdralio
Staff
August 3, 2022
alihmp2005
New Member
August 5, 2022

Thank you so much, I found the problem: I didn't add the remote VPN IP range in the routing and policy. I added it and the problem was solved.

sw2090
SuperUser
August 3, 2022

Well, I would first check the routing table on the remote user's client. It has to have a route to the subnet that FortiGate 2 and Client 2 are in. Or the default route has to have FortiGate 1 as gateway (which would mean that all of the remote user's internet traffic would go over the VPN and hit FortiGate 1. I would not recommend that).

That is because the routing table is the first thing that is looked at to find a way to the destination. And that way is either the default route (because it matches anything that is not matched by any other route) or a static/connected route.

Then FortiGate 1 also has to know a route to the FortiGate 2 subnet, plus it has to have a policy that allows traffic from the VPN to the FortiGate 2 subnet.

And last but not least, FortiGate 2 has to have a route back to your VPN and a policy to allow traffic to flow.
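
The route and policy pieces named in the replies above, written out as FortiOS CLI. This is an added example and not part of any reply in the thread. The subnets (192.168.2.0/24 for the Client 2 LAN, 10.212.134.0/24 for the SSL VPN range), the tunnel interface names `to-FGT2` and `to-FGT1`, the LAN interface `port2` and the user group `sslvpn-users` are assumptions; substitute the values from your own topology.

```fortios
# ---- FortiGate 1 (SSL VPN gateway); all names and subnets below are assumed ----
# A route to 192.168.2.0/24 via the tunnel must exist: get router info routing-table all
config firewall address
    edit "FGT2_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "sslvpn-to-branch2"
        set srcintf "ssl.root"
        set dstintf "to-FGT2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set groups "sslvpn-users"
        set dstaddr "FGT2_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# ---- FortiGate 2 (branch): return route and inbound policy ----
config firewall address
    edit "SSLVPN_POOL"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "FGT2_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
# Without this route, replies to the SSL VPN range never go back into the tunnel.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "to-FGT1"
    next
end
config firewall policy
    edit 0
        set name "sslvpn-from-hq"
        set srcintf "to-FGT1"
        set dstintf "port2"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "FGT2_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

If the tunnel's phase 2 selectors are limited to the two LAN subnets, the SSL VPN range has to be added to them on both units as well. Once connectivity is confirmed, narrow `service "ALL"` to the services the remote users actually need.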