Skip to main content
InakiGmail
InakiGmail
New Member
February 16, 2022
Question

Share resources between vpn client

  • February 16, 2022
  • 10 replies
  • 6123 views

Hi,

 

We have a vpn site with a Fortigate 60F. We want to share folders and access to applications between some users connected by vpnssl. We added a rule that all clients connected to net VPNSSL_NET, network vpn, have access to same network in all servicies. But when we do, for a example, a ping between clients connected by vpn, it fails.

Do you know how to do to access to shared resources?

 

Thank you,

 

10 replies

fiesta
fiesta
New Member
February 16, 2022

Hi,

 

First, check the firewall policy, in and out interface should be ssl.vdomname interface.
Seconds, disable client built in firewall, ex: windows firewall (pub/priv), UFW (linux).

InakiGmail
InakiGmailAuthor
New Member
February 16, 2022

Hi,

 

I think that it is how we have and it doesn't works.

Iaki_0-1645047288725.png

Thank you,

fiesta
fiesta
New Member
February 18, 2022

Try pinging your VPN client ip from fortigate, if doesn't work, check vpnclient firewall status (windows firewall or UFW), it should be turn off. Try disable NAT as well.

 

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 16, 2022

Two things I can think of that would prevent this even the vpn-vpn policy is in place:

1. No route on the FGT for client IPs(subnet)

2. Client IPs are NATed by the policy (the image is cut off before the NAT portion).

 

Try pinging a client from the FGT while running sniffing and then flow debug. For flow debug you might need to ping from a LAN connected device.

 

Toshi

InakiGmail
InakiGmailAuthor
New Member
February 17, 2022

Hi,

 

If we disable Nat in that rule, nothing changes. How we ping from the Fortigate?

 

Thank you,

 

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 18, 2022

From CLI, "exe ping <client_IP>".

But do you have static route for the super-net of all client IPs toward ssl.root interface? If you're using the default range SSLVPN_TUNNEL_ADDR1=10.212.134.200 - 210, at least you need to have a route for 10.212.134.192/28 to ssl.root.

 

I would remove NAT since I assume you never configured IP for ssl.root interface so if it's NAT(SNAT)ed, I'm not sure what source IP the FGT picks for those packets between clients. Without NAT, everything is between source client IP and destination client IP. So you can set filters for your sniffing to observe ping traffic.

ede_pfau
SuperUser
ede_pfau
SuperUser
February 19, 2022

@Toshi_EsumiI think, NAT on unnumbered interfaces just does not NAT at all. I'll have to check that but I'm quite sure I've seen that happen on a VPN link.

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 19, 2022

Thanks Ede. I should have tested it while sniffing to see the effect of NAT.

 

Toshi

ede_pfau
SuperUser
ede_pfau
SuperUser
February 19, 2022

and I should be sure from what I've seen debugging this week. Which address should NAT use anyway if 'use interface address' is selected and there is no IF address assigned? The most reasonable choice IMHO would be not to use any address at all in this case.

InakiGmail
InakiGmailAuthor
New Member
February 24, 2022

Hi,

 

Sorry for my late response. We add a new route, but we still can't do ping between vpn clients.

Iaki_0-1645725354697.png

We guess we do the static route wrong.

 

Thanks,

I

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
February 24, 2022

It does look ok to me if that subnet is actually the range the FGT is handing out to the client. You need to sniff it at the FGT when you send ping packets from a client.

Are you split-tunneling? Then that subnet needs to be included in the networks for the split tunneling as well.

 

Toshi

InakiGmail
InakiGmailAuthor
New Member
February 24, 2022

Hi,

 

It works!!! We forget to disable nat in the policy.

 

Thank you very much!!!

I

Terms & ConditionsAccessibility statement