harrydeko
New Member
January 17, 2020
Question

Site to Site VPN combined with VPN client


Hi, I do not know if anyone has tried this, or whether I'm implementing this wrong;

I have a customer with 2 sites with 2 Fortigates, connected with a site-to-site IPSec VPN connection.

 

At the office:

At site A I have a Domain Controller, users can access data on site B, everyone at the office is happy.

At site B I have a Domain Controller, users can access data on site A, everyone at the office is happy.

 

Now users who are outside the buildings:

What we want is that a user who connects remotely to site A (using the VPN client on a Windows system) can access data at site B.

For now they disconnect from site A and connect to site B, but can this be done without that step?

 

I hope you understand what I mean by this.

 

I've already searched these forums in the hope of finding anyone with the same setup, but I am not able to find any cases.

    4 replies

    ernest_louie
    New Member
    March 9, 2020

    Hi Harry - I also have a very similar (almost exact) issue to what you are describing. Sites A, B and C are set up as a hub/spoke VPN configuration (I believe), Site-A being the hub and Site-B and Site-C the spokes. FortiClients remote into Site-A. These FortiClients can access resources (servers) in Site-A as well as Site-B; however, they can NOT currently access the resources in Site-C. So, what you are trying to do is done in this network. However, I also need these users to be able to access the server in Site-C. This issue only occurs with my remote (FortiClient) users. The local users (on the LAN segment) at Site-A and Site-B can access the server in Site-C.

    I am currently trying to figure this out for my client as well. I am currently trying to understand the behavior when the FortiClient remotes into each site, before I take any action. The FortiClients are on a different IP subnet (ex: 172.16.x.y/24) from the internal/LAN employees (192.168.x.y/24), so I will need to debug how the "good" case works (find out which policies are being used) and apply similar policies/routes at Site-C and Site-A... at least this is my approach to finding out how it works between Site-A and Site-B. I will continue to monitor and post if I find anything. Good luck.

     

    sw2090
    SuperUser
    March 9, 2020

    Side A and side B must have static routes to each other and to the VPN subnet (on side B with the FGT on side A as the gateway).

    Then you need policies to allow the traffic.

    I'd also recommend enabling split tunneling on the dial-in VPN, because without it the complete internet traffic of the client will go through side A.
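The three pieces the reply above lists (a route to the remote LAN, a return route for the dial-up subnet on the far side, and policies on both firewalls) as one FortiOS CLI configuration. This is an added example, not configuration posted by anyone in this thread or taken from Fortinet documentation; the subnets (dial-up clients 172.16.100.0/24, site B LAN 192.168.2.0/24), the tunnel interface names ("dialup_vpn", "to_siteB", "to_siteA"), the LAN interface name "internal" and the address object names are all assumed for illustration.

```fortios
# ---------- Site A (hub: terminates the dial-up clients) ----------
# Address objects assumed for this example.
config firewall address
    edit "dialup_clients"
        set subnet 172.16.100.0 255.255.255.0
    next
    edit "siteB_lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Route site B's LAN into the site-to-site tunnel ("edit 0" takes the next free ID).
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to_siteB"
    next
end

# Allow dial-up clients to cross from the dial-up tunnel into the site-to-site tunnel.
config firewall policy
    edit 0
        set name "dialup_to_siteB"
        set srcintf "dialup_vpn"
        set dstintf "to_siteB"
        set srcaddr "dialup_clients"
        set dstaddr "siteB_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Split tunneling on the dial-up phase 1: only the listed destinations go through
# the client tunnel, so the client's general internet traffic stays local.
# In practice the split-include object is an address group holding both LANs.
config vpn ipsec phase1-interface
    edit "dialup_vpn"
        set mode-cfg enable
        set ipv4-split-include "siteB_lan"
    next
end

# ---------- Site B (spoke) ----------
config firewall address
    edit "dialup_clients"
        set subnet 172.16.100.0 255.255.255.0
    next
    edit "siteB_lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Return route: the dial-up subnet lives behind site A, so send it back into the tunnel.
# Without this route, replies follow site B's default route and the session never completes.
config router static
    edit 0
        set dst 172.16.100.0 255.255.255.0
        set device "to_siteA"
    next
end

# Policy from the site-to-site tunnel to the LAN for the dial-up source range.
config firewall policy
    edit 0
        set name "siteA_dialup_to_lan"
        set srcintf "to_siteA"
        set dstintf "internal"
        set srcaddr "dialup_clients"
        set dstaddr "siteB_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two checks worth doing when this still fails: the phase 2 selectors of the site-to-site tunnel on both FortiGates must include the dial-up subnet (or be 0.0.0.0/0), otherwise packets sourced from 172.16.100.0/24 are dropped before they are encrypted even though route and policy exist; and `diagnose sniffer packet` on the tunnel interface at site B shows whether the request arrives and whether a reply leaves through the same interface, which separates a missing return route from a missing policy.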

    ernest_louie
    New Member
    March 9, 2020

    Hi sw2090 - Thanks for your insight on this issue.  I have reviewed my configuration and I believe you are correct regarding a return route back to the Remote VPN subnet.  I have identified that I don't have a static route at site-C, so I will implement that tonight or tomorrow and post the results.  Again thanks!

     

    minh2
    New Member
    April 12, 2023

    I also have the same problem. I tried many ways to route, but it still doesn't work; maybe I'm not doing it right. Can anyone help me?

    minh2
    New Member
    April 12, 2023

    In the static route:

    destination: 0.0.0.0/0.0.0.0

    gateway: 0.0.0.0

    interface: tunnel vpn site to site

    gogomarkni
    New Member
    March 26, 2025

    Several years later, has someone solved this issue?

    I have one site-to-site VPN connecting site A and site B,

    and outside users use SSL VPN to connect to site A, and both site A and site B could be accessed fine.

    But after the FortiGate update to 7.6, the SSL VPN feature was no longer supported.

    I changed to using FortiClient (with IPsec) to replace SSL VPN, but similar to the situation above, FortiClient can only access site A and cannot reach site B, even though I added static routes and firewall policies on both FortiGate firewalls.

       

    Paz
    Visitor III
    June 25, 2025

    Yes, I was having the same problems. But I have managed to solve the issue today.
    This website was perfect:

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPsec-traffic-forwarding-to-site-to-site/ta-p/192062