Site2Site VPN access for remote users possible?

Question

Hi All, I'm a new Fortigate user.I just deployed a Fortigate 40F and 60F on two different sites today. I created a site-to-site IPSec VPN connection between the 2 sites. I also create a dialup (remote) VPN connection for the FortiClient on the Fortigate 40F.All these things work perfectly, however I would also like the remote users to be able to use the site-to-site VPN connection. The subnets in question are 192.168.49.0/24 on the 40F and 192.168.48.0/24 on the 60F. I would like to be able to access the 192.168.48.0/24 subnet when connecting to the 40F using the FortiClient VPN. I configured the dialup connection to use split-tunneling so only traffic to those 2 subnets go over the VPN connection. This works as expected, I see the routes in the Windows routing table: 192.168.48.0 255.255.255.0 10.10.2.3 10.10.2.2 1 192.168.49.0 255.255.255.0 10.10.2.3 10.10.2.2 1 I can access 192.168.49.0/24 just fine, but I cannot access anything on 192.168.48.0/24. I create a policy to allow traffic from the remote (dialup) VPN connection to the Site-To-Site VPN connection, but that doesn't make any difference. Is there something I am forgetting or is what I want just not possible?

ede_pfau · Accepted Answer

Hello,and welcome to the forums.Good work so far. You've got 3 routers involved, so you need 3 sets of routes as well. One on the PC with the FortiClient, one on the 40F and the third on the 60F. As each router has 2 neighbors, you will at least need 2 routes on each (more if you need to cover internet access). Imagine yourself being on each router, and ask yourself how to reach each remote network. There needs to be one route for each. For example, on the 60F, you need to reach the 40F's LAN and the PCs LAN, even if it was for reply traffic only. As the site-to-site VPN is routing properly, the 60F will be missing a route to the PC's LAN. Applying RPF (reverse path check), it will discard incoming traffic from an unknown source as long as it doesn't have a route for it. Now, if you plan to let dozens of people connect to the dial-up VPN, how do you determine their subnet addresses at home?Well, you don't have to. Configure DHCP over IPsec from a subnet you choose, assign one address from it to every host connecting, and create routes for this client subnet. (Just in case you were about to ask.)And, as a FGT is not only a router but a firewall as well, one need policies in addition to routes.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded