SSL VPN to local lan issues

Forum|Forum|2 years ago
October 17, 2023
2 replies
1731 views

I have the SSL VPN configured and am connecting in to my local lan. I get an ip assigned 192.168.10.10 with my tunnel interface and my local lan i have a machine that is on 192.168.10.11. when connected to the vpn the machine on the local lan can ping my tunnel ip at 192.168.10.10 from 192.168.10.11 however my tunnel'd machine cannot ping the 192.168.10.11 box. if i unplug that machine and connect directly to the lan without the vpn tunnel. my machine gets the 192.168.10.10 address again and the two can ping back and fourth. I have a rule in place for policy object ssl.root (Tunnel) to destination LAN allow all. doesnt seem to take. On the lan connected howst 192.168.10.11, I dont see the traffic ever get there with a tcpdump. so something is keeping the traffic from anything on the 192.168.10.0/24 network when connected over ssl-vpn. Help would be appreciated. Using a Fortigate 50E

FortiGate

dbu

Staff

HI @tomcat7810 ,

Can you ping the default gateway from PC 192.168.10.11?

tomcat7810Author

New Member

Yes and that ping goes through without issues.

dbu

Staff

Is NAT disabled on the policy ?

Can you take 'diag sniffer packet' from Fortigate in order to see what is happening with those packets, when user is connected through vpn (assigned ip 192.168.10.10) and tries to ping the 192.168.10.11.

You can also be more detailed 'diag sniffer packet ssl.root "icmp"'

tomcat7810Author

New Member

nat is disabled on the policy, when running this command "

diag sniffer packet ssl.root 'not port 443'

We can see the packets entering the ssl.root interface but when we look at the lan interface we do not see it there. it seems to never leave the ssl.root interface to get to the lan. We see syn packets on the ssl.root interface but nothing ever leaves that interface from what I can tell.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded