gstefou
Explorer
January 23, 2025
Question

Unable to access LAN Using IPSec while connected to the Guest WiFi

I'm having an issue with devices accessing internal network equipment using IPSec VPN while connected to the Guest WiFi of the same Firewall we're trying to remote into.

Some details about the setup: we have a firewall in place and we're broadcasting LAN and Guest WiFi SSIDs.

The Guest WiFi is isolated and can only reach the internet, with some web filtering and SSL inspection.

Devices that are connected to the Guest WiFi cannot communicate with the LAN network; this is set up by a Firewall policy.

Dialup IPSec VPN has been set up so the remote users can access a specific server on the internal network (LAN).

This is working like a charm when we're using a mobile hotspot or another ISP connection outside the office's building.

The problem is when we're at the office: we have some personal devices that we have to connect to the Guest WiFi for security purposes, and although we're able to establish a connection using our Dialup IPSec VPN, our computers cannot reach the specified server on the internal network.

Looking at the logs, we found that the traffic is directed through the Guest WiFi instead of the IPSec VPN Tunnel.

We have tried the same setup on multiple FortiOS versions from 7.2 all the way up to the latest.

On the client side, we're using FortiClientVPN on the latest version. We have also tried a couple of versions back.

Is there anyone experiencing the same issue?

Any thoughts on what could be going wrong?

!Disclaimer! I know we can put a firewall policy in place to allow access from the Guest WiFi to the server on the internal network, but that's a serious security vulnerability.

srajeswaran
Staff
January 23, 2025

On your VPN setup, which route are you pushing to clients? Are you pushing a specific route for the protected resource, or a default route to force all traffic to go via the VPN (dst-subnet under config vpn ipsec phase2-interface)?

You mentioned the logs indicating traffic coming via Guest WiFi instead of DVPN; most likely, with the same route active on both, the system is using the WiFi route instead of the tunnel route.

gstefou (Author)
Explorer
January 23, 2025

The dst-subnet on ipsec phase2-interface is 0.0.0.0/0.0.0.0.

Do you think we have to set this statically to point at the internal network subnet?

srajeswaran
Staff
January 23, 2025

Yes, 0.0.0.0 means the client is getting another default route. Change to a specific subnet for the protected resource and then test the connection.

AEK
SuperUser
January 23, 2025

It looks like a routing issue on your client host.

There is probably a route on your guest client that is forwarding traffic destined to your server through the WiFi's gateway.

AEK
gstefou (Author)
Explorer
January 24, 2025

AEK,

I tried the same on another laptop I had with the exact same setup and it was having the same problem again.

You are right, all the traffic from the computers for some reason gets forwarded from the Guest WiFi gateway. 

I looked at the route table on both of the computers and I saw that the VPN tunnel creates the routing rules properly with the appropriate metrics.

For instance, a rule has been created for the internal server IP, using the correct gateway and with a metric of 1.

From what I know, that means this routing rule gets the highest priority, correct?
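As an added illustration (not part of any post in this thread): a small Python model of how a client host picks a route for a destination, using constructed route entries. Longest prefix match is evaluated first and the metric only decides between routes with the same prefix length, so a /32 host route pushed by the tunnel beats the guest WiFi default route regardless of metric, while a second 0.0.0.0/0 route from a full-tunnel dst-subnet competes with the WiFi default route on metric alone. All addresses, interface names and metrics are constructed for the example.

```python
import ipaddress

# Constructed route entries (destination, gateway, interface, metric) for a laptop on
# the guest SSID with the dial-up IPsec tunnel up. Values are illustrative only.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0",      "10.99.0.1",    "Guest-WiFi",      35),  # default route from guest DHCP
    ("10.99.0.0/24",   "on-link",      "Guest-WiFi",      291),
    ("172.17.1.10/32", "10.212.134.1", "FortiClient-VPN", 1),   # host routes pushed by the tunnel
    ("172.17.1.20/32", "10.212.134.1", "FortiClient-VPN", 1),
]

# Same host, but a phase2 dst-subnet of 0.0.0.0/0 pushes a second default route instead.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0",    "10.99.0.1",    "Guest-WiFi",      35),
    ("0.0.0.0/0",    "10.212.134.1", "FortiClient-VPN", 50),   # loses on metric alone
    ("10.99.0.0/24", "on-link",      "Guest-WiFi",      291),
]

def select_route(dst, routes):
    """Return (gateway, interface) the host would use for dst, or None.

    Longest prefix wins first; metric (lower is better) only breaks ties
    between candidates with the same prefix length.
    """
    addr = ipaddress.ip_address(dst)
    best_key, best = None, None
    for net, gw, ifname, metric in routes:
        network = ipaddress.ip_network(net)
        if addr not in network:
            continue
        key = (network.prefixlen, -metric)   # higher tuple == more preferred
        if best_key is None or key > best_key:
            best_key, best = key, (gw, ifname)
    return best

def egress_interface(dst, routes):
    """Which interface name carries traffic to dst under the given table."""
    chosen = select_route(dst, routes)
    return chosen[1] if chosen else None

if __name__ == "__main__":
    for dst in ("172.17.1.10", "172.17.1.30", "8.8.8.8"):
        print(dst, "->", egress_interface(dst, SPLIT_TUNNEL_ROUTES), "(split tunnel)")
        print(dst, "->", egress_interface(dst, FULL_TUNNEL_ROUTES), "(full tunnel)")
```

Comparing the output for the two tables against the real `route print` (Windows) or `netstat -rn` output on the affected laptop shows whether the host itself is choosing the WiFi path, which is the point AEK raises above.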

AEK
SuperUser
January 25, 2025

Hi gstefou,

If you share the routing table maybe we can help. You can hide sensitive IP addresses if any.

AEK
Ion_24
New Member
January 24, 2025

Hi,
You must create a policy to allow traffic from the VPN interface to the LAN interface.

Example:

config firewall ippool
    edit "VPN-NAT-LAN"
        set type overload
        set startip 172.16.5.59
        set endip 172.16.5.59
    next
end

config firewall policy
    edit 5
        set name "vpn_VPN_to_LAN"
        set srcintf "VPN_Tunnel Interface"
        set dstintf "internal1(LAN)"
        set action accept
        set srcaddr "VPN_Tunnel Interface(Subnet 192.168.100.1/24)"
        set dstaddr "LAN (subnet 172.16.0.0/18)"
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "VPN-NAT-LAN"
        set comments "VPN: VPN access to LAN Interface"
    next
end

I think this will help you!

gstefou (Author)
Explorer
January 24, 2025

Hello,

The policy from the VPN to LAN has been in place since we configured the VPN.

Everything is working properly when we're using our mobile hotspot or any other network connection except the Guest Network of the Firewall.

AEK
SuperUser
January 27, 2025

I guess 172.17.1.0 is the remote network which you are trying to access.

On the routing table I see only three hosts in this network (.1, .10 and .20) that are forwarded through the tunnel.

So you confirm your traffic to these three specific hosts is sent to the default gateway instead of being forwarded through the tunnel, right? Is this confirmed by a diag sniffer command on your FGT?

AEK
gstefou
gstefou (Author)
January 27, 2025

Yes, that is what's happening.

We have confirmed it with diag sniffer commands on the Firewall.

AEK
SuperUser
January 27, 2025

I remember one day I noticed the same behavior with FortiClient 7.4.0 (licensed version), but I didn't investigate more since the VPN was not needed when we were in local network.

So is it possible that FortiClient somehow disables the VPN interface when it knows that it is directly connected to FortiGate? I hope some more experienced user can inform us on this behavior.

AEK
gstefou
gstefou (Author)
January 27, 2025

We're using FortiClientVPN (Free version) 7.4.2 (latest version) at the remote endpoint.

If any experienced user can provide some clarity on the case, that would be wonderful.

vvtyukay
New Member
January 11, 2026

Did you solve this problem? We have pretty much the same situation.

gstefou
gstefou (Author)
January 12, 2026

After communicating with Fortinet TAC we have been told that it's built by design to work like that. The problem in this case is that there isn't any policy allowing traffic from the Guest Wi-Fi to the desired LAN devices.

When your device is connected to the Guest Wi-Fi network of the same Firewall you're trying to VPN into, all the traffic gets filtered by the local Firewall Policy instead of the VPN Policies you have created.

I have noticed that some Apple computers are not falling under that rule; I guess it has to do with the NIC behavior of the Apple computers. Can't really explain that. It was an unusual request for us, so we just accepted that this shouldn't and will not work.

An idea that may work for you: create a new separate Wi-Fi SSID with a strong passphrase that allows traffic to the desired LAN devices ONLY (maybe add the WAN zone too, so they can access the internet) and have the end users connect their device(s) there. This way you will have a separated Wi-Fi where you can control the devices connected to it, plus the internal network devices they will have access to.