VPN routes are not advertised to client.
Hi all,
My setup (in basics): I have multiple Fortigate SG60, they are in different physical locations. I configured a site-to-site IPsec VPN between the Fortigate SG60 in the DC to all sites. Which works fine (as far as I know). Let's call DC site A.
Site A:
I have a MGMT VLAN and within this VLAN multiple VMs reside. It is possible to ping from a VM in site A to site B. In other words, to ping the other side of the VPN tunnel.
I also have a dial-up VPN from my laptop to site A. Which works fine. From my laptop it is now possible to enter the MGMT network. Also it is possible to ping site B over the VPN. The routes are advertised. So far so good.
Now the problem: I recently added site C. A new Fortigate in a different physical location. IPsec site-to-site works fine. Also it is possible to ping site C from a VM in the mgmt network in site A. What is not possible: to ping site C from my laptop (that is connected with the dial-up VPN). For some reason the routes to this site are not advertised by the Fortigate. When I start a traceroute from my laptop it just tries to find site C on the public internet...
I added the same firewall rules and static routes as for site B (which is accessible from my laptop).
Now my question to you: does anyone have an idea what could be wrong? What kind of information (configs, tests, idk) would you like to see in order to get a grasp of the problem?
If someone has a clue please share it with me!
Kind regards,
Kasper
