Digerati
New Member
February 11, 2011
Question

VPN to Multiple Vlans

  • February 11, 2011
  • 4 replies
  • 5375 views
Hi, and thanks for any replies. I have a FortiGate configured with multiple tagged VLANs on the internal interface. So far any user on any VLAN can communicate with the internet, no problem. I have configured a PPTP VPN to one of the VLANs, but how can I configure routing to allow the VPN user to reach any VLAN interface? If I do a "route add" on the VPN PC I can get to the VLANs, but how do I configure it so the user does not have to add manual routes?

    Vlan(10) 10.243.30.0/24 ->|
    Vlan(20) 10.242.57.0/24 ->|-> internal -> Wan1
    Vlan(30) 10.212.67.0/24 ->|

Thanks

    4 replies

    ede_pfau
    SuperUser
    February 11, 2011
    Hi, AFAIK there is no routing table for a PPTP connection. Just the one route for the destination network. You could either supernet all VLANs (i.e. target network is 10.212.0.0/12), which is awkward, or use client-side routes (if connecting to VLAN10, then 'VLAN20 is routed via 10.243.30.1 (= FG)' and similar for VLAN30).
    Digerati (Author)
    New Member
    February 11, 2011
    Thanks Ede. So will IPsec work then, if I add RIP to the VLANs with FW rules for each VLAN to VPN and VPN to VLAN?
    ede_pfau
    SuperUser
    February 11, 2011
    That could be a way. For IPSec VPN, use the Interface mode (as opposed to policy-based VPN) when you create the tunnels. The tunnel then is just a port like other ports. You can use static routes or RIP for it. As the topology is not that dynamic I personally would go with static routes.

    There are 2 places where multiple subnets come into play:
    - the quick mode selectors in phase2
    - the policies

    For phase2, you need to define the QM selectors using address groups. You can do that from the CLI only. Would be worth a try if you can make it work with a wildcard QM, i.e. '0.0.0.0/0'. Policies are easy: you need one ACCEPT policy from 'tunnel' to 'VLANx' for each VLAN. For a dial-in VPN you don't need a static route back to the tunnel, it will be created on the fly. On the remote side, assuming you use Forticlient, enter all VLANs into the 'network behind tunnel' field. That will create the routes when the tunnel connects.
    Digerati (Author)
    New Member
    February 11, 2011
    Wow, thanks for the prompt reply. I will try that out and let you know how I make out. Just wondering, you said "That could be a way". Would you recommend something else that might be better? Thanks, Paul
    ede_pfau
    SuperUser
    February 11, 2011
    No, not at all. I was just surprised that you were able to give up the PPTP VPN so quickly. My experience with PPTP is that these few hardliners who still stick to it will never accept any excuses to switch over to IPSec. Besides, getting the 'multi-subnet' VPN going is not that plain simple, but it's doable.
    Digerati (Author)
    New Member
    February 11, 2011
    Ah, technology changes too fast to be stubborn. Besides, it's a great reason to pitch my clients on buying the FortiClient for endpoints, yes? Thank you for the great advice.
    ede_pfau
    SuperUser
    February 11, 2011
    A valid point. Good luck with the config, and I'd love to see you back on the forum with how it went.