VPN User Can Ping VLAN Gateway but Cannot Reach Servers Behind FortiGate

Question

Network ScenarioI have a router that terminates VPN connections and a FortiGate firewall behind it. Behind the FortiGate, an internal VLAN contains multiple servers.VPN users can successfully connect to the router-based VPN and get an IP address. After connecting, the user can ping the VLAN gateway interface on the FortiGate, but cannot ping or SSH to the actual servers inside that VLAN.Current ConfigurationOn the Router:Static route added for the internal server network pointing to the FortiGate.On the FortiGate:IPv4 policy created to allow traffic from the VPN subnet to the server subnet.NAT is disabled.Problem DescriptionVPN users can reach the FortiGate VLAN interface IP (gateway).VPN users cannot ping or SSH to any individual servers in that VLAN (request timed out).What I’m Trying to UnderstandCould this be a return path issue from the servers?Do I need additional static routes on the FortiGate or on the servers’ gateway?Question to CommunityWhat configuration is typically required in this type of setup so VPN users can reach servers behind the FortiGate when VPN terminates on an upstream router?

funkylicious · Answer

you can confirm that the traffic from VPN client reaches a server via wireshark or tcpdump ?

on them, if you have a default gateway ( 0.0.0.0/0 ) towards the FGT VLAN interface, it should be enough.

on the FGT you need to have a return traffic/route towards the router VPN for the subnets.

you need to confirm that when connecting to the VPN the client receives either specific IPs or subnets to access ( if not full tunnel is enabled ) .

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded