Description
This article describes how to allow one dialup IPsec VPN client to communicate with another dialup IPsec VPN client.
Solution
The requirement to allow communication between two dialup IPsec clients is rare. In that scenario, it can be achieved with the following four steps:
1) Configure the dialup IPsec VPN as per the following link: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/589121/ipsec-vpn-with-forticlient
2) Change the subnet mask of the IPsec client IP range from the default /32 (255.255.255.255) to /24 or /16.
3) Under split tunnel, go to Accessible network and add the clients' IP range as an address of type subnet (/16 or /24). Without the subnet type, the range cannot be pushed to the clients as a route.
For this, create a new address object of the subnet type, for example 10.10.10.0/24 (where 10.10.10.0/24 is the client IP range).
Add it to the address group used as the accessible network (in this example: dailup_split).
4) Finally, configure an IPv4 policy with the same address as source and destination and the same VPN virtual interface as both incoming and outgoing interface.
Example: Policy and Object -> IPv4 policy, then select 'Create New'.
The clients can then communicate with each other; this can be verified with simple tests: a ping between the clients, the packet sniffer and the debug flow.
It is also very important to remember: do not use an IP range as the split-tunnel address for dialup clients; create a new firewall address of the subnet type and add it to the address group of the split tunnel.
If a subnet is not used, the route will not be added on the dialup clients.
Check the routing table on the clients to verify that the route has been added.
The difference between the two cases is visible in the clients' routing table.
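The four steps and the verification above in FortiOS CLI form, as an added example that is not part of the original article. The names wan1, dialup, vpn_users, internal_net and dialup_clients and the 10.10.10.0/24 client range are assumed; the group name dailup_split follows the article.

```fortios
# Added example, not the article's own config: FortiOS CLI form of the four steps.
# Assumed names: wan1, dialup, vpn_users, internal_net, dialup_clients; the group
# dailup_split and the 10.10.10.0/24 client range follow the article.
# Steps 1-2: dialup phase1 with mode-config; client mask /24, not the default /32.
config vpn ipsec phase1-interface
    edit "dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set xauthtype auto
        set authusrgrp "vpn_users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "dailup_split"
        set psksecret <PLACEHOLDER_PSK>
    next
end
# Step 3: client range as a subnet object (not an IP range) in the split-tunnel
# group, so it is pushed to every client as a route.
config firewall address
    edit "dialup_clients"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "dailup_split"
        set member "internal_net" "dialup_clients"
    next
end
# Step 4: hairpin policy, same VPN interface and same address on both sides.
config firewall policy
    edit 0
        set name "dialup-to-dialup"
        set srcintf "dialup"
        set dstintf "dialup"
        set srcaddr "dialup_clients"
        set dstaddr "dialup_clients"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Verify: sniff client-to-client ICMP, then trace it through the policy lookup.
diagnose sniffer packet any 'host 10.10.10.2 and icmp' 4
diagnose debug flow filter addr 10.10.10.2
diagnose debug flow trace start 10
diagnose debug enable
```

The debug flow output should show the packet matching the dialup-to-dialup policy; if it is dropped with no matching policy, the address object was created as an IP range rather than a subnet, or the policy does not use the VPN interface on both sides.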
Technical Tip: Enable split-tunnel For IPsec VPN
Technical Tip: Enabling split tunnel feature for SSL VPN
Technical Tip: How to perform routing between SSLVPN Clients
Technical Tip: Forward traffic originating from SSLVPN into IPsec tunnel