FortiGate
Author: jera (Staff)
Article Id 355586
Description This article describes an issue where a user connected to the IPsec VPN (FortiClient Remote Access) is unable to reach a remote subnet because the user group is configured redundantly, in both the IPsec phase 1 and the firewall policy.
Scope FortiGate.
Solution

There are two ways to configure a user group in a Remote Access dial-up connection.

1. Inherit from policy. In this method, the user group is configured under the IPsec dial-up firewall policy. The advantage of this method is that it allows the administrator to set multiple user groups for a single traffic flow or policy.

IPsec Phase 1 Configuration:

[Screenshot: IPsec phase 1 configuration (method 1, user group inherited from policy)]

Firewall Policy Configuration:

[Screenshot: firewall policy configuration with the user group(s) set on the policy]

2. Configure the user group under the IPsec VPN phase 1 configuration. With this method, only one group can be configured, and no user group needs to be configured under the firewall policy.

IPsec Phase 1 Configuration:

[Screenshot: IPsec phase 1 configuration (method 2, single user group set on phase 1)]

Firewall Policy Configuration:

[Screenshot: firewall policy configuration with no user group set on the policy]

 

A problem arises when the user group is defined in both the firewall policy and the IPsec phase 1 configuration: the IPsec traffic will not match the intended policy and will hit the implicit deny policy instead.
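As an added illustration, not configuration taken from the article or from Fortinet, the following FortiOS CLI shows where the user group sits in each of the two methods above, followed by a quick check that it appears in only one place. The object names (RA-VPN, VPN-Users, VPN-Admins, LAN-subnet, wan1, port2), the address ranges, the policy ID and the mapping of the GUI option "Inherit from policy" to an unset authusrgrp are assumptions.

```fortios
# Added example, not from the article. All names, addresses and the policy ID are assumptions.

# Method 1 - "Inherit from policy": phase 1 carries no group, the policy carries one or more.
config vpn ipsec phase1-interface
    edit "RA-VPN"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set xauthtype auto
        # authusrgrp deliberately left unset (assumed to correspond to "Inherit from policy" in the GUI)
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.210
        set ipv4-split-include "LAN-subnet"
        set psksecret PLACEHOLDER-PSK
    next
end
config firewall policy
    edit 10
        set name "RA-VPN-to-LAN"
        set srcintf "RA-VPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "LAN-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        # several groups are allowed on the policy with this method
        set groups "VPN-Users" "VPN-Admins"
    next
end

# Method 2 - group on phase 1 only: exactly one group, and the policy carries none.
config vpn ipsec phase1-interface
    edit "RA-VPN"
        set authusrgrp "VPN-Users"
    next
end
config firewall policy
    edit 10
        unset groups
        unset users
    next
end

# Check: exactly one of these two commands should return a matching line.
# If both return a line, the group is defined in both places and dial-up traffic
# will fall through to the implicit deny policy as described in this article.
show vpn ipsec phase1-interface RA-VPN | grep authusrgrp
show firewall policy 10 | grep -i groups
```

Apply only one of the two method blocks; they are shown together to make the contrast visible. The two show commands at the end are the check to run before closing a ticket on this symptom.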

 

To diagnose the issue, run the following debug flow commands on the FortiGate:

 

diagnose debug flow filter saddr X.X.X.X <----- Specify the VPN IP assigned to the user.
diagnose debug flow filter daddr Y.Y.Y.Y <----- Resource on remote LAN.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 500

 

The debug flow output will look like this:

[Screenshot: debug flow output showing the dial-up traffic hitting the implicit deny policy]

 

To fix the issue, follow the guidelines above and configure the user group in either the phase 1 configuration or the firewall policy, not in both.