Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cglobal71
New Contributor

Access Multiple network throught IPSEC VPN forticlient

Hello,

 

I have a question, can I access to multiple network throught IPSEC VPN forticlient. There is the schéma infrastructure:

 

LAN A --------------FGT A----------------VPN IPSEC site to site--------------------------FGT B-----------------LAN B

192.168.1.X/24       192.168.1.1                                                                 192.168.2.1               192.168.2.X/24

                                 |

                                 |

                                 |

                                 |

                          IPSEC VPN Forticlient

                          192.168.3.x/24

 

VPN site to site working normally

When I am connected to VPN Forticlient with IP address 192.168.3.10 (For Example), I have access to network 192.168.1.0/X,

but i have no access to network 192.168.2.X/24.

I try to have somes policies, routes, etc.., still not working.

 

Any ideas on the question

 

10 REPLIES 10
Toshi_Esumi
Esteemed Contributor III

There are many posts for similar situations, vpn to vpn, hub and spokes, etc. in the forum you can search. FortiClient wouldn't make much difference. In the end, all come down to three key issues: 1) phase2 network selectors, 2) routing over the tunnels, and 3) FW policies, at each node.

If you're confident about these, what you need to do is sniffing and "flow" debugging at each FGT. But almost sure you're missing one or two in the thee keys.

jorge_americo
Contributor

On the workstation with forticlient as this is the routing table? In the second phase of ipsec, which network did you define?

NSE-4

NSE-4
hubertzw
Contributor III

It wasn't in your post but you connect to FG-A, right? Does the phase 2 include both subnets: 192.168.1.0/24 and 192.168.2.0/24? Do you have a policy for remote users who connect FG-A and then connect via s-2-s tunnel to location B?

Cglobal71

I Can connect to FG-A. No phase 2 not include subnet 192.168.2.0/24. I can't and this network on GUI. I must use CLI?

hubertzw

Can you show your config? There are too many settings to guess:

- split horizon - do you have this feature on?

- is there any firewall policy for user from SSL.root (or any vdom you have) to the IPsec interface?

As Toshi Esumi said in previous post you are missing one of these mandatory components (or more):

a) phase 2 selectors (you will not get the route for 192.168.2.0/24),

b) firewall policies on both end (FG-A and FG-B),

c) routing - I think the routing on FG-A should be fine but make sure on site B they know how to send traffic back, based on your source IP

sw2090
Honored Contributor

You could do the way I do here:

 

- I have a site2site IPSEC vom HQ to Shop

- Phase2 selector is on 0.0.0.0/0.0.0.0 (that's the FGTs default btw)

- Client here uses HQ FGT as default Gateway

- then you do not need split tunneling or routes on the client (execpt from the default route)

- HQ FGT has routes to Shop Subnets and Shop FGT has a route back to HQ Subnet(s) that need to access the SHop subnets.

- both FGT have Policies to allow the traffic as needed. 

 

works fine here.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
ede_pfau
Esteemed Contributor III

If you put the default route on HQ all of your traffic goes to HQ. That has disadvantages:

- for internet access, an additional policy in HQ is needed

- you cannot use your local LAN anymore, e.g. printer or NAS

 

So, rather enable "split tunneling" on the FC and define the routes to 192.168.1 and 192.168.2. This will take care of the routing on the client. @Toshi has already mentioned the other prerequisites.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
sw2090
Honored Contributor

@Ede: yes it does but for clients that reside at HQ it has to do so anyways so don't matter as the FGT does HQ's Internet and all other traffic too ;) And yes clients at HQ can still use HQ LAN then ;)

As long as you don't produce overlapping subnets you will always be able to use your local lan because local lan traffic does not use the default route but the net route over your lan interface ;)

 

I do use split tunneling on our dial up Ipsec indeed because I don't want internet traffic to go to HQ there ;)

It depemds on pur network architecture and use cases what is the best for you to use anyways...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
iorlov
New Contributor

Hi all

 

Cglobal71, if you are still looking for a solution, you'll need to specify a group of networks (because only a single selection is possible under this option) you want to access through a VPN client in your IPsec policy under 'Accessible networks", and then customize your firewall policy related to this IPsec connection like this:

 

incoming interface: 'your vpn interface' (already specified by wizard)

outgoing interface: 'any' (you can specify 'any' only through CLI)

source: 'your vpn-range' (already specified by wizard)

destination: 'a group of networks you want to access' (the same group you specified in IPsec policy)

 

You can use NAT or not.

 

So that's all you'll need to change. But before customizing check if you are able to connect with a forticlient using your tunnel, because if it doesn't work from the start, you'll never make it work in the future.

 

Best regards

 

Labels
Top Kudoed Authors