Khuong_Nguyen
New Contributor

Can connect to SSL VPN with FortiClient, but no access to internal network

Hi Everyone,

Currently, I am using a FortiGate 100D firewall. From another remote computer I connect to the VPN; I can connect, but I cannot access the local network.

If I use another Wi-Fi network, I can access the internal network.

When I checked the connection, I found it only reached the WAN IP of the FortiGate, without seeing the gateway IP.

Please give me a solution.

Thank you very much.

sw2090
Honored Contributor

Hm, for this we need some more info.

Did you enable split tunneling on that VPN?

If not, this will set up a second default route on your client upon dialling in successfully.

According to the metric of the default routes this may result in what you get (or not get).

Because the lowest metric serves first, traffic to your internal subnet that should go over the VPN might take the wrong way and so will not reach its destination.

If you enable split tunneling your client's default route will not be touched, and a static net route for every subnet specified in split tunneling on the FGT will be rolled out upon dialling in. This is unique then and cannot go the wrong way.

You could check this either by deleting your default routes and then setting only one up for the tunnel, or by manually adding a net route for the internal subnet on the client with the correct gateway.

I encountered this several times while setting up IPsec VPN tunnels during the last weeks, especially on Windows clients.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Toshi_Esumi
Esteemed Contributor II

In the case of split tunneling, the first thing you need to check is whether the client machine pulled the internal network prefixes into the routing table or not, in order to isolate the issue to either the FGT side or the client side. On Windows, "route print"; on Mac, "netstat -nr".
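The two replies above describe the same check from both ends: look at the client's routing table after dial-in, count the default routes and their metrics, and see whether a route for the office prefix points at the tunnel adapter. The script below is an added example (not from the original thread or from Fortinet) that parses the IPv4 section of Windows "route print" output and reports those findings. Both route tables are constructed samples: 192.168.1.0/24 is assumed to be the client's local Wi-Fi, 10.212.134.200 the assumed SSL VPN tunnel address, and 192.168.10.0/24 the assumed office LAN behind the FortiGate.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed "route print" sample: no split tunneling, so the VPN added a
# second default route, but with a worse metric than the Wi-Fi default.
# Traffic for the office LAN therefore leaves via Wi-Fi and never reaches it.
ROUTE_PRINT_NO_SPLIT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
          0.0.0.0          0.0.0.0         On-link   10.212.134.200     50
     10.212.134.200  255.255.255.255         On-link   10.212.134.200    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    291
===========================================================================
"""

# Constructed sample with split tunneling enabled: the client's default route
# is untouched and a specific route for the office prefix points at the tunnel.
ROUTE_PRINT_SPLIT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     35
     10.212.134.200  255.255.255.255         On-link   10.212.134.200    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    291
     192.168.10.0    255.255.255.0         On-link   10.212.134.200      1
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str       # next-hop IP or "On-link"
    interface: str     # IP of the local adapter the route uses
    metric: int


# One data row: destination, netmask, gateway, interface IP, metric.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the routes in a Windows 'route print' IPv4 table."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, IPv6 section
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


def default_routes(routes):
    """All 0.0.0.0/0 routes, lowest metric (the one the OS prefers) first."""
    return sorted((r for r in routes if r.network.prefixlen == 0),
                  key=lambda r: r.metric)


def best_route(routes, dest_ip):
    """Pick the route the OS would use: longest prefix, then lowest metric."""
    ip = ipaddress.IPv4Address(dest_ip)
    candidates = [r for r in routes if ip in r.network]
    candidates.sort(key=lambda r: (-r.network.prefixlen, r.metric))
    return candidates[0] if candidates else None


def diagnose(route_print_text, tunnel_ip, internal_prefix):
    """Summarise why office traffic does or does not go through the tunnel."""
    routes = parse_route_print(route_print_text)
    internal = ipaddress.IPv4Network(internal_prefix)
    sample_host = str(next(internal.hosts()))
    defaults = default_routes(routes)
    chosen = best_route(routes, sample_host)
    return {
        # split-tunnel route for the office prefix was pushed to the client
        "split_tunnel_route_present": any(
            r.network == internal and r.interface == tunnel_ip for r in routes),
        "default_route_count": len(defaults),
        "preferred_default_via_tunnel": bool(defaults) and defaults[0].interface == tunnel_ip,
        # what actually happens to a packet for a host on the office LAN
        "internal_traffic_via_tunnel": chosen is not None and chosen.interface == tunnel_ip,
    }


if __name__ == "__main__":
    for label, table in (("no split tunnel", ROUTE_PRINT_NO_SPLIT),
                         ("split tunnel", ROUTE_PRINT_SPLIT)):
        print(label, diagnose(table, "10.212.134.200", "192.168.10.0/24"))
```

Feed it the real output of `route print` (or a column-compatible `netstat -nr` dump on macOS, after adjusting the regex to that layout) and the last key tells you whether the client side is the problem before you start looking at the FortiGate.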

isamt
Contributor

The first thing you should check is that you have a rule from interface ssl.root to your LAN interface.

If you want all VPN users' traffic, including Internet browsing, to pass over the tunnel, then do not enable split tunnelling.

If you want VPN users to be able to use their local Internet line for browsing, then you will need split tunnelling.

In your case I believe the issue is that you have no policy configured to allow the VPN client access to your LAN.
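To check the FortiGate side of the point made above, you can pull the firewall policy table from the CLI (`show firewall policy`) and look for an accept policy whose source interface is ssl.root and whose destination interface is the LAN port. The script below is an added example, not code from the thread or from Fortinet: it parses a FortiOS-style `config firewall policy` block and reports whether such a policy exists. The configuration text is constructed; the interface name "internal", the address objects "SSLVPN_TUNNEL_ADDR1" and "LAN_subnet", and the policy IDs are assumptions, not values from the poster's unit.

```python
import re

# Constructed FortiOS-style CLI fragment. Policy 1 is the usual LAN-to-WAN
# rule; policy 2 is the one the reply says is missing: SSL VPN clients
# (arriving on ssl.root) allowed to reach the LAN interface.
CONFIG_SAMPLE = """\
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

# Same fragment with the SSL VPN policy removed, i.e. the poster's situation.
CONFIG_MISSING = CONFIG_SAMPLE.split("    edit 2")[0] + "end\n"

QUOTED = re.compile(r'"([^"]*)"')


def parse_policies(cfg_text):
    """Return a list of dicts, one per 'edit N' entry in config firewall policy.

    Each 'set key value...' becomes key -> list of values, so multi-interface
    lines such as 'set srcintf "ssl.root" "port2"' are kept intact.
    """
    policies, current, in_block = [], None, False
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = {"id": int(line.split()[1])}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            current[key] = QUOTED.findall(rest) or [rest]
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line == "end":
            in_block = False
    return policies


def vpn_to_lan_policies(policies, vpn_intf="ssl.root", lan_intf="internal"):
    """Accept policies that let traffic from the SSL VPN interface into the LAN."""
    return [
        p for p in policies
        if vpn_intf in p.get("srcintf", [])
        and lan_intf in p.get("dstintf", [])
        and p.get("action", ["deny"])[0] == "accept"
    ]


def has_vpn_to_lan_policy(cfg_text, vpn_intf="ssl.root", lan_intf="internal"):
    return bool(vpn_to_lan_policies(parse_policies(cfg_text), vpn_intf, lan_intf))


if __name__ == "__main__":
    print("sample config :", has_vpn_to_lan_policy(CONFIG_SAMPLE))
    print("missing policy:", has_vpn_to_lan_policy(CONFIG_MISSING))
```

Without an accept policy from ssl.root to the LAN interface the FortiGate drops the client's packets after the tunnel is up, which matches the symptom in the question: the VPN connects, but nothing on the internal network answers.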