Fortinet Forum
theo_smith
New Contributor

FortiClient VPN android traffic not routing through SSL VPN

Hi everyone,

We have a FortiGate VM set up for a client, on which I have set up an SSL VPN for them to update some tablets which need to connect to a program they have running on their server.

The VPN connects without a problem, but once connected the traffic on the tablet does not route through the VPN.

I was thinking of a problem with the config on the FortiClient, but having tested it on a Samsung S10 the same thing happens: VPN connected but no traffic through it.

Is there a setting I may have missed somewhere in the SSL-VPN settings on the FortiGate?

Thanks for your time.

7 REPLIES
brycemd
Contributor II

Well, it could be a number of factors.

1. Did you set up an IPv4 policy to allow traffic from sslvpn to the LAN interface?

2. Does the program require internal DNS resolution? Did you set an internal DNS server?

3. Did you set the client routing in the SSL VPN Portal so the client knows what subnets to route (if it's split tunnel)?

theo_smith

Hey, thanks for the reply.

1 - Yep, I have a policy set up to allow it on the LAN interface.

2 - The program requires no DNS resolution; it's going straight to the internal IP of the server.

3 - Split tunneling is deactivated, as the tablet only needs to connect for 2 mins to update the DB of the program and then can be disconnected from the VPN.

So I just thought I would send it all through the VPN, since internet access will not be needed while connected to the VPN.

brycemd

The only other thing I can think of would be verifying the client is getting a valid IP while connected.

Beyond that I'll need some screenshots/output of the config.

theo_smith

The client is getting an IP from the IP range I set up for the VPN.

I'm quite new with the FortiGate. I'm guessing there is a CLI from which I can get the output; otherwise I can grab some screens. What would you need? I'm guessing screens of the policies and SSL settings.

I'll post them tomorrow, thanks for the help.

brycemd

Yeah, screens of the SSL settings, SSL Portal, and IPv4 policies.

theo_smith

Hey, sorry for getting back so late, had some work Friday.

So here are the screenshots:

(GIMI is the name of the program/server)

The IPv4 policy letting the VPN IP range access the server subnet:

SSL settings:

Portal settings:

brycemd

Everything I see seems correct. The only things I guess I can think of, just because I can't see it, are to verify the interfaces on the IPv4 policy are ssl.root to the correct interface the server is on.

As well, verify in the SSL Settings that the group VPN_GIMI is assigned to the correct portal.

Edit - I guess just for the sake of verifying everything: what are the objects SSL_ACCESS and GIMI_RANGE_SSL_VPN for? Based on the SSL Settings it's assigning IPs based on the default object SSLVPN_TUNNEL_ADDR1.

Actually, thinking about it a bit more, that may be the problem. If you remove SSL_ACCESS from the IP Pools (or remove the default one and add SSL_ACCESS to the IPv4 policy) it should work.
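Pulling the checks from this thread into one place: the FortiOS CLI fragment below is an added example, not configuration from the original posts or from Fortinet. It shows the three pieces brycemd asked about (a tunnel-mode portal, the SSL settings that map the VPN_GIMI group to that portal with a single IP pool, and the ssl.root-to-LAN firewall policy), plus the CLI commands that confirm the assigned tunnel address and whether the tablet's packets are matched by a policy. The names SSLVPN_TUNNEL_ADDR1, VPN_GIMI and ssl.root are from the thread; the interface names wan1 and lan, the address object GIMI_SERVER_SUBNET, the portal name gimi-tunnel, policy ID 10 and the tunnel client address 10.212.134.200 are assumptions for the example. The consistency check from the last reply is the important one: the pool the portal hands out and the srcaddr in the policy must be the same object, otherwise a client that receives an address from a second pool connects fine but every packet it sends is dropped by the implicit deny.

```fortios
# Added example, not the poster's config. Assumed names: wan1, lan,
# GIMI_SERVER_SUBNET, portal "gimi-tunnel", policy 10, client 10.212.134.200.

# Destination subnet the tablets need to reach (assumed object name)
config firewall address
    edit "GIMI_SERVER_SUBNET"
        set subnet 192.168.10.0 255.255.255.0   # constructed sample subnet
    next
end

# Portal: tunnel mode, full tunnel (no split tunneling, as in the thread)
config vpn ssl web portal
    edit "gimi-tunnel"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"   # the ONLY pool the clients get addresses from
        set split-tunneling disable
    next
end

# SSL VPN settings: one pool, and the VPN_GIMI group mapped to the portal above
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"   # keep this list to the pool(s) the policy below names
    set default-portal "gimi-tunnel"
    config authentication-rule
        edit 1
            set groups "VPN_GIMI"
            set portal "gimi-tunnel"
        next
    end
end

# Firewall policy: ssl.root -> LAN, source = the same pool object the portal assigns
config firewall policy
    edit 10
        set name "sslvpn-to-gimi"
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"   # must match the pool, or traffic hits the implicit deny
        set dstaddr "GIMI_SERVER_SUBNET"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN_GIMI"
        set nat disable
        set logtraffic all                 # log matches so a missing policy is visible in Forward Traffic
    next
end

# Verification from the CLI once a tablet is connected
get vpn ssl monitor                                 # lists logged-in users and the tunnel IP each received
diagnose debug flow filter addr 10.212.134.200      # tunnel IP of the tablet (assumed value)
diagnose debug flow trace start 10
diagnose debug enable
# generate traffic from the tablet, then read the trace:
#   "Allowed by Policy-10"                 -> policy matched, look at the server side
#   "Denied by forward policy check"       -> no policy matched: compare srcaddr with the assigned pool
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

If `get vpn ssl monitor` shows the tablet with an address outside SSLVPN_TUNNEL_ADDR1 (for instance one from SSL_ACCESS), the flow trace will report the forward-policy deny even though the rest of the configuration looks right; removing the extra pool from the SSL settings, or adding that object to the policy's srcaddr, is the fix the last reply describes.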