Hello,
I tried several VPN settings and have a lot of problems with all of them.
The requirements are many:
* Navigate through the local gateway (Split tunneling)
* Communicate from lan to remote clients
* Communicate from remote clients to lan
I have finally created a VPN for FortiClient, following the wizard, and using split tunneling.
From the fortigate, I can ping to everything.
From a remote device, I can ping a local device.
From a local device, I cannot ping a remote device.
The wizard just created a rule for me which allows traffic from VPN clients to local clients, with NAT enabled.
I created the reverse rule, to allow everything from LAN to VPN clients (using the VPN interface as the outgoing interface, and the VPN range as the destination addresses). I tried with and without NAT, just in case; still the same: pings to remote devices never return.
Any idea?
Thanks in advance.
Regards,
Damián
I meant what you already have.
I never had this case myself. I mean I do have various IPsec tunnels with dial-up FortiClient and split tunneling and several local subnets. But I never needed to communicate from local to VPN client.
To just be able to get a ping reply or so, you just need a route and policy for the direction vpn=>local subnet.
I don't need local clients to communicate with vpn clients.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Maybe I am wrong, but remote devices do not have a gateway, so the answer cannot be routed.
Orestis Nikolaidis
Network Engineer/IT Administrator
Hello and thanks,
Is there another way to accomplish the 3 requirements between a Windows device and a Fortigate?
* Navigate through the local gateway (Split tunneling)
* Communicate from lan to remote clients
* Communicate from remote clients to lan
Without split tunneling, I will have a gateway, but I will force users to access the Internet from the FortiGate, which is not desired (poor performance; I don't need users in another country coming to my router to open any web page).
With site-to-site VPNs it should work, but I don't have a FortiGate in the remote sites.
Any other idea?
Thanks,
Damián
Hello, thanks for your response.
What do you mean by "did you include the remote subnet?"?
For example, if a remote user (FortiClient user) has 192.168.50.0/24 as his local subnet, should I include this subnet? Where?
It is weird, because maybe I don't know all the subnets from which the users will connect with FortiClient.
I have included all local subnets in the split tunneling (in a group).
Also allowed everything between "VPN->Internal1" and "Internal1->VPN".
In the remote PC I got routes for the local network, using the IP on the VPN adapter, and this IP is reachable.
I will check with other VPNs maybe.
Thanks
Regards
Damián
Ok, I did not find a way to accomplish this.
I am trying now to create an L2TP+IPsec tunnel in another device (not Fortinet), inside the local network.
So, I need to forward all L2TP+IPsec traffic to the local IP.
I think I should redirect UDP ports 500, 1701 and 4500 (no problem with this).
I also need to redirect all ESP/AH protocol traffic, which I think is neither TCP nor UDP (a different protocol).
How do I redirect this protocol?
Thanks
Regards
Damián
Ok, I just realized the following:
- With the SSL VPN for FortiClient, if I disable split tunneling, it works: I can access from remote to local computers and from local to remote computers.
- I re-enable split tunneling and I stop pinging from local to remote computers; I still can ping from remote to local computers.
- I tried selecting many options in "Accessible networks", in the split tunnel section, no luck.
- It is still required to navigate through the local gateway.
Anyone know what could be happening here?
Is there another way besides split tunneling?
I appreciate any help.
Regards,
Damián
Hello,
I finally solved it by myself.
Solution:
1- Make a FortiClient VPN tunnel following the wizard (this creates an interface-based VPN)
2- Enable split tunnel during the wizard
3- Set an IP on the VPN interface (in the same subnet as the VPN clients, a different subnet from the others), through the CLI, because the interface does not show in System -> Network -> Interfaces
4- Set remote-ip on the VPN interface, also by CLI (same as the IP address)
5- The wizard creates one rule for VPN -> Internal; I needed to create the reverse rule: Internal -> VPN
6- Added a blackhole route to the VPN clients subnet with low priority
The 6th step solved the issue; with this I can access remote devices from the local network too.
With this I could accomplish my 3 requirements: access through the VPN in both directions and navigate through the local gateway.
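The CLI side of steps 3 to 6, as an added example that is not the poster's own configuration. The interface name "FCT-VPN", the LAN interface "internal1", the client pool 10.212.134.0/24, the address object "VPN_clients", the two distinct tunnel addresses and the distance value 254 for the blackhole route are all assumptions (the poster only says "low priority").

```fortios
# Added example, not the poster's config. Assumed names and addresses:
#   "FCT-VPN"        tunnel interface created by the FortiClient wizard
#   "internal1"      LAN interface
#   10.212.134.0/24  address pool handed to FortiClient users
#   "VPN_clients"    address object for that pool (created by the wizard)

# Steps 3 and 4: give the tunnel interface an IP and a remote-ip inside the
# client subnet (this interface is only editable from the CLI).
config system interface
    edit "FCT-VPN"
        set ip 10.212.134.254 255.255.255.255
        set remote-ip 10.212.134.253 255.255.255.0
    next
end

# Step 5: reverse policy, LAN -> VPN clients. The wizard only created the
# VPN -> LAN direction. NAT is not needed for LAN-initiated traffic.
config firewall policy
    edit 0
        set name "internal1-to-FCT-VPN"
        set srcintf "internal1"
        set dstintf "FCT-VPN"
        set srcaddr "all"
        set dstaddr "VPN_clients"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Step 6: blackhole route for the whole client subnet, made the least
# preferred route (distance 254 is an assumption) so that it only catches
# traffic for which no more specific tunnel route exists.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

After applying it, a ping from a LAN host to a connected client's pool address should now get a reply; if it still does not, check the policy order with "Check two things" below in mind.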
Check two things:
You enabled split tunneling, but did you include the remote subnet? You need to do that because, as Orani and you wrote, with split tunneling you don't have a gateway/default route via the VPN. So you need a route for each subnet or host you want to reach via the VPN.
Best practice, btw, is to create an address group object and put all subnets/hosts you want to be able to reach via the VPN into this group. Then enable split tunneling and set it to this address group.
Second: check if you have all required policies! Also mind the order of the policies. FGTs are FIFO for policies. The first one that matches the packet wins it :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams