Fortinet Forum
SebastianFromCologne
New Contributor

Reach Site-to-Site from Split Dial-up VPN

Hi friends,

Perhaps someone can help. I have two FortiGates connected via a site-to-site VPN.

From both networks, Site A and Site B, I can reach the networks.

 

My dial-up users inform me that they can't reach the Site B network. With their dial-up connection, they are connected to Site A. In my opinion, this is due to the split tunnel. The policies are correct, I think. I could imagine this is a problem of a missing route, but I am not sure where: on the client itself or on the FortiGate?

I think the client doesn't know how to reach the Site B network...

When I do a trace, I can see that no traffic for the Site B network goes through the dial-up tunnel.

 

Do you have any ideas?

 

Best regards

Sebastian

 

sw2090
Honored Contributor

The client basically first of all needs to have a route that tells it which way to reach the Site B network. Split tunneling should push routes for the subnets specified there to your client.

However, especially with FortiClient, I ran into several cases where it simply did not do that with specific pairs of FortiClient and FortiOS versions. Mostly it started working again upon updating FortiClient to a new enough version.

So you might ask a user on the dial-up VPN to establish the VPN connection and then send you the output of the cmd command "route print" (on Windows), "route -n" (on Linux) or "netstat -rn" (on macOS) and see if it has a route to the Site B subnet with the correct gateway and interface.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Debbie_FTNT
Staff

Hey Sebastian,

After checking the routing as sw2090 suggested, you could verify what split-routing addresses you have set in the VPN settings on the FortiGate.

You should also consider:
-> you need a policy from dial-up VPN to site-to-site VPN

-> if you don't apply NAT in this policy, you need to include the dial-up IP range in the phase2 selectors, and add appropriate routing and policies on the remote side

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
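A worked FortiOS CLI configuration for the checklist above, added here as an example; it is not from the original thread or from Fortinet's documentation. Every name and address in it is an assumption: Site A LAN 10.1.0.0/24, Site B LAN 10.2.0.0/24, a dial-up pool of 10.212.134.0/24, the dial-up phase1 interface "DialUp" on Site A, and the existing site-to-site phase1 interfaces "SiteB" (on Site A) and "SiteA" (on Site B) with the phase1 settings, pre-shared keys and the address object "SiteB_LAN" on Site B already in place. It covers the three points: the split-tunnel include list must contain the Site B subnet so the client receives a route for it, a firewall policy must allow dial-up-to-site-to-site traffic, and because that policy does not NAT, the dial-up pool must appear in the phase2 selectors on both sides with a return route and policy on Site B.

```fortios
# --- Site A FortiGate (dial-up hub). All objects below are assumed names/addresses. ---
config firewall address
    edit "SiteA_LAN"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "SiteB_LAN"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "DialUp_Pool"
        set subnet 10.212.134.0 255.255.255.0
    next
end

# Group pushed to FortiClient as the split-tunnel include list.
# Without SiteB_LAN here the client never installs a route for 10.2.0.0/24,
# so that traffic leaves via the client's default gateway instead of the tunnel.
config firewall addrgrp
    edit "DialUp_SplitTunnel"
        set member "SiteA_LAN" "SiteB_LAN"
    next
end

config vpn ipsec phase1-interface
    edit "DialUp"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "DialUp_SplitTunnel"
    next
end

# Two phase2 selectors on the site-to-site tunnel: the existing LAN-to-LAN one
# and a second one that carries the dial-up pool to Site B without NAT.
config vpn ipsec phase2-interface
    edit "SiteB_p2_LAN"
        set phase1name "SiteB"
        set src-addr-type name
        set src-name "SiteA_LAN"
        set dst-addr-type name
        set dst-name "SiteB_LAN"
    next
    edit "SiteB_p2_DialUp"
        set phase1name "SiteB"
        set src-addr-type name
        set src-name "DialUp_Pool"
        set dst-addr-type name
        set dst-name "SiteB_LAN"
    next
end

# Policy from the dial-up tunnel into the site-to-site tunnel, no NAT.
config firewall policy
    edit 0
        set name "DialUp_to_SiteB"
        set srcintf "DialUp"
        set dstintf "SiteB"
        set srcaddr "DialUp_Pool"
        set dstaddr "SiteB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# --- Site B FortiGate: return path for the dial-up pool. ---
config firewall address
    edit "SiteA_DialUp_Pool"
        set subnet 10.212.134.0 255.255.255.0
    next
end

config vpn ipsec phase2-interface
    edit "SiteA_p2_DialUp"
        set phase1name "SiteA"
        set src-addr-type name
        set src-name "SiteB_LAN"
        set dst-addr-type name
        set dst-name "SiteA_DialUp_Pool"
    next
end

# Route replies to dial-up clients back into the tunnel; "internal" is the assumed LAN interface.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "SiteA"
    next
end

config firewall policy
    edit 0
        set name "SiteA_DialUp_to_LAN"
        set srcintf "SiteA"
        set dstintf "internal"
        set srcaddr "SiteA_DialUp_Pool"
        set dstaddr "SiteB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying this, a client that reconnects should show a route for 10.2.0.0/24 via the FortiClient adapter in "route print" (Windows) or "netstat -rn" (macOS). On the Site A FortiGate, "diagnose vpn tunnel list name SiteB" should list both selector pairs, and "diagnose sniffer packet SiteB" while a dial-up user pings a Site B host confirms the traffic is actually entering the site-to-site tunnel rather than being dropped for lack of a matching selector. If you prefer to NAT the dial-up traffic to Site A's tunnel address in the "DialUp_to_SiteB" policy instead, the Site B-side selector, route and policy for the pool are not needed, at the cost of losing the real client source address in Site B's logs.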
vdralio
Staff

Dear Sebastian,

 

Please take a look at the documentation below for detailed information on how to configure this, and compare it with what you have done until now:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPsec-traffic-forwarding-to-site-to...

 

Best Regards,

Vasil Dralio

SebastianFromCologne
New Contributor

Hi sw2090 and Debbie,

I was able to solve my problem. sw2090, I had the same thought that the client doesn't have the route. That was true, the route wasn't available on the client.

I forgot to add the Site B network as an accessible network on the dial-up VPN connection. For that, Debbie's hint about the Phase 2 selector was good.

Thanks to both of you. VPN is sometimes counterintuitive, so it helps to talk about it.

 

Best regards

Sebastian

Debbie_FTNT

Glad we were able to help :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++