Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kaplan
Contributor

To reach other Networks with Forticlient VPN Connections

Dear Poeple,

Nice Sunday first:-)
I put a picture to explain my behaviour better.

I want connect with a forticlient to FG1 to reach their network and reach the Network from FG2 too.

FG1 und FG2 have side to side VPN connections.

I can ping only the FG1 networks and cannot reach the FG2 networks like in picture to the network 192.168.4.0/24.
Does it possibele to reach other Networks with a Forticlient over VPN Connection or not?

 

Phase 2 all FGs and FortiClient Network are 0.0.0.0/0.0.0.0 typed
In FortiClient VPN Connections are both Network (192.168.4.0 and 192.168.5.0) typed.

In FG 1 is a policy

incomming: FortiClientVPN

outgoing: internal, VPN Connection to FG2

incomming Network: all

outgoing Network: 192.168.4.0 and 192.168.5.0

Split Tunneling ist activated


Thanx in advantage

Kaplan_0-1648361385802.png

 

2 Solutions
vdralio
Staff
Staff

Dear Kaplan,

 

You can check the article below if you have dial-up VPN users that want to reach a local subnet through S2S VPN:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPsec-traffic-forwarding-to-site-to...

 

Best Regards,

Vasil Dralio

View solution in original post

sw2090
Honored Contributor

it is possible even with IPSec FortiClient VPN. You just need Policies on  both FGT to allow the traffic and routing back to the vpn probably.

And you should enable split tunneling to have the FortiClient push a route to those subnets to the client. It would work without too but then ALL your traffic would go through the tunnel.

 

So in your case that would mean:

 

the dial up vpn on the 192.168.5.0 FGT should have split tunneling enabled with 192.168.5.0/24 and 192.168.4.0/24 as subnets (and p2 selectors set to 0.0.0.0/0.0.0.0).

This FGT then must have a route to 192.168.4.0/24 and a policy allowing traffic coing from the vpn to flow to 192.168.4.0/24.

 

The FGT in 192.168.4.0 has to have Policy that allows traffic coming from the vpn via the 192.168.5.0 FGT to flow to 192.168.4.0. Also it has to have a route back to the vpn net because without you will never get an answer to your packets :)

 

With all that set it should work.

 

You do not need reverse policies on both FGT as long as you don't want to be able to connect to a vpn client from out of 192.168.5.0/24 or 192.168.4.0/24.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

5 REPLIES 5
vdralio
Staff
Staff

Dear Kaplan,

 

Wish you also a nice Sunday :)

 

Yes, it is possible to access the local network from SSLVPN going through S2S VPN.

Please check the article below:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn

 

Best Regards,

Vasil Dralio

 

Kaplan

Dear Vasil,

thanx for this link. I will check it. The first what I see, that this Forticlient is configured over SSL. My FortiClient is configured over IPSEC. Must I connect over SSL VPN with the FortiClient or does it not depend of SSLVPN or IPSEC VPN?

 

vdralio
Staff
Staff

Dear Kaplan,

 

You can check the article below if you have dial-up VPN users that want to reach a local subnet through S2S VPN:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPsec-traffic-forwarding-to-site-to...

 

Best Regards,

Vasil Dralio

sw2090
Honored Contributor

it is possible even with IPSec FortiClient VPN. You just need Policies on  both FGT to allow the traffic and routing back to the vpn probably.

And you should enable split tunneling to have the FortiClient push a route to those subnets to the client. It would work without too but then ALL your traffic would go through the tunnel.

 

So in your case that would mean:

 

the dial up vpn on the 192.168.5.0 FGT should have split tunneling enabled with 192.168.5.0/24 and 192.168.4.0/24 as subnets (and p2 selectors set to 0.0.0.0/0.0.0.0).

This FGT then must have a route to 192.168.4.0/24 and a policy allowing traffic coing from the vpn to flow to 192.168.4.0/24.

 

The FGT in 192.168.4.0 has to have Policy that allows traffic coming from the vpn via the 192.168.5.0 FGT to flow to 192.168.4.0. Also it has to have a route back to the vpn net because without you will never get an answer to your packets :)

 

With all that set it should work.

 

You do not need reverse policies on both FGT as long as you don't want to be able to connect to a vpn client from out of 192.168.5.0/24 or 192.168.4.0/24.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Kaplan

Dear SW2090,

 

thanx for your post.
I had before the IPSEC Connection between 2 FGTs with p2 selectors to set to 0.0.0.0/32. Only the policys and the backroutes to the FortiClient IP was not ready.
So does it function.
Only one thing is for me mysterious.
If I use sniffing on FG, I see the incomming Host (with the forticlient IP) but only for few packets and then there are no flow to see an sniffe like dia sys snif pack any 'host 192.168.250.5' 4 0 a

Best wishes