Fortinet Forum
Ali_Jassim
New Contributor III

VPN Using FortiClient Software

Greetings to you,

My problem in brief:

We have an EMS server with 600 endpoint licenses. My computer is connected to EMS and is getting updates for AV.

I want to use VPN from outside into the company. I created a user in the FortiGate (user1, pass11$$$&^) and I created a policy to allow the VPN to connect.

I tested via browser and it is working,

but from the FortiClient software it will connect to the VPN, yet I can't ping any subnet which I added, although I can ping my subnet via the VPN browser.

My question is: in the FortiGate 200D device I don't have a license for VPN, but I have a license in EMS for 600 endpoints,

and my FortiClient software is showing registered to EMS, but I'm not able to connect to the VPN! Actually it will connect and I'm getting the alert "Configuration update was received from FortiGate", but I can't ping the subnet which I added, although I can ping my subnet via the VPN browser!

Thanks

Alby23
Contributor II

In tunnel mode an assigned IP is implied, so you have to properly configure routing and firewall policies (specifically the source subnet) in your FortiGate.

Ali_Jassim
New Contributor III

Dear Alby23

Why do I need to add a route, while if I'm using VPN via the browser everything is working well?

I hope you understand my problem.

Alby23

The reason is that in Web Only mode your client does not have an IP assigned from a FortiGate, so your requests are proxied by the FortiGate itself (no routes needed here).

If you use FortiClient, your PC receives an IP assigned from the FortiGate, so you have to configure a route on the FortiGate in order to let the ICMP reply packet be routed back to your PC.
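
Why web mode worked while tunnel mode did not, as an added example (not part of the original thread): a simplified Python model of the FortiGate's route lookup for the ping reply. The addresses, the interface names (`wan1`, `internal`, `ssl.root`) and the routing table are constructed assumptions, not values from the poster's device.

```python
import ipaddress

# Constructed values (assumptions, not taken from the thread).
FGT_LAN_IP = "192.168.10.1"          # FortiGate address on the internal LAN
TUNNEL_CLIENT_IP = "10.212.134.200"  # address handed to FortiClient in tunnel mode
BASE_ROUTES = [
    ("0.0.0.0/0", "wan1"),            # default route to the internet
    ("192.168.10.0/24", "internal"),  # connected LAN subnet
]
VPN_POOL_ROUTE = ("10.212.134.0/24", "ssl.root")  # route for the VPN pool


def lookup(routes, dst):
    """Longest-prefix match: egress interface for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes]
    matches = [(n, i) for n, i in matches if addr in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_seen_by_server(mode):
    """Source address an internal server sees for a ping from the VPN user."""
    # Web mode: the FortiGate proxies the request from one of its own addresses.
    # Tunnel mode: the packet keeps the address assigned to the client.
    return FGT_LAN_IP if mode == "web" else TUNNEL_CLIENT_IP


def reply_egress(routes, mode):
    """Where the FortiGate sends the server's reply for the given VPN mode."""
    dst = source_seen_by_server(mode)
    if dst == FGT_LAN_IP:
        return "local"  # reply terminates on the FortiGate, no route needed
    return lookup(routes, dst)


if __name__ == "__main__":
    for label, routes in (("without pool route", BASE_ROUTES),
                          ("with pool route", BASE_ROUTES + [VPN_POOL_ROUTE])):
        for mode in ("web", "tunnel"):
            print(f"{label:19} {mode:6} -> {reply_egress(routes, mode)}")
```

Without the pool route, the tunnel-mode reply matches only the default route and leaves toward `wan1` instead of returning into the VPN tunnel, which is the symptom described in the question.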

emnoc
Esteemed Contributor III

To further understand Alby's reply: when you're using web portal mode and one of the plugins, the FortiGate and one of its addresses is doing the connection.

You can monitor this by launching a plugin from the web portal and monitoring the target's established session table ( netstat -an ) to see what address is being sourced from the firewall.

kenfelix

PCNSE

NSE

StrongSwan

Ali_Jassim
New Contributor III

Dear Alby23

I would like to thank you for the efficient solution! As you suggested, I added a route for the VPN subnet.

I just added it and then I was able to reach my subnet.

Thank you man, you helped me!

Alby23

Thanks for your reply Ali, glad to help.