Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Access Multiple network throught IPSEC VPN for...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Access Multiple network throught IPSEC VPN forticlient
Hello,
I have a question, can I access to multiple network throught IPSEC VPN forticlient. There is the schéma infrastructure:
LAN A --------------FGT A----------------VPN IPSEC site to site--------------------------FGT B-----------------LAN B
192.168.1.X/24 192.168.1.1 192.168.2.1 192.168.2.X/24
|
|
|
|
IPSEC VPN Forticlient
192.168.3.x/24
VPN site to site working normally
When I am connected to VPN Forticlient with IP address 192.168.3.10 (For Example), I have access to network 192.168.1.0/X,
but i have no access to network 192.168.2.X/24.
I try to have somes policies, routes, etc.., still not working.
Any ideas on the question
Labels:
- Labels:
-
6.0
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are many posts for similar situations, vpn to vpn, hub and spokes, etc. in the forum you can search. FortiClient wouldn't make much difference. In the end, all come down to three key issues: 1) phase2 network selectors, 2) routing over the tunnels, and 3) FW policies, at each node.
If you're confident about these, what you need to do is sniffing and "flow" debugging at each FGT. But almost sure you're missing one or two in the thee keys.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On the workstation with forticlient as this is the routing table? In the second phase of ipsec, which network did you define?
NSE-4
NSE-4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It wasn't in your post but you connect to FG-A, right? Does the phase 2 include both subnets: 192.168.1.0/24 and 192.168.2.0/24? Do you have a policy for remote users who connect FG-A and then connect via s-2-s tunnel to location B?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I Can connect to FG-A. No phase 2 not include subnet 192.168.2.0/24. I can't and this network on GUI. I must use CLI?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you show your config? There are too many settings to guess:
- split horizon - do you have this feature on?
- is there any firewall policy for user from SSL.root (or any vdom you have) to the IPsec interface?
As Toshi Esumi said in previous post you are missing one of these mandatory components (or more):
a) phase 2 selectors (you will not get the route for 192.168.2.0/24),
b) firewall policies on both end (FG-A and FG-B),
c) routing - I think the routing on FG-A should be fine but make sure on site B they know how to send traffic back, based on your source IP
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could do the way I do here:
- I have a site2site IPSEC vom HQ to Shop
- Phase2 selector is on 0.0.0.0/0.0.0.0 (that's the FGTs default btw)
- Client here uses HQ FGT as default Gateway
- then you do not need split tunneling or routes on the client (execpt from the default route)
- HQ FGT has routes to Shop Subnets and Shop FGT has a route back to HQ Subnet(s) that need to access the SHop subnets.
- both FGT have Policies to allow the traffic as needed.
works fine here.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you put the default route on HQ all of your traffic goes to HQ. That has disadvantages:
- for internet access, an additional policy in HQ is needed
- you cannot use your local LAN anymore, e.g. printer or NAS
So, rather enable "split tunneling" on the FC and define the routes to 192.168.1 and 192.168.2. This will take care of the routing on the client. @Toshi has already mentioned the other prerequisites.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Ede: yes it does but for clients that reside at HQ it has to do so anyways so don't matter as the FGT does HQ's Internet and all other traffic too ;) And yes clients at HQ can still use HQ LAN then ;)
As long as you don't produce overlapping subnets you will always be able to use your local lan because local lan traffic does not use the default route but the net route over your lan interface ;)
I do use split tunneling on our dial up Ipsec indeed because I don't want internet traffic to go to HQ there ;)
It depemds on pur network architecture and use cases what is the best for you to use anyways...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all
Cglobal71, if you are still looking for a solution, you'll need to specify a group of networks (because only a single selection is possible under this option) you want to access through a VPN client in your IPsec policy under 'Accessible networks", and then customize your firewall policy related to this IPsec connection like this:
incoming interface: 'your vpn interface' (already specified by wizard)
outgoing interface: 'any' (you can specify 'any' only through CLI)
source: 'your vpn-range' (already specified by wizard)
destination: 'a group of networks you want to access' (the same group you specified in IPsec policy)
You can use NAT or not.
So that's all you'll need to change. But before customizing check if you are able to connect with a forticlient using your tunnel, because if it doesn't work from the start, you'll never make it work in the future.
Best regards
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,746 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
321 -
6.2
251 -
SSL-VPN
249 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
207 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
Fortivoice
54 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
FortiSoar
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1733 | |
| 1106 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.