Access SSL-VPN clients from local network

When I connect to SSL-VPN I can normally access my LAN, and VPN clients can see each other, so that's good too, but when I'm sitting in the office and I need to remotely access a VPN client, I can't. To do this I would also have to connect to the VPN, so I can't access it. I assume it's a routing problem, but I can't really find any info about this.
The SSL-VPN range is 10.99.201.10-10.99.201.100, and I don't really understand why, after checking the IP config of the clients, it shows IP 10.99.201.11 and the gateway as 10.99.201.12. Isn't 10.99.201.12 supposed to be the address for the next client?
I have set up a firewall rule to allow traffic from my VLAN to the SSL-VPN interface, and in static routes I have one
with destination: 10.99.201.0/24
gateway: 0.0.0.0
interface: ssl-vpn
Labels: FortiClient, FortiGate
Hey iamgers,
to answer your questions:
- The VPN connections are technically /32 subnet connections, but as the gateway, the IP following the client IP is set (even if this is used by the next client as well).
-> If your client has the VPN IP 10.99.201.11, then seeing gateway IP 10.99.201.12 in the client is correct (even if that IP is in use by a different client).
- For SSLVPN, the connection must always be established by the client; it can't be initiated by FortiGate.
- While the SSLVPN connection is up, IF you have a route AND a policy in place to allow traffic to be initiated to the client, you should be able to access the client, I believe.
-> You have a route configured based on your comment above, but do you also have a policy in place?
I hope this helps!
If by policy you mean firewall policy, then yes, I have one that looks like this:
Incoming Interface: vlan
Outgoing: ssl-vpn
source: all
all
all
But when I check the logs, it's not even using this rule; instead it uses the generic rule vlan to wan.
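As an added example (not the poster's own configuration and not Fortinet's documentation), the following FortiOS CLI script puts in place the pieces the reply above calls for, a route and a policy toward the SSL-VPN client range, and then runs the diagnostics a practitioner would use to see which route and which policy the FortiGate actually selects for a packet headed to a connected client. A log entry matching the generic vlan-to-wan policy, as described in the last post, is exactly what the flow trace makes visible: if the route lookup resolves to the WAN interface instead of the SSL-VPN tunnel interface, only the vlan-to-wan policy can match. The interface names `vlan` and `ssl.root`, the address object name, the policy name and the client IP 10.99.201.11 are assumptions for this illustration.

```fortios
# Address object covering the SSL-VPN client pool (assumed name;
# the range matches the one stated in the thread).
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.99.201.10
        set end-ip 10.99.201.100
    next
end

# Static route for the client subnet pointing at the SSL-VPN tunnel
# interface (assumed to be ssl.root). "edit 0" creates a new entry.
# No gateway is set: the tunnel interface is point-to-point.
config router static
    edit 0
        set dst 10.99.201.0 255.255.255.0
        set device "ssl.root"
    next
end

# Policy allowing sessions initiated from the office VLAN toward the
# connected SSL-VPN clients. Scoped to the client pool rather than
# "all" so only tunnel-bound traffic is permitted by this rule.
config firewall policy
    edit 0
        set name "vlan-to-sslvpn-clients"
        set srcintf "vlan"
        set dstintf "ssl.root"
        set srcaddr "all"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Verification 1: does the routing table hold a route for the client
# subnet via the tunnel interface, or does 10.99.201.0/24 fall through
# to the default route toward WAN?
get router info routing-table all

# Verification 2: trace a packet from the VLAN toward one connected
# client (assumed IP) and read the "find a route" and "Allowed by
# Policy" lines to see which interface and policy id were chosen.
diagnose debug flow filter daddr 10.99.201.11
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from the office VLAN to 10.99.201.11 now ...
diagnose debug flow trace stop
diagnose debug disable
```

The trace output names the egress interface the FortiGate chose and the policy id it matched. If the egress interface is the WAN port and the policy id belongs to the vlan-to-wan rule, the static route is not taking effect for that destination and that is where to look first; if the route is correct but the trace reports a policy denial, the policy is what needs adjusting.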
