Eugene_Alaska
New Contributor

Can a remote FortiClient user get access to a local LAN connected over a site-2-site tunnel?

Hello.

[Image: 1234.png]

See picture, please. 
Users from LAN-1 access LAN-2 without any problem over the site-2-site IPsec tunnel.

Users from LAN-2 also access LAN-1 over the site-2-site IPsec tunnel.

Question.
Can the remote FortiClient user access internal network 2?
If so, how?

Right now there is access only to network 1.

 

Thanks.

 

P.S.

Fortigate1 is FortiGate-61E model.
Fortigate2 is FortiGate-61E model also.

kjohri
Staff

Hello,

Yes, SSL VPN users will be able to access the resources across Site to Site tunnel. Please refer to the article below:
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/45836

Regards,
Kavya
Eugene_Alaska


@kjohri wrote:

Hello,
Yes, SSL VPN users will be able to access the resources across Site to Site tunnel.

But remote users use IPsec VPN to connect.
Or does it not matter?

 

nithincs

Yes, you could achieve it. Make sure to add the dialup tunnel subnet in the phase2 selector of the site-to-site tunnel.

In FGT1: source 10.5.41.0/24, dest 192.168.8.0/24
In FGT2: source 192.168.8.0, dest 10.5.41.0/24

In FGT2, add a route to 10.5.41.0 via the tunnel interface.

Make sure to have the policies in place on both firewalls.

With this it should work.

kjohri

Hello Eugene_Alaska,

 

Yes, it is possible. I thought you were using SSL VPN. If you're using dialup VPN, the traffic flow will be the same.
In the dialup VPN configuration which you're using for remote VPN, add the traffic selector to access the LAN1 and LAN2 subnets.
In the VPN configuration between Fortigate 1 and Fortigate 2, add a new traffic selector with the dialup VPN client IP range as local and the LAN2 subnet as remote on Fortigate 1, and vice versa on Fortigate 2.

Create a policy on Fortigate 1 from dialup VPN to IPsec VPN with source dialup range with user and destination LAN2. On the remote side, create a policy from LAN2 towards IPsec with source LAN2 and destination dialup VPN range. Traffic will work as expected.

Hope this helps

Regards,
Kavya