ABE_63
New Contributor III

Can't connect to LAN when VPN connection is made over wireless access point.

I have tried to create a VPN connection from a device connected to a Fortinet wireless AP to a device connected to another port on the FortiGate. I have managed to successfully get an IPsec VPN connection, but when connected, I cannot ping the other device. Here are the current policies I have in place in an attempt to achieve this:


Outbound Policy (SSID to Internal):

  • Incoming Interface: SSID interface.
  • Outgoing Interface: Port 2 (internal network).
  • Source: SSID subnet. User: VPN_User_Group
  • Destination: Internal network subnet.
  • Action: Accept.
  • Service: All.

Inbound Policy (Internal to SSID):

  • Incoming Interface: Port 2 (internal network).
  • Outgoing Interface: SSID interface.
  • Source: Internal network subnet.
  • Destination: SSID subnet.
  • Action: Accept.
  • Service: All.

IPSec Policy (IPSec to Internal):

  • Incoming Interface: IPSec interface.
  • Outgoing Interface: Port 2 (internal network).
  • Source: Client address range subnet. User: VPN_User_Group
  • Destination: Internal network subnet.
  • Action: Accept.
  • Service: All.

When I try to ping the internal network interface, I get "request timed out". I can only ping as far as the AP interface. There is the port interface that the AP connects to, so my next step is to look at what policies may need to be applied using this interface. Any help is greatly appreciated.

AEK
Honored Contributor II

The following may help you in troubleshooting:

  • Check the routing table of the client once it is connected to VPN
  • Check the traffic logs on the FGT to see if the packets are arriving from the VPN client, if they are accepted, and if there is a reply from the VPN server
AEK
LunarEcho
New Contributor II

Double-check your policies for the port interface the AP is connected to. Also, any chance there's a firewall on the AP itself causing the timeout?

hbac
Staff

Hi @ABE_63,


Please run debug flow to see if the traffic is being dropped. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...


Example (replace x.x.x.x with the destination IP):

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr x.x.x.x
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable


Regards,
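The debug flow trace above answers the original question only if you read the right lines out of it: the "received a packet ... from <interface>" line tells you which interface the FortiGate saw the ping arrive on (the SSID interface or the IPsec tunnel interface), "find a route ... via <interface>" tells you the egress interface it chose, and the fw_forward_handler line carries the verdict. "Denied by forward policy check (policy 0)" is the implicit deny, meaning no explicit policy matched that ingress/egress pair. The following script is an added example, not part of this reply or any Fortinet tool; it parses that output and reports the verdict per trace. The sample lines, interface names (ssid-staff, ipsec-wifi, port2) and addresses are constructed, and the message strings it matches are assumed to follow the usual FortiOS wording.

```python
"""Summarise FortiGate 'diagnose debug flow' output per trace_id.

Added example; the sample trace below is constructed, not a real capture.
"""
import re
from collections import OrderedDict

# Constructed sample in the shape FortiOS debug flow prints (interface names
# and addresses are made up). Trace 1 is a ping from the SSID interface that
# hits the implicit deny; trace 2 is the same ping arriving through the IPsec
# interface and matching policy 7; trace 3 is cut short with no verdict.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 192.0.2.10:1->10.10.10.5:2048) from ssid-staff. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5525 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.10.10.5 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 10.212.134.200:1->10.10.10.5:2048) from ipsec-wifi. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5525 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.10.10.5 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Allowed by Policy-7:"
id=20085 trace_id=3 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 10.212.134.200:1->10.10.10.5:2048) from ipsec-wifi. type=8, code=0, id=1, seq=3."
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.10.10.5 via port2"
"""

# One debug flow line: trace id, function name and the quoted message.
LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
# Packet header: protocol, source, destination and the ingress interface.
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\).*? from (\S+)\.')
# Routing decision: the egress interface chosen for the destination.
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_debug_flow(text):
    """Group lines by trace_id and pull out the fields that decide a policy
    problem: src, dst, ingress interface, egress interface and the verdict."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt echo, blank line or other non-trace output
        trace_id, _func, msg = m.groups()
        t = traces.setdefault(trace_id, {
            "proto": None, "src": None, "dst": None, "in_intf": None,
            "out_intf": None, "verdict": "no verdict", "policy": None,
        })
        pkt = PKT_RE.search(msg)
        if pkt:
            t["proto"], t["src"], t["dst"], t["in_intf"] = pkt.groups()
            continue
        route = ROUTE_RE.search(msg)
        if route:
            t["out_intf"] = route.group(1)
            continue
        allow = ALLOW_RE.search(msg)
        if allow:
            t["verdict"], t["policy"] = "allowed", allow.group(1)
            continue
        deny = DENY_RE.search(msg)
        if deny:
            t["verdict"], t["policy"] = "denied", deny.group(1)
    return traces


def denied_traces(traces):
    """Return (trace_id, ingress, egress, policy) for every denied trace.
    Policy 0 is the implicit deny: no explicit policy covers that
    ingress/egress interface pair, so that is the pair a policy must allow."""
    return [
        (tid, t["in_intf"], t["out_intf"], t["policy"])
        for tid, t in traces.items() if t["verdict"] == "denied"
    ]


def summarise(text):
    """One human-readable line per trace."""
    return [
        f"trace {tid}: proto={t['proto']} {t['src']} -> {t['dst']} "
        f"in={t['in_intf']} out={t['out_intf']} "
        f"verdict={t['verdict']} policy={t['policy']}"
        for tid, t in parse_debug_flow(text).items()
    ]


if __name__ == "__main__":
    for line in summarise(SAMPLE_TRACE):
        print(line)
    for tid, in_intf, out_intf, policy in denied_traces(parse_debug_flow(SAMPLE_TRACE)):
        print(f"trace {tid}: no policy allows {in_intf} -> {out_intf} (matched policy {policy})")
```

Paste the console output of the debug flow session into a file and feed it to parse_debug_flow; a denied trace whose ingress interface is the SSID rather than the IPsec interface shows that the client's ping is leaving the wireless network directly instead of entering the tunnel, which points at the client's routing table (AEK's first check) rather than at the IPsec-to-internal policy.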

mle2802
Staff

Hi @ABE_63,

Can you try to run a sniffer to see if packets are flowing, using the command diag sniffer packet any "host X.X.X.X and icmp" 4 0 l

Regards,
