Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Marklar
New Contributor

Cannot Ping VPN client from behind 2nd Site-Site 110C

Hello I hope someone can help here - seems an easy answer but I can' t seem to figure it out. Scenario: Site to Site VPN across the country = 110C Site1(192.168.1.x) <-> 110C Site2 (192.168.3.x). No problems - been working great for years. home VPN Client connects to Site1, receives 192.168.1.101 and has name resolution and can ping all clients on both sites. No problem. Problem: Site2 clients on 3.x LAN can NOT ping or see the VPN clients on 1.x whatsoever even though they have full access to the LAN clients on 1.x. Site1 clients CAN see VPN client and ping, map drives, etc. What are we missing preventing us from being able to connect to the 192.168.1.x VPN clients connected to Site1 from the Site2 192.168.3.x subnet? I attached a crude pic for the more visually acute :) Thank you!
2 REPLIES 2
rwpatterson
Valued Contributor III

Give those SSL clients their own unique subnet. Since the internal and SSL interfaces share the same subnet, traffic will never get routed to those SSL clients. I know logically the SSL traffic shouldn' t get to the internal either, but the FGT does make that work. When you make that change, also add a static route for the SSL subnet back to the ssl.root interface with a lower distance than the default gateway.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Marklar
New Contributor

Thanks for your assistance. For clarification (not sure if it matters), these are IPSEC VPN clients. Also internal LAN traffic DOES route to the VPN clients from the 1.x subnet the VPN client grabs an IP on (via DHCP). I guess I dont understand why traffic cant be routed from the 3.x subnet to the VPN client as well? The VPN client can access both subnets with no problem and the Site1 LAN can send traffic to the VPN client, so why cant the 3.x subnet? Maybe where I' m stuck is where you mention " but the FGT does make that work" ...like it shouldn' t work the way it is currently but the FGT is allowing it regardless and the final hurdle of accessing the VPN client from 3.x means i' d have to send VPN clients to a new subnet like 4.x?
Labels
Top Kudoed Authors