Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- FortiClient IPSec VPN to VLAN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiClient IPSec VPN to VLAN
Hi All,
I'm tired of beating my head against this wall and am hoping one of you may have a sledgehammer or wrecking ball I can borrow. The use case is as such: PLC vendor needs access to specific VLAN on our network so they can remotely manage their systems. They requested an IPSec VPN to access via the FortiClient.
So far I have an IPSec VPN set up that works almost flawlessly. User can connect, is unable to ping any of our internal IP addresses and can even ping the IP address (172.22.5.2/24) on our core cisco stack. That IP is the VLAN172 IP address. If I SSH in to the cisco device I can ping everything on that subnet no problem. Pinging and tracerouting via the Fortigate CLI succeeds to all 172 subnet addresses as expected as well. But from the VPN the cisco is the only IP address I can ping successfully.
On the internal interface I have a VLAN set up with the proper VLAN ID and 172.22.5.6/24 as the IP address. I have the 172.22.5.0/24 Subnet set up as a firewall object as well as the VPN subnet. I have a single policy set up allowing traffic from the VPN Subnet to the 172 Subnet (always/ALL) and a static route set up from the VPN Subnet to the VPN.
Doing a tracert while connected to the VPN shows it hitting my primary internal interface rather than the VLAN interface. At this point I believe that the VPN is routing across the internal interface rather than the VLAN sub-interface.
Phase1
config vpn ipsec phase1-interface edit "172 VPN" set type dynamic set interface "wan2" set mode aggressive set xauthtype auto set mode-cfg enable set proposal 3des-sha1 aes128-sha1 set authusrgrp "172 IPSec VPN User Group" set ipv4-start-ip 10.10.20.101 set ipv4-end-ip 10.10.20.110 set ipv4-netmask 255.255.255.0 set dns-mode auto set ipv4-split-include "172 Subnet" set psksecret next end
Phase2
config vpn ipsec phase2-interface edit "172 VPN" set phase1name "172 VPN" set proposal 3des-sha1 aes128-sha1 next end
There is one policy in place that is set up with Incoming Interface (172 VPN), Source Address (VPN Subnet), Outgoing Interface (172 VLAN), Destination Address (172 Subnet). All/Always/ NAT is disabled. I also have a static route in place to go from the VPN IP Subnet to the VPN.
Hopefully this makes sense and someone here has the magic bullet to make this VPN work as expected.
Thanks!
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try to enable NAT on policy-10.Thanks.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<<<<I have a single policy set up allowing traffic from the VPN Subnet to the 172 Subnet (always/ALL) and a static route set up from the VPN Subnet to the VPN.>>>>
Dialup User VPN no need set up static routes.
Make sure VPN tunnel is up (dia vpn tunnel list)
You may check it with "debug flow"
dia debug flow filter daddr 172.22.5.2
dia debug flow show console enable
dia debug flow trace star 20
Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jeff,
Unfortunately this isn't giving me any data to work with. On the firewall I set up the flow filter and enabled showing the flow on the console and ran "diag debug flow trace start 20" (it threw an error if i didn't make it start rather than star) and then from the connected VPN client I ran a ping. Nothing shows up on the console. Any other troubleshooting routes I can take?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess you are using low end box which does not have console.
If you using SSH/Telnet/CLI console, try it "dia debug enable" , it will print out debug message on virtual terminal, thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, so here's the results from that..
2016-04-07 10:19:01 id=13 trace_id=434 msg="vd-root received a packet(proto=1, 10.10.20.101:1->172.22.5.2:8) from 172 VPN_0."
2016-04-07 10:19:00 id=13 trace_id=433 msg="allocate a new session-18317071" 2016-04-07 10:19:00 id=13 trace_id=433 msg="find a route: gw-172.22.5.2 via 172 VLAN" 2016-04-07 10:19:00 id=13 trace_id=433 msg="Allowed by Policy-10:" 2016-04-07 10:19:00 id=13 trace_id=433 msg="insert vlan cos:0 id:172"
Repeat that a few times. I then checked for a destination I am not able to make it to and got this:
2016-04-07 10:26:40 id=13 trace_id=442 msg="vd-root received a packet(proto=1, 10.10.20.101:1->172.22.5.51:8) from 172 VPN_0." 2016-04-07 10:26:40 id=13 trace_id=442 msg="allocate a new session-18318acb" 2016-04-07 10:26:40 id=13 trace_id=442 msg="find a route: gw-172.22.5.51 via 172 VLAN" 2016-04-07 10:26:40 id=13 trace_id=442 msg="Allowed by Policy-10:" 2016-04-07 10:26:40 id=13 trace_id=442 msg="insert vlan cos:0 id:172"
So it looks as though it is being sent out from the firewall but not making it back for some reason. I know that the equipment responds to pings from the firewall as if I run a ping straight from the CLI Console it responds back immediately. I'm honestly not sure why I would be getting different results for different IPs over the VPN but not from the CLI Console as well. Obviously something is blocking but I still have no idea what. I'll keep banging at it as I have time and any other suggestions on things to check are more than welcome!
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try to enable NAT on policy-10.Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did it. Everything I read stated to not have NAT enabled on the policy so it didn't occur to me that I would need to change that. Thanks for the help!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,621 -
FortiClient
1,741 -
5.2
801 -
FortiManager
720 -
5.4
639 -
FortiAnalyzer
552 -
FortiSwitch
470 -
FortiAP
464 -
FortiClient EMS
421 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
SSL-VPN
236 -
FortiAuthenticator v5.5
234 -
Fortiweb
205 -
IPsec
203 -
5.0
196 -
FortiNAC
186 -
FortiGuard
139 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiAuthenticator
95 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
56 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
37 -
SAML
36 -
FortiGate v5.4
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
VDOM
28 -
FortiWAN
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1688 | |
| 1087 | |
| 752 | |
| 446 | |
| 227 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.