TigerEmperor
New Contributor

Fortigate-SiteToSite_VPN-Problem

Dear All

Good Afternoon.

I have two FortiGate 60Ds, one in HK and one in China.

Only HK has an AD and RADIUS server. I formed a site-to-site VPN between these two FortiGates and want both of them to be able to connect to the AD to get the LDAP and RADIUS data; however, I notice that I cannot access the AD and RADIUS server from the FortiGate itself, but the subnet behind it can. How can I let the FortiGate access the AD server via the VPN itself? Thanks.

One more thing: I want the CN users to automatically go through the HK FortiGate by VPN when they access HK websites, and the HK users to automatically go through the CN FortiGate by VPN when they access CN websites. Does FortiGate have some pool that lets me set a policy to do this? Thanks.

ede_pfau
SuperUser

hi,

and welcome to the forums.


I think you need to specify the source address of the 'system' (= the FGT itself) so that it's correctly routed through the tunnel. In the CLI, check 'config user ldap' if there is a 'set source' parameter (either by typing 'set ?' or by looking up the CLI Reference). Set the source IP address to the FGT's internal port address. This should enable system traffic through the tunnel.

Please specify the version of FortiOS your FGTs are using.


Your second question is a bit unclear to me. For users on the local subnet access to the remote subnet behind the tunnel is transparent, that is, 'auto' if I understand you correctly. For this to happen, you need to have a policy from local LAN to tunnel interface allowing such traffic. On the remote FGT, the same applies, you need a mirror policy for the other direction.

Ede Kernel panic: Aiee, killing interrupt handler!
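As an added example (not from either poster), this is what the source-ip approach described above would look like in the FortiOS 5.6 CLI on the China FGT (FGT B), which has no local AD; every interface name, address, object name and credential below is assumed:

```fortios
# Added example, not from the thread. Assumed layout: FGT B (China) LAN port
# "internal" = 10.2.0.1/24, HK LAN = 10.1.0.0/24, AD/RADIUS host 10.1.0.10,
# route-based IPsec tunnel interface named "to-HK".

# 1. Locally generated traffic still needs a route to the HK LAN via the tunnel.
config router static
    edit 10
        set dst 10.1.0.0 255.255.255.0
        set device "to-HK"
    next
end

# 2. The phase2 selectors must include the address the FGT will source from
#    (10.2.0.1 is inside 10.2.0.0/24, so the usual LAN-to-LAN selector is enough).
config vpn ipsec phase2-interface
    edit "to-HK-p2"
        set phase1name "to-HK"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end

# 3. Without source-ip, the FGT's own LDAP/RADIUS queries may be sourced from
#    an address outside the selectors (e.g. the WAN address) and never enter the
#    tunnel; pinning the source to the internal port address makes them match (2).
config user ldap
    edit "HK-AD"
        set server "10.1.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=ldapbind,cn=Users,dc=example,dc=local"
        set password <bind-password>
        set source-ip 10.2.0.1
    next
end

config user radius
    edit "HK-NPS"
        set server "10.1.0.10"
        set secret <shared-secret>
        set source-ip 10.2.0.1
    next
end

# 4. Verify: the test bind should succeed and the sniffer should show
#    10.2.0.1 -> 10.1.0.10 leaving on the tunnel interface.
# diagnose test authserver ldap HK-AD <user> <password>
# diagnose sniffer packet to-HK 'host 10.1.0.10 and port 389' 4
```

The same source-ip setting is needed on FGT A only if it ever queries a server that sits behind the tunnel; for a server on its own LAN it is not required.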
TigerEmperor

Hello.

Both firmwares are v5.6.2 build1486 (GA). The FGT is in the route of the subnet; do I add a duplicate route to it? (If yes, I have tried and it seems it cannot connect: I added the peer FGT B address in a route on FGT A, which has the AD.)


For the second question, I am not talking about the FGT A second going to the FGT B second; I want FGT A (Hong Kong) PCs to access China websites (not internal) via VPN, and FGT B (China) PCs to access Hong Kong websites (not internal) via VPN.
