Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Did you configure all destination IPs in the selectors? Do you have firewall policy for this traffic?
You showed policy with destination interface 'internal'. If the resource is accessible via different interface you need a separate policy.
Selectors - this is how you define what traffic should be sent to the tunnel. If you specify destination for example 10.0.0.0/24, you can't send traffic to 10.1.0.0/24. Verify your VPN settings (phase2).
Clubinski25 wrote:Best of my knowledge:
The internal is what i want to be able to access via VPN. Phase 2 was not configured on the tunnel. Internal - 10.0.5.0/24 I converted it to a custom tunnel and changed the following; Remote gateway - dialup User Specified client range = 10.0.10.100 - 10.0.10.200 Phase 2 selectors Local address - Local Lan (internal interface) Remote addredd - IPSEC VPN range
Remote gateway - dialup User (outside IP address of the remote gateway/concentrator) Specified client range = 10.0.10.100 - 10.0.10.200 Phase 2 selectors Local address - Local Lan (internal interface) (Same range as the client range) Remote addredd - IPSEC VPN range (the subnet that you need to reach on the remote side)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote:I did Change the "Remote Gateway" to my ISP IP which did not work , I have it current set to the IP of the Fortigate. When I change it from dialup user to "static IP" the Phase 2 selectors disappear and it does not allow me to set the Local Address & Remote address.Clubinski25 wrote:Best of my knowledge:
The internal is what i want to be able to access via VPN. Phase 2 was not configured on the tunnel. Internal - 10.0.5.0/24 I converted it to a custom tunnel and changed the following; Remote gateway - dialup User Specified client range = 10.0.10.100 - 10.0.10.200 Phase 2 selectors Local address - Local Lan (internal interface) Remote addredd - IPSEC VPN rangeRemote gateway - dialup User (outside IP address of the remote gateway/concentrator) Specified client range = 10.0.10.100 - 10.0.10.200 Phase 2 selectors
Local address - Local Lan (internal interface) (Same range as the client range) Remote addredd - IPSEC VPN range (the subnet that you need to reach on the remote side)
Hope this helps
Clubinski25 wrote:
Phase 2 selectors Local address - Local Lan (internal interface) Remote addredd - IPSEC VPN range
You can add more addresses as a local. It allows you to reach the remote subnet. I don't know how you reach that additional subnet (from the FTG) but you need a firewall policy for it.
The host/server in the remote subnet should know how to reach VPN users. Make sure the routing is correct.
I double checked this and matched above settings and still not connecting the IPSEC VPN off my local network.
Any more suggestions?
hm you wrote you can connect to your vpn from your lan but no from outside (even if you set the isp as remote gw on your forticlient). Unfortunately you didn't provide one important detail:
How is your FGT connected to the internet? Does the FGT do dialup with pppoe? Or does it even have static isp ip on an interface? In this case it should work.
Or do you have a router in front of your FGT that does the connection to your isp and the wan side of the FGT is just connected to it. In this case you need to do some portforwarding on your router. You will need the ports 500/UDP (IPSEC itself) and probably 4500/UDP (NAT-Traversal if you use it) forwarded to your FGT.
hth
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.