IPSec VPN Fortigate 80C - printing, other network visibility
Hi, first of all I'd like to say hello to everybody since it's my first entry here and I'm pretty sure not the last one :)
Device: Fortigate 80C
Firmware Version: v4.0,build0689,140731 (MR3 Patch 18)
I've configured IPsec VPN with success. When I connect to the VPN I receive e.g. the 10.10.30.180 address from the configured pool (180 - 199) -> these are my LAN addresses, and I have two major problems:
1. In my company I have another internal network (11.10.30.x; 255.255.255.0). I need that network to be accessible through the VPN. So, I've created a VPN to ProductionNetwork policy:
Source Interface: VPN
Source Addresses: VPN_addresses
Destination Interface: ProductionNetwork
Destination Address: ProductionNetwork_internal_addresses
Service: any
Action: Accept
Enable NAT
and when I'm trying to ping 11.10.30.x - not working :(
2. The second problem is that when I connect to the VPN I'd like to print on the local printer, which is a network printer and has a different address than the VPN address. 'route print' shows me that the local addresses have a higher metric, but it doesn't matter - I cannot print.
Can you please help me with these 2 tasks?
regards
Hello, Johnatan! Welcome to the Fortinet forums.
Let's start with two diagnostics, a sniff and a flow trace:
1. Sniff
diag sniffer packet any "host 11.10.30.x and icmp" 4
- Replace '.x' with the target host you're trying to ping, and press Ctrl+C to stop the sniff after the test.
2. Flow Trace
diag debug reset
diag debug enable
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow filter addr 11.10.30.x
diag debug flow filter proto 1
diag debug flow trace start 5000
- Same rule applies: replace '.x' with the target IP, run a test ping, then to stop the trace...
diag debug flow trace stop
diag debug flow filter clear
diag debug reset
diag debug disable
The sniff and flow trace will likely help with both issues. If we can't find a quick answer here through the forums, please consider opening a ticket with TAC to assist you. Provide your configuration file and the output from the sniff and flow trace as a good starting point.
Regards, Chris McMullan Fortinet Ottawa
Hi Christopher, thank you for your fast reply. I've written down your commands for future needs.
It's quite strange, but suddenly the 11.x.x.x network is visible. Maybe this was caused by my PC, which hadn't been rebooted for a couple of days? I started with your commands, then tried to ping and .... Voila
The question is about the printing issue. I can't put another policy from VPN to 192.168.1.x because this is not a Fortigate internal port. So I can pick the source interface and address from the list, but the destination interface? address?
What is the printer IP, and where is it in terms of your network topology?
What is the output from running 'route print' on your host, as you did before?
Regards, Chris McMullan Fortinet Ottawa
The printer IP is 192.168.1.100
This is a completely different location (physically), a different net and provider.
The user just connects to the IPsec VPN and has access to my resources, e.g. the ERP system.
This is working fine. But the last thing is to make printing on this printer work.
The 'route print' after VPN connection - please see attachment.
The default route should not point to the subnet behind the tunnel. Otherwise, you can only reach hosts within your local subnet.
This setting is called 'split tunneling'. Please have a look at the documentation for where to activate this.
Ede Kernel panic: Aiee, killing interrupt handler!
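To illustrate the route-selection point made in this last reply (an added example, not code from the thread or from Fortinet), the script below parses a constructed Windows 'route print' table and reports which interface a packet to a given destination would leave from, and whether the winning default route goes into the tunnel. The sample table and addresses (VPN adapter 10.10.30.180, LAN gateway 192.168.1.1, LAN NIC 192.168.1.50) are assumptions, not the poster's attachment.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample of a Windows 'route print' IPv4 table (not the attachment
# from this thread). The VPN adapter 10.10.30.180 has installed a second default
# route with a better (lower) metric than the LAN gateway: a full tunnel.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0         On-link     10.10.30.180      1
       10.10.30.0    255.255.255.0         On-link     10.10.30.180    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Keep only the five-column route rows of 'route print'; skip headers and rulers."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(network, gateway, ipaddress.IPv4Address(iface), int(metric)))
        except ValueError:
            continue  # a text row that merely had five words
    return routes


def best_route(routes: List[Route], ip: str) -> Optional[Route]:
    """Windows route selection: the longest prefix wins, then the lowest metric."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def is_full_tunnel(routes: List[Route], vpn_interface_ip: str) -> bool:
    """True when the winning default route leaves via the VPN adapter (no split tunnel)."""
    default = best_route(routes, "0.0.0.0")
    return default is not None and str(default.interface) == vpn_interface_ip
```

With the sample table, traffic to the remote production network correctly goes into the tunnel, while the printer on 192.168.1.100 still matches the more specific local /24 route; removing the tunnel's default route (split tunneling) is what sends all non-corporate traffic back out the local NIC.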
