Client is using 2 FortiGate 80E firewalls configured for site-to-site IPsec VPN; the tunnel is up, and users at both locations can access and ping across to the other site. When any user connects remotely via the FortiClient program, they can only access the location the VPN is on. They cannot ping across or resolve the server name. Something changed a couple of months ago, as they were able to connect before. We have checked settings on both ends, but do not see what would prevent it. We recently onboarded this client, and do not have older backup configs to compare.
So this means:
Dial-up IPsec FortiClient => FGT works, and one can reach the subnets on the FGT as one should.
But one cannot reach the subnet(s) behind the other end of the S2S IPsec between the two FGTs, correct?
I would recommend:
Connect FortiClient.
Check the routing table on the client.
Check the routing table on both FGTs.
Check the policies on both FGTs.
Probably start a flow debug in the CLI on each FGT to see what happens to your traffic...
diag debug ena
diag debug flow filter clear
diag debug flow filter saddr <forticlient-ip>
diag debug flow filter daddr <remote-site-server-ip>
diag debug flow trace start <numberofpackets>
diag debug flow trace stop
diag debug disable
This will show you if the traffic reaches the FGT and, if it does, which policy it hits and where it goes next.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
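To make the flow trace output from the reply above easier to read, here is a small parser, added as an example and not part of the forum thread or of FortiOS. The sample lines are constructed in the shape of FortiOS "diagnose debug flow" output (the "received a packet", "find a route" and "Allowed by Policy"/"Denied by forward policy check" messages); the addresses, interface names (FortiClientVPN, SiteB-VPN, wan1) and policy IDs are assumptions. It groups lines by trace_id and, for each flow, reports which interface the route lookup picked and which policy allowed or denied it, which is exactly the routing-vs-policy distinction the reply asks you to check.

```python
import re

# Constructed sample in the shape of FortiOS "diagnose debug flow" trace lines.
# Not captured from the poster's firewalls; addresses, interface names and
# policy IDs are assumptions for this example.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.212.134.200:1->192.168.20.10:2048) from FortiClientVPN. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.0.0.2 via SiteB-VPN"
id=20085 trace_id=1 func=fw_forward_handler line=782 msg="Allowed by Policy-7:"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.212.134.200:1->192.168.30.10:2048) from FortiClientVPN. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5794 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=782 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.20.10:1->10.212.134.200:0) from SiteB-VPN. type=0, code=0, id=1, seq=1."
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-0.0.0.0 via FortiClientVPN"
id=20085 trace_id=3 func=fw_forward_handler line=782 msg="Allowed by Policy-9:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*?gw-([\d.]+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_flow_trace(text):
    """Group trace lines by trace_id and extract the facts that matter for a
    routing or policy problem: src, dst, ingress interface, the egress
    interface and gateway chosen by the route lookup, and the policy verdict."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        f = flows.setdefault(tid, {
            "trace_id": tid, "src": None, "dst": None, "in_if": None,
            "out_if": None, "gw": None, "policy": None, "verdict": "none",
        })
        if pm := PKT_RE.search(msg):
            f["src"], f["dst"], f["in_if"] = pm.groups()
        elif rm := ROUTE_RE.search(msg):
            f["gw"], f["out_if"] = rm.groups()
        elif am := ALLOW_RE.search(msg):
            f["policy"], f["verdict"] = int(am.group(1)), "allowed"
        elif dm := DENY_RE.search(msg):
            f["policy"], f["verdict"] = int(dm.group(1)), "denied"
    return [flows[k] for k in sorted(flows)]


def explain(flow, vpn_interfaces):
    """Turn one parsed flow into a one-line finding. vpn_interfaces is the set
    of tunnel interface names (dial-up and site-to-site) on this FGT."""
    tid, src, dst = flow["trace_id"], flow["src"], flow["dst"]
    route = f"via {flow['out_if']}" if flow["out_if"] else "no route seen"
    # Route lookup left the tunnel set entirely: the remote subnet has no
    # route through a VPN interface, so the packet followed the default route.
    if flow["out_if"] and flow["out_if"] not in vpn_interfaces:
        return (f"trace {tid}: {src}->{dst} routed {route}: no route to this "
                f"destination through a tunnel interface, it took the default route")
    if flow["verdict"] == "denied":
        return (f"trace {tid}: {src}->{dst} routed {route} but denied by policy "
                f"{flow['policy']}: no policy from {flow['in_if']} to {flow['out_if']}")
    if flow["verdict"] == "allowed":
        return f"trace {tid}: {src}->{dst} routed {route}, allowed by policy {flow['policy']}"
    return f"trace {tid}: {src}->{dst} has no verdict in the captured lines"


def report(text, vpn_interfaces=("FortiClientVPN", "SiteB-VPN")):
    """Findings for every flow in the trace text, one line per trace_id."""
    return [explain(f, set(vpn_interfaces)) for f in parse_flow_trace(text)]


if __name__ == "__main__":
    for finding in report(SAMPLE_TRACE):
        print(finding)
```

Run it against the saved output of the trace from each FGT, replacing the interface names in the report() default with the real tunnel interface names on that box. Traffic from the dial-up client must show a route via the site-to-site tunnel interface and an allow verdict on the first FGT, and the reverse direction must do the same on the second FGT; a "via wan1" line or a "policy 0" denial tells you whether it is the routing table or the policy set that needs fixing.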
Copyright 2024 Fortinet, Inc. All Rights Reserved.