Support Forum
kr00tki
New Contributor

IPSec VPN, site-to-site, dial-up

Hi, I have working VPN tunnels: site-to-site (interface mode) and dial-up IPsec VPN for FortiClients, and I have a problem setting up traffic BR site <-> FortiClient network. I use the examples from the ipsec-vpn-52 PDF (hub and spoke). I can't use 'zone interface' because I must use UTM profiles. Can anyone help me? Some example of how I can do it?

FortiOS 5.2
HQ - 10.0.1.0/24
BR - 10.0.2.0/24
FortiClients - 10.254.254.0/24
TuncayBAS
Contributor II

For the IPsec VPN, you should add their addresses in the phase 2 settings on the A-hand side, so the FortiClient device users may know where it is. Second, the route opened for the FortiClient VPN addresses must be added on BR. In this way, users who VPN with FortiClient will come through the HQ device to BR when they want to go to that office. On the HQ equipment the necessary rules for two-way traffic can be opened. In fact, I can help you by connecting to your device; please send me a private message.

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
hklb
Contributor II

Hi,
On your branch office, did you set a static route for subnet 10.254.254.0/24 to pass through the VPN?
On BR, do the firewall rules permit the traffic from/to 10.254.254.0/24?
On HQ, do the firewall rules permit the traffic from the dialup interface to the VPN, and vice versa?
kr00tki
New Contributor

Hi, so in short my config on the two FortiGates looks like this:

======= HQ policies ========
I have policies BR <=> HQ, I have policies DIALUP <=> HQ, and of course LAN HQ <=> WAN and UTM profiles. I write only the policies BR <=> DIALUP:

Incoming Interface: Dial_UP interface
Source Address: Dialup network (10.254.254.0/24)
Outgoing interface: VPN interface on HQ
Destination address: Branch_network (10.0.2.0/24)
Service: All
Action: Accept
NAT: OFF
UTM: Off
Log Allowed: ON

Incoming Interface: VPN interface on HQ
Source Address: Branch_network (10.0.2.0/24)
Outgoing interface: Dial_UP interface
Destination address: Dialup network (10.254.254.0/24)
Service: All
Action: Accept
NAT: OFF
UTM: Off
Log Allowed: ON

Static Route:
Destination IP/Netmask: 10.0.2.0/24
Device: VPN interface on HQ
======================================

====== BR policies: ===================
I have policies BR <=> HQ, I have LAN BR <=> WAN BR and UTM BR profiles.

Incoming Interface: internal
Source Address: Dialup network (10.254.254.0/24)
Outgoing interface: VPN interface on BR
Destination address: Branch_network (10.0.2.0/24)
Service: All
Action: Accept
NAT: OFF
UTM: Off
Log Allowed: ON

Incoming Interface: VPN interface on BR
Source Address: Branch_network (10.0.2.0/24)
Outgoing interface: internal interface
Destination address: Dialup network (10.254.254.0/24)
Service: All
Action: Accept
NAT: OFF
UTM: Off
Log Allowed: ON

Static Route:
Destination IP/Netmask: 10.0.1.0/24
Device: VPN interface on BR
Destination IP/Netmask: 10.254.254.0/24
Device: VPN interface on BR
TuncayBAS
Contributor II

Add a route for 10.254.254.0/24 to the Dial-UP VPN settings, such as:

# address objects first, then the group, then the phase1 that references it
config firewall address
    edit "dial_users"
        set subnet 10.254.254.0/24
    next
    edit "Branch_network"
        set subnet 10.0.2.0/24
    next
end
config firewall addrgrp
    edit "vpn_group"
        set member "dial_users" "Branch_network"
    next
end
config vpn ipsec phase1-interface
    edit "vpn_name"
        set ipv4-split-include "vpn_group"
    next
end

Tuncay BAS RZK Muhendislik Turkey NSE 4 5 6 FCESP v5
kr00tki
New Contributor

Yaba, where must I set this option, on which FortiGate: HQ or BR or both? Which phase1? Dialup phase1 or site-to-site phase1? Thx :)
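Expanding the CLI fragment in the reply above into a complete hub-and-spoke layout, as an added example that is not from the thread: the split-include goes on the dial-up phase1 at HQ, both ends of the site-to-site tunnel need a phase2 selector that covers 10.254.254.0/24 (if the existing selectors are narrower than 0.0.0.0/0, the packets are dropped before any policy is evaluated), and BR needs a return route to the dial-up pool. Assumed interface names: "dialup" and "to_BR" on HQ, "to_HQ" on BR; the firewall policies stay as already posted.

```fortios
# Added example, not from the thread. Assumed names: "to_BR" (HQ site-to-site
# phase1-interface), "dialup" (HQ dial-up phase1-interface), "to_HQ" (BR side).

# --- HQ: extra phase2 selector so FortiClient traffic is allowed inside the
# --- BR tunnel (needed when the current selector is narrower than 0.0.0.0/0).
config vpn ipsec phase2-interface
    edit "to_BR_dialup"
        set phase1name "to_BR"
        set src-subnet 10.254.254.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end

# --- HQ: address objects and the split-tunnel include pushed to FortiClient.
config firewall address
    edit "dial_users"
        set subnet 10.254.254.0 255.255.255.0
    next
    edit "Branch_network"
        set subnet 10.0.2.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "vpn_group"
        set member "dial_users" "Branch_network"
    next
end
config vpn ipsec phase1-interface
    edit "dialup"
        set mode-cfg enable
        set ipv4-split-include "vpn_group"
    next
end

# --- BR: mirror selector plus a return route to the dial-up pool.
config vpn ipsec phase2-interface
    edit "to_HQ_dialup"
        set phase1name "to_HQ"
        set src-subnet 10.0.2.0 255.255.255.0
        set dst-subnet 10.254.254.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.254.254.0 255.255.255.0
        set device "to_HQ"
    next
end
```

After applying it, `diagnose vpn tunnel list` on each side should show a selector pair containing 10.254.254.0/24, and a ping from a FortiClient to 10.0.2.x should appear in the BR-to-DIALUP policy logs rather than disappearing.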