Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
snowman386
New Contributor III

IPSec policy server forticlient remote networks

Is there any way to have the FortiClient automatically learn the remote networks from the policy server? I thought this was the point of the policy server that I set up. Here are the details of my config:
Policy-based dialup VPN using XAuth
DHCP server assigns VIPs to the clients with no default gateway (for split tunneling)
FortiClient configured for automatic IPsec VPN
VPN policy server has been set up with the RADIUS user group and the phase 2 connection of the dialup VPN
I want the FortiGate to assign the remote networks to the FortiClient based on the firewall policy that contains the VPN tunnel (or any method; this just seems the most logical). That way I can add/remove destination subnets from the address group and have the clients automatically update instead of having to touch each client. It seems that the policy server does not assign remote networks though, as the only way I can communicate with the remote networks is to change DHCP to assign a default gateway or change the FortiClient to a manual IPsec VPN and specify the individual remote networks. The first way is not desirable as I don't want VPN clients consuming twice as much bandwidth to browse the internet. The second is not desirable as each VPN client has to be updated when remote networks are added/removed. Hope that all makes sense. Thanks
18 REPLIES
Carl_Wallmark
Valued Contributor

I get this error when I run the command: quote: cannot use named address for only one selector object set operator error, 5 discard the setting Command fail. Return code 5 I assume it means I have to set the dst-name also. Would that be the VIP subnet I created for the FortiClients? Thanks
You must select address type for both src and dst, NOT only src:
# config vpn ipsec phase2-interface
# edit <phase2 name>
# set src-addr-type name
# set src-name <name of source address>
# set dst-addr-type name
# set dst-name <name of destination address>
# end
It was my bad, I should have typed it out for you ;)

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

snowman386

You must select address type for both src and dst, NOT only src:
# config vpn ipsec phase2-interface
# edit <phase2 name>
# set src-addr-type name
# set src-name <name of source address>
# set dst-addr-type name
# set dst-name <name of destination address>
# end
It was my bad, I should have typed it out for you ;)
Well, I did figure that part out. You didn't need to type that out. I was asking what the dst name should be. Do you use all or the VIP subnet? I used the VIP subnet name but am having all kinds of issues getting the VPN to work in interface mode. Wanted to make sure that this was not a problem. I'm thinking about switching back to policy mode. I got that to work the first time with no problems. Interface mode is another story!
Carl_Wallmark
Valued Contributor

Source should be the subnets/addresses you wish to push to your clients, Destination could be 0.0.0.0/0, if your clients are dialing in.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

snowman386
New Contributor III

Yay, I got it to work. When I put in the policy the first time, it said that I should not use a policy with a name of more than 15 characters, so I changed it to 15 characters and it did not give the warning anymore. Yesterday I deleted it and made the new policy with a 7-character name and it worked like a charm the first time. I did set the src to be the LAN resources I wanted to access and the dst to be the IPsec client VIP subnet. The proper routes were added to the clients' routing table. Thanks for your help.
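The working setup the thread arrives at, written out as an added example in FortiOS CLI syntax (this is not the poster's own configuration). All object names, subnets and the phase 1 name are assumed: LAN_DB and LAN_FILES stand for the internal subnets to push to the clients, VPN_RESOURCES groups them, VPN_VIP_POOL is the range the DHCP server hands out to dial-up FortiClients, and dialup_p1 is an existing phase1-interface.

```fortios
# Added example, not the poster's config. Object names and subnets are assumed.

config firewall address
    edit "LAN_DB"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "LAN_FILES"
        set subnet 10.10.20.0 255.255.255.0
    next
    # The VIP range the DHCP server assigns to dial-up clients
    edit "VPN_VIP_POOL"
        set subnet 10.212.134.0 255.255.255.0
    next
end

# Group of subnets that should be reachable through the tunnel;
# add or remove members here instead of touching each client.
config firewall addrgrp
    edit "VPN_RESOURCES"
        set member "LAN_DB" "LAN_FILES"
    next
end

# Phase 2 name kept under 15 characters, as the thread notes a warning for
# longer names. Both selectors must be of type "name": setting only
# src-addr-type gives the "cannot use named address for only one selector"
# error quoted earlier in the thread.
config vpn ipsec phase2-interface
    edit "dialup_p2"
        set phase1name "dialup_p1"
        set src-addr-type name
        set src-name "VPN_RESOURCES"
        set dst-addr-type name
        set dst-name "VPN_VIP_POOL"
    next
end
```

With named selectors on both sides, the members of VPN_RESOURCES become the traffic selectors the FortiGate offers in phase 2, so a client picks up the corresponding routes at its next connection. Leaving the DHCP scope without a default gateway keeps the split tunnel in place: only the grouped subnets are sent through the VPN, and internet traffic stays local.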
Carl_Wallmark
Valued Contributor

Glad to hear that it worked !

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

snowman386
New Contributor III

Me too. The funny thing is that I put in a ticket with support and they said this feature was not available and I would have to put in a feature request! :D
rwpatterson
Valued Contributor III

ORIGINAL: snowman386 Me too. The funny thing is that I put in a ticket with support and they said this feature was not available and I would have to put in a feature request! :D
That's scary.....

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Carl_Wallmark
Valued Contributor

Hahaha, that's funny! Read the CLI document, you discover a lot of beautiful functions...

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

laf
New Contributor II

Me too. The funny thing is that I put in a ticket with support and they said this feature was not available and I would have to put in a feature request! :D
This is very shameful. Fortinet's support is the worst support I ever worked with, whether you pay for it or not.

The most expensive and scarce resource for man is time; paradoxically, it's infinite.
