Hi All,
Looking for advice. We have an IPsec VPN that allows users remote access to the office LAN. The office LAN includes multiple VLANs at one location (NOT site to site).
The IPsec VPN client can access VLAN1 but cannot access VLAN2. At the office location, users can access any VLAN.
Any suggestions on how to troubleshoot this issue? Sorry, I am not good with FortiGate; also, the end user did not renew the support services.
Thanks
Hi,
The basic things can be checked first.
1) Routing on the firewall for vlan2.
2) Whether the firewall policy created for the remote client allows the vlan2 subnet or not.
3) Sometimes the remote client's IP might not be reachable from vlan2; if this is the case, enabling source NAT on the firewall policy (tunnel->vlan2 policy) might help.
Hope the above helps; if not, it would be better to run the flow trace debugs to see what exactly happens.
1) Not sure about this one. When the VPN is connected, the IP on the client is 10.0.11.100. In the routing table I only find the below. If I need VPN access to another VLAN, VLAN22, such as 192.168.22.0/24,
should I add 10.10.10.0/28 to VLAN22?
2) We enabled the VPN client to access the multiple VLANs.
3) For the same VPN client allowed access to the multiple VLANs, the NAT option is enabled.
Is the vlan22 subnet configured on the FortiGate? Please check reachability from the FortiGate to vlan22 IPs. If not, you need to add a corresponding route entry on the FortiGate for the vlan22 subnet.
Yes, vlan22 is configured on the FortiGate. Let me try adding a route and see if that solves this issue. Thanks.
If the vlan interface is configured on the FGT itself, there would already be a connected route entry. Try checking the reachability.
You can run the flow trace along with the sniffer to check if the firewall is allowing the connections.
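The checks suggested in the replies above (route lookup, reachability, flow trace, sniffer) as a FortiOS CLI session; this is an added example, not part of any post in the thread. The client address 10.0.11.100 comes from the thread, while 192.168.22.10 is a constructed placeholder for a host in VLAN22, and the `#` lines are annotations rather than commands.

```fortios
# 1. Confirm the FortiGate has a route to the VLAN22 host
#    (a VLAN interface on the unit should show up as a connected route).
get router info routing-table details 192.168.22.10

# 2. Check reachability from the FortiGate itself to the VLAN22 host.
execute ping 192.168.22.10

# 3. Flow trace: show how the firewall handles packets from the VPN
#    client to the VLAN22 host (route chosen, policy matched, NAT, drops).
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.11.100
diagnose debug flow filter daddr 192.168.22.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# 4. In a second CLI session, sniff the same traffic on all interfaces.
#    Verbosity 4 prints the interface name, so it is visible whether the
#    packet leaves on the VLAN22 interface and whether a reply comes back.
diagnose sniffer packet any 'host 10.0.11.100 and host 192.168.22.10' 4 20 l

# 5. Generate traffic from the VPN client (for example a ping to
#    192.168.22.10), read the output, then stop the debug.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

If the trace shows the packet forwarded and the sniffer shows it leaving on the VLAN22 interface with no reply, the return path from the VLAN22 host to the client address is the place to look, which is the case reply item 3 describes.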