Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BKR
New Contributor II

IPsec VPN - Can't access internal network

Hello,
I have an issue with my IPsec tunnel. When connected to the VPN I have access to my firewall through the LAN (port2) interface,
but I don't have access to the VLANs created under the LAN (port2) interface.
Note that I have created firewall policies to allow access from the VPN to the internal network, and vice versa.

Port1 is my WAN

LAN(Port2) Address: 10.0.0.100

VLAN Subnet: 10.1.1.0/24

VPN Client Subnet: 172.16.10.0/24

Server machine: 10.0.0.138

Note that I am working on a virtual FortiGate firewall in the cloud.

[Image: VPN configuration]    [Image: VPN status]

[Image: Ping to server from client side]    [Image: Ping to server from firewall]

BKR

3 REPLIES
dbhavsar
Staff

Hello @BKR,

- Can you run the following debugs while pinging the destination:

In Console 1:
get router info routing-table details <source-ip>
get router info routing-table details <destination-ip>
di de reset
diagnose debug flow filter addr xx.xx.xx.xx yy.yy.yy.yy and <--- xx is source-IP and yy is destination-ip
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable


In Console 2:
diag sniffer packet any "(host xx.xx.xx.xx and host yy.yy.yy.yy) and icmp" 4 0 l <---xx is SourceIP and yy is DestinationIP

- Also, if you can, show the policy config which is being used.

DNB
HiralShah
Staff

Hello @BKR,

Can you please make sure the VLAN subnet is added to the accessible networks and that a policy has been created from the IPsec tunnel to the VLAN and vice versa.

Hiral
FortiArt
Staff

If the VLANs are configured and attached to port2, you need to create firewall policies from the VPN interface to each VLAN to be able to access resources on those VLANs. Remember to add those VLANs to the accessible networks under VPN phase 1.

If those VLANs are routed via port2, which means they are configured on the next-hop switch, NOT on the FortiGate, and if you already have static routes configured for reachability from port2, you can enable NAT on the relevant firewall policy and test whether it works.

If it still does not work after the above, this means the destination server/client on those VLANs is the source of the problem. This could be some security software blocking such traffic.

Hope this helps
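Putting HiralShah's and FortiArt's advice into CLI form, here is an added example (it is not from any reply in this thread and not a FortiGate default) of the phase 1 accessible-networks setting and the policy pair for one VLAN, using the addresses from the question. The dialup IPsec interface name "VPN", the VLAN interface name "VLAN10", the address-object names and the port2-side gateway 10.0.0.1 used in the routed-VLAN variant are assumptions, not values from the thread.

```text
# Added example; assumed names: phase1-interface "VPN", VLAN interface "VLAN10" under port2.
# Address objects for the subnets given in the question
config firewall address
    edit "VPN_CLIENTS"
        set subnet 172.16.10.0 255.255.255.0
    next
    edit "LAN_NET"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "VLAN10_NET"
        set subnet 10.1.1.0 255.255.255.0
    next
end

# Group used as "Accessible Networks" (split tunnel) on the dialup phase 1.
# Without VLAN10_NET here the client never sends 10.1.1.0/24 into the tunnel,
# so pings fail before any firewall policy is consulted.
config firewall addrgrp
    edit "VPN_ACCESSIBLE"
        set member "LAN_NET" "VLAN10_NET"
    next
end

config vpn ipsec phase1-interface
    edit "VPN"
        set mode-cfg enable
        set ipv4-start-ip 172.16.10.1
        set ipv4-end-ip 172.16.10.254
        set ipv4-split-include "VPN_ACCESSIBLE"
    next
end

# Case 1 (VLAN terminated on the FortiGate): one policy per direction, VPN <-> VLAN10.
config firewall policy
    edit 0
        set name "VPN-to-VLAN10"
        set srcintf "VPN"
        set dstintf "VLAN10"
        set srcaddr "VPN_CLIENTS"
        set dstaddr "VLAN10_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VLAN10-to-VPN"
        set srcintf "VLAN10"
        set dstintf "VPN"
        set srcaddr "VLAN10_NET"
        set dstaddr "VPN_CLIENTS"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Case 2 (VLAN lives on the switch behind port2): a static route out of port2
# (gateway 10.0.0.1 is an assumed value) plus a VPN -> port2 policy. "set nat enable"
# makes VLAN hosts see the FortiGate's port2 address instead of 172.16.10.x, which
# works around a missing return route for 172.16.10.0/24 on the switch.
config router static
    edit 0
        set dst 10.1.1.0 255.255.255.0
        set gateway 10.0.0.1
        set device "port2"
    next
end
config firewall policy
    edit 0
        set name "VPN-to-port2-VLANs"
        set srcintf "VPN"
        set dstintf "port2"
        set srcaddr "VPN_CLIENTS"
        set dstaddr "VLAN10_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

After the client reconnects (split-tunnel routes are only pushed at tunnel setup), the debug flow from dbhavsar's reply should show the ICMP session being allowed by the new policy ID rather than dropped on the forward policy check. Note that the NAT workaround in case 2 hides the real VPN client address from the VLAN hosts' own logs; with `logtraffic all` the FortiGate policy log still records it, which is the place to look if you later need to attribute traffic to a specific client.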
