IPsec VPN - Can't access internal network
Hello,
I have an issue with my IPsec tunnel: when connected to the VPN I have access to my firewall through the LAN (Port2) interface,
but I don't have access to the VLANs created under the LAN (Port2) interface.
Note that I have created firewall policies to allow access from the VPN to the internal network, and vice versa.
Port1 is my WAN
LAN(Port2) Address: 10.0.0.100
VLAN Subnet: 10.1.1.0/24
VPN Client Subnet: 172.16.10.0/24
Server machine: 10.0.0.138
Note that I am working on a virtual FortiGate firewall in a cloud.
VPN configuration
VPN status
Ping to server from client side
Ping to server from firewall
- Labels: FortiClient, FortiGate, IPsec
Hello @BKR ,
- Can you run the following debugs while pinging the destination:
In Console 1:
get router info routing-table details <source-ip>
get router info routing-table details <destination-ip>
di de reset
diagnose debug flow filter addr xx.xx.xx.xx yy.yy.yy.yy and <--- xx is source-IP and yy is destination-ip
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
In Console 2:
diag sniffer packet any "(host xx.xx.xx.xx and host yy.yy.yy.yy) and icmp" 4 0 l <---xx is SourceIP and yy is DestinationIP
- Also, if you can, show the policy config which is being used.
Hello @BKR
Can you please make sure the VLAN subnet is added to the accessible networks and that a policy has been created from the IPsec tunnel to the VLAN and vice versa.
If the VLANs are configured and attached to port2, you need to create firewall policies from the VPN interface to each VLAN to be able to access resources on those VLANs. Remember to add those VLANs to the accessible networks under VPN phase-1.
If those VLANs are routed via port2, which means they're configured on the next-hop switch, NOT on the FortiGate, and you already have static routes configured for reachability from port2, you can enable NAT on the relevant firewall policy and test if it works.
If it still does not work after the above, this means the destination server/client on those VLANs is the source of the problem. This could be some security software blocking such traffic.
Hope this helps
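The following FortiOS CLI fragment is an added illustration, not configuration from this thread or from Fortinet, showing the two things the replies ask for: the VLAN subnet included in the phase-1 accessible networks (split-include) and a policy pair between the tunnel interface and the VLAN interface rather than port2 itself. Assumed names: a dial-up phase1 "VPN-Clients" on port1, a VLAN interface "vlan10" under port2, a /24 mask for the 10.0.0.0 LAN, and a placeholder pre-shared key.

```fortios
config firewall address
    edit "LAN_10.0.0.0"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "VLAN_10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "VPN_Clients"
        set subnet 172.16.10.0 255.255.255.0
    next
end
# This group is what the GUI calls "Accessible networks"; the VLAN must be a member.
config firewall addrgrp
    edit "VPN_Accessible_Networks"
        set member "LAN_10.0.0.0" "VLAN_10.1.1.0"
    next
end
config vpn ipsec phase1-interface
    edit "VPN-Clients"
        set type dynamic
        set interface "port1"
        set mode-cfg enable
        set ipv4-start-ip 172.16.10.1
        set ipv4-end-ip 172.16.10.254
        set ipv4-split-include "VPN_Accessible_Networks"
        set psksecret REPLACE_WITH_PSK
    next
end
# One policy per VLAN interface: a policy whose dstintf is "port2" does not match its VLANs.
config firewall policy
    edit 0
        set name "VPN-to-VLAN10"
        set srcintf "VPN-Clients"
        set dstintf "vlan10"
        set srcaddr "VPN_Clients"
        set dstaddr "VLAN_10.1.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "VLAN10-to-VPN"
        set srcintf "vlan10"
        set dstintf "VPN-Clients"
        set srcaddr "VLAN_10.1.1.0"
        set dstaddr "VPN_Clients"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

For the case where the VLAN lives on a next-hop switch behind port2, the dstintf becomes "port2" and, as the last reply suggests, `set nat enable` can be added to the VPN-to-VLAN policy so return traffic needs no route back to 172.16.10.0/24.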
