Hello,
I have an issue with my IPsec tunnel, when connected to VPN I have access to my firewall through LAN(Port2) interface.
But I don't have access to VLANs created under LAN(Port2) interface.
Note that I have created firewall policies to allow access from VPN to internal network, and vice versa.
Port1 is my WAN
LAN(Port2) Address: 10.0.0.100
VLAN Snet: 10.1.1.0/24
VPN Client Snet: 172.16.10.0/24
Server machine: 10.0.0.138
Note that I am working on a virtual FortiGate firewall in the cloud.
Hello @BKR ,
- Can you run the following debugs while pinging the destination:
In Console1:
get router info routing-table details <source-ip>
get router info routing-table details <destination-ip>
di de reset
diagnose debug flow filter addr xx.xx.xx.xx yy.yy.yy.yy and <--- xx is source-IP and yy is destination-ip
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
In Console 2:
diag sniffer packet any "(host xx.xx.xx.xx and host yy.yy.yy.yy) and icmp" 4 0 l <---xx is SourceIP and yy is DestinationIP
- Also, if you can, show the policy config which is being used.
Hello @BKR
Can you please make sure VLAN subnet is added in accessible network and policy has been created from IPSec tunnel to vlan and vice versa.
If the VLANs are configured and attached to port2, you need to create firewall policies from the VPN interface to each VLAN to be able to access resources on those VLANs. Remember to add those VLANs to the accessible networks under VPN phase-1.
If those VLANs are routed via port2, which means they're configured on the next-hop switch, NOT on the FortiGate, and if you already have static routes configured for reachability from port2, you can enable NAT on the relevant firewall policy and test if it works.
If it still does not work after the above, this means the destination server/client on those VLANs is the source of the problem. This could be some security software blocking such traffic.
Hope this helps
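As an added illustration of the two points above (not configuration from this thread or from Fortinet), here is what the missing pieces look like in FortiOS CLI for the addresses the original post gives. Assumed names: the VLAN interface is "vlan10" on port2, the dialup phase1 is "VPN_dialup" with mode-cfg already enabled (as the IPsec wizard does), the LAN is 10.0.0.0/24, and the address objects are created here; lines starting with # are comments.

```text
# Assumed names: vlan10 (VLAN on port2), VPN_dialup (phase1 with mode-cfg),
# LAN_net / VLAN10_net / VPN_clients address objects defined below.
config firewall address
    edit "LAN_net"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "VLAN10_net"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "VPN_clients"
        set subnet 172.16.10.0 255.255.255.0
    next
end
# Accessible networks: the split-include group pushed to dialup clients must
# contain the VLAN subnet, or client traffic to 10.1.1.0/24 never enters the tunnel.
config firewall addrgrp
    edit "VPN_accessible"
        set member "LAN_net" "VLAN10_net"
    next
end
config vpn ipsec phase1-interface
    edit "VPN_dialup"
        set ipv4-split-include "VPN_accessible"
    next
end
# One policy per VLAN per direction; the VPN<->port2 policy does not match vlan10.
config firewall policy
    edit 0
        set name "VPN-to-VLAN10"
        set srcintf "VPN_dialup"
        set dstintf "vlan10"
        set srcaddr "VPN_clients"
        set dstaddr "VLAN10_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "VLAN10-to-VPN"
        set srcintf "vlan10"
        set dstintf "VPN_dialup"
        set srcaddr "VLAN10_net"
        set dstaddr "VPN_clients"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

If the VLAN instead lives behind a switch on port2, the destination interface of the first policy is port2 (with the static route in place) and NAT can be enabled on it as suggested above.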
Copyright 2024 Fortinet, Inc. All Rights Reserved.