Is this possible?
Hi,
I want to connect through the Fortinet Client (sslvpn) on my iPhone and direct all traffic through the Fortinet 60E to the Internet. Is this possible? If so, is there a working example somewhere? The manual is not quite clear on this.
Thanks,
Peter.
Hi, yes, that's possible.
- Do NOT enable Split Tunnel in VPN Settings
- Create security rule:
  src int: ssl.root
  dst int: the one connecting your FortiGate to the Internet
  src addr: your VPN pool
  dst addr: all
  service: all
  nat: enable
I don't have an example at hand.
Thanks @Yurisk, I have done that. I am able to see the Fortinet login page and do a login over VPN from the Internet, but I am not able to surf from the VPN on my iPhone to the Fortinet back to the Internet. In the forward traffic, I only see accepted traffic, but nothing in Chrome on my iPhone, and it times out. Any clue?
Just to confirm, are you using the FortiClient VPN app on your phone, or are you connecting to the Web SSL portal using a browser?
Graham
Thanks @gfleming, I didn't test it like this and it is working via the browser. However, I am looking for another option, because I want to have all traffic from my phone go through the VPN, so network traffic from an app (not a browser :) ) is also going through the VPN. Is this possible?
You will need to make sure that your user/group on the FortiGate is mapped to the Full Tunnel Mode portal in VPN SSL Settings. Then you should connect with the FortiClient (not via browser to the Web portal), and after establishing a connection with FortiClient, all your traffic (browser or not) will be routed via VPN to the FortiGate. https://docs.fortinet.com/document/forticlient/7.0.0/ios-administration-guide/812478/running-forticl...
Hi @Yurisk, thanks again and thanks for your patience. I have done exactly as you stated, but there is no traffic in the browser (just a site). As soon as I disconnect the VPN, the site is responsive. Below are some screenprints; could you please take a look and check whether these settings are OK? Thanks.
Config looks fine. Worth enabling All Sessions log on the rule ssl.root -> wan1 to see if everything passes as expected and NAT is being done as well. Another thing to check is DNS: maybe your resolving does not work with the current config; worth setting Specify and, say, 8.8.8.8. If all this is of no help, next is running the sniffer on the FGT, diagnose sni pa any 'host <IP of server on the Internet you are trying to reach>' 4, to see if packets are leaving via wan1.
You are the best, added DNS and it is working. So simple, too simple :-). Thanks for the excellent help!
Glad to be of any help.
https://www.cyberciti.biz/humour/a-haiku-about-dns/: