Support Forum
petertalen
New Contributor II

Is this possible?

Hi,

 

I want to connect through the Fortinet Client (sslvpn) on my iPhone and direct all traffic through the Fortinet 60E to the Internet. Is this possible? If so, is there somewhere a working example? The manual is not quite clear on this.

 

Thanks,

Peter.

Yurisk
Valued Contributor

Hi, yes, that's possible:

  • do NOT enable Split Tunnel in VPN Settings
  • Create a security rule:

src int: ssl.root
dst int: the one connecting your FortiGate to the Internet
src addr: your VPN pool
dst addr: all
service: all
nat: enable

I don't have an example at hand.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
petertalen
New Contributor II

Thanks @Yurisk, I have done that. I am able to see the Fortinet login page and log in over VPN from the Internet, but I am not able to surf from the VPN on my iPhone through the Fortinet back to the Internet. In the forward traffic I only see accepted traffic, but nothing in Chrome on my iPhone, and it times out. Any clue?

gfleming

Just to confirm are you using the FortiClient VPN app on your phone or are you connecting to the Web SSL portal using a browser?

Cheers,
Graham
petertalen
New Contributor II

Thanks @gfleming, I didn't test it like this, and it is working via the browser. However, I am looking for another option, because I want to have all traffic from my phone go through the VPN, so network traffic from an app (not a browser :) ) also goes through the VPN. Is this possible?

Yurisk
Valued Contributor

You will need to make sure that your user/group on the Fortigate is mapped to the Full Tunnel Mode portal in VPN SSL Settings. Then you should connect with the FortiClient (not via browser to the Web portal), and after establishing connection with Forticlient, all your traffic (browser or not) will be routed via VPN to the Fortigate. https://docs.fortinet.com/document/forticlient/7.0.0/ios-administration-guide/812478/running-forticl... 

 

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
petertalen
New Contributor II

Hi @Yurisk, thanks again, and thanks for your patience. I have done exactly as you stated, but there is no traffic in the browser (just a site). As soon as I disconnect the VPN, the site is responsive. Below are some screenshots; could you please take a look at whether these settings are OK? Thanks.

[attached screenshots: 1.png, 2.png, 3.png]

Yurisk
Valued Contributor

Config looks fine. Worth enabling All Sessions log on the rule ssl.root -> wan1 to see if everything passes as expected and NAT is being done as well. Another thing to check is DNS: maybe your name resolution does not work with the current config, so it is worth setting Specify and, say, 8.8.8.8. If all this is of no help, next is running the sniffer on the FGT, diagnose sni pa any 'host <IP of server on the Internet you are trying to reach>' 4, to see if packets are leaving via wan1.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
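The pieces given across the thread (a full-tunnel portal with split tunnelling off, a policy from ssl.root to the WAN interface with NAT, a DNS server handed to the client, and the All Sessions logging and sniffer checks from the accepted answer) collected into one FortiOS CLI configuration. This is an added example and not configuration posted by anyone in the thread; the interface name wan1, the group SSLVPN_Users, the pool object SSLVPN_TUNNEL_ADDR1, the portal name full-access, the certificate Fortinet_Factory and the resolver addresses are assumptions, and the syntax is that of FortiOS 6.x/7.x.

```text
# Added example, not from the thread. Assumptions: WAN interface wan1,
# user group SSLVPN_Users, pool address object SSLVPN_TUNNEL_ADDR1,
# a portal named full-access, certificate Fortinet_Factory, and the
# public resolvers 8.8.8.8 / 8.8.4.4.

# 1. Portal: tunnel mode with split tunnelling disabled, so FortiClient
#    installs a default route and every app on the phone uses the tunnel.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 2. SSL-VPN settings: map the group to that portal and hand the client a
#    DNS server it can reach through the tunnel (GUI: DNS Server = Specify).
#    Without this the phone keeps its carrier/Wi-Fi resolver, which is no
#    longer reachable once the default route points into the tunnel, so
#    pages time out although the forward-traffic log shows accepted sessions.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-server1 8.8.8.8
    set dns-server2 8.8.4.4
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    set port 10443
    config authentication-rule
        edit 1
            set groups "SSLVPN_Users"
            set portal "full-access"
        next
    end
end

# 3. Policy ssl.root -> wan1 with NAT. Tying it to the VPN pool and the VPN
#    group keeps it from becoming an open egress path for anything else that
#    lands on ssl.root. logtraffic all is the "All Sessions" setting; turn it
#    back to UTM-only once the path is confirmed to keep the log volume down.
config firewall policy
    edit 0
        set name "SSLVPN_to_Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN_Users"
        set nat enable
        set logtraffic all
    next
end

# 4. Checks from the FortiGate CLI while the phone is connected.
# Who is connected and which pool address they received:
get vpn ssl monitor
# Do the client's DNS queries reach wan1 and get an answer back?
diagnose sniffer packet any 'host 8.8.8.8 and udp port 53' 4 10
# Do packets for the target site leave via wan1 with the WAN address (NAT)?
diagnose sniffer packet any 'host <IP of the server you are trying to reach>' 4 10
```

In the sniffer output (verbosity 4 prints the interface name on each line) a working setup shows the query arriving on ssl.root with the pool address as source and leaving on wan1 with the WAN address as source; a query that appears on ssl.root but never on wan1 points at the policy or NAT, while no DNS traffic at all points back at the client-side resolver setting.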
petertalen
New Contributor II

You are the best, added DNS and it is working. So simple, too simple :-).  Thanks for the excellent help! 

Yurisk
Valued Contributor

Glad to be of any help.

https://www.cyberciti.biz/humour/a-haiku-about-dns/:

It's not DNS.
There is no way it's DNS.
It was DNS.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.