Hello!
I have FortiClient 5.6.5 on Windows 7 x64 and the connection parameters for an IPSec VPN.
The VPN connection works. But when the VPN connection is up, I lose connectivity to all hosts on my local network. Inbound (listening) connections to my host do not work either. Internet access works fine.
Now I can't work with my computer without local resources, and I can't install FortiClient on the server machine, as the outside has no access to the VPN resources.
My network when the VPN is not connected (the host with the VPN is 10.1.2.18):
Network Mask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.2.1 10.1.2.18 11
10.1.2.0 255.255.255.0 On-link 10.1.2.18 266
10.1.2.18 255.255.255.255 On-link 10.1.2.18 266
10.1.2.255 255.255.255.255 On-link 10.1.2.18 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.2.18 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.1.2.18 266
ping to an Internet resource - successful
ping to 10.1.2.19 - successful
nmap of this host from an outside host:
$ nmap 10.1.2.18
Starting Nmap 7.40 ( https://nmap.org ) at 2018-02-14 19:00 MSK
Nmap scan report for 10.1.2.18
Host is up (0.0038s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2522/tcp open windb
3306/tcp open mysql
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
My network when the VPN is connected:
Network Mask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.2.1 10.1.2.18 11
0.0.0.0 0.0.0.0 192.168.121.2 192.168.121.1 2
10.1.2.0 255.255.255.0 On-link 10.1.2.18 266
10.1.2.18 255.255.255.255 On-link 10.1.2.18 266
10.1.2.255 255.255.255.255 On-link 10.1.2.18 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.121.1 255.255.255.255 On-link 192.168.121.1 257
100.100.100.100 255.255.255.255 10.1.2.1 10.1.2.18 10
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.2.18 266
224.0.0.0 240.0.0.0 On-link 192.168.121.1 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.1.2.18 266
255.255.255.255 255.255.255.255 On-link 192.168.121.1 257
ping to an Internet resource - successful
ping to 10.1.2.19 - failed
nmap of this host from an outside host:
$ nmap 10.1.2.18 -Pn
Starting Nmap 7.40 ( https://nmap.org ) at 2018-02-14 19:00 MSK
Nmap scan report for 10.1.2.18
Host is up.
All 1000 scanned ports on 10.1.2.18 are filtered
Nmap done: 1 IP address (1 host up) scanned in 201.27 seconds
I see two default gateways, but my attempts to fix this were not successful.
I have no idea how I can reduce the security settings while the VPN connection is up. I need to have access to the outside from my host and/or access to my host from outside hosts.
I can't access the Forti VPN server. My only tool is FortiClient.
Can you help me?
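The two routing tables above can be checked mechanically. The following is an added example (not part of the original post or of FortiClient) that parses the "VPN connected" table exactly as posted and performs a Windows-style route selection (longest prefix first, lowest displayed metric among ties). It shows that 10.1.2.19 still matches the on-link 10.1.2.0/24 route even with the VPN up, so the two default routes are not what breaks local-LAN access; the second default route (metric 2) only decides where Internet traffic goes, and the /32 for 100.100.100.100 keeps the VPN peer reachable through the physical gateway. The sample text is copied from the post; the destination addresses tested are constructed.

```python
import ipaddress

# Routing table as posted for the "VPN connected" case (copied from the thread).
# Fields: destination, mask, gateway, interface, metric.
ROUTE_PRINT_VPN_UP = """\
0.0.0.0 0.0.0.0 10.1.2.1 10.1.2.18 11
0.0.0.0 0.0.0.0 192.168.121.2 192.168.121.1 2
10.1.2.0 255.255.255.0 On-link 10.1.2.18 266
10.1.2.18 255.255.255.255 On-link 10.1.2.18 266
10.1.2.255 255.255.255.255 On-link 10.1.2.18 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.121.1 255.255.255.255 On-link 192.168.121.1 257
100.100.100.100 255.255.255.255 10.1.2.1 10.1.2.18 10
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.2.18 266
224.0.0.0 240.0.0.0 On-link 192.168.121.1 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.1.2.18 266
255.255.255.255 255.255.255.255 On-link 192.168.121.1 257
"""


def parse_routes(text):
    """Parse 'route print'-style lines into (network, gateway, interface, metric).

    Lines that do not have exactly five whitespace-separated fields (headers,
    blank lines) are skipped. Masks are given in dotted form, which
    ipaddress.ip_network accepts directly.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Select the route Windows would use: longest prefix, then lowest metric.

    Returns (network, gateway, interface, metric) or None if nothing matches.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix wins, then lower metric
        if best is None or key > best[0]:
            best = (key, (str(net), gw, iface, metric))
    return best[1] if best else None


def default_gateways(routes):
    """All 0.0.0.0/0 entries, lowest metric first (the one Windows prefers)."""
    return sorted((m, gw, iface) for net, gw, iface, m in routes if net.prefixlen == 0)


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT_VPN_UP)
    print("default gateways:", default_gateways(table))
    for dst in ("10.1.2.19", "8.8.8.8", "100.100.100.100"):  # constructed test addresses
        print(dst, "->", lookup(table, dst))
```

Because the local-subnet lookup still resolves to the on-link route, the host sends the packet out the physical interface as before; the block observed in the thread therefore comes from the VPN client's own policy, which is consistent with the fix that was found later in the thread (a FortiClient local-LAN setting, not a route change).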
Hi,
If I understood your question correctly, your devices in the local subnet are not reachable when you are connected with FortiClient VPN?
Are you using SSL or IPsec dialup VPN? Should it be IPsec, change your Phase1 configuration in the CLI (the tunnel name is case-sensitive, so upper and lower case must match exactly):
config vpn ipsec phase1-interface
    edit "YOUR-PHASE1-VPN-TUNNEL-NAME"
        set include-local-lan enable
    next
end
Yes, you understood correctly.
I use IPsec VPN. How can I connect to the CLI in FortiClient?
You have to connect to your FortiGate via the CLI, e.g. with PuTTY.
FortiClient doesn't need any changes :)
I don't have access to the FortiGate.
I only have the downloaded FortiClient program and the IP address of the VPN server with a login/password. That's all.
Actually, there is a setting locally in the FortiClient config... but I cannot guarantee that this setting will be effective. It might well be that the VPN server's setting overrides it (at least that would make sense).
So, in FC, use
the 'File' menu, 'Settings',
'System', 'Backup complete configuration'.
This will export the FC config as an XML file (editable with any text editor).
Look for
<vpn>
<ipsecvpn>
<connections>
<connection>
...
<enable_local_lan>1</enable_local_lan>
If the setting is '0' instead, change it to '1'. If the line doesn't exist, add it.
Then, save the file and restore it to FC.
Shut down FC, restart it and test.
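The manual edit described in the answer above (locate each vpn/ipsecvpn/connections/connection element, set enable_local_lan to 1, or add it when it is missing) can be done reproducibly on the exported XML. The following is an added example and not FortiClient's own code or the answer author's: it takes only the element path and the enable_local_lan element from the thread; the root element name, the <name> children and the sample connections are assumptions constructed for the example. It reports the current state per connection, patches every connection (or only named ones), and is idempotent, so running it twice changes nothing the second time.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Only the vpn/ipsecvpn/connections/connection path
# and the enable_local_lan element come from the thread; the root element name
# and the <name> children are assumptions made for this example.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>Office-IPsec</name>
          <enable_local_lan>0</enable_local_lan>
        </connection>
        <connection>
          <name>Lab-IPsec</name>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""

CONNECTION_PATH = "./vpn/ipsecvpn/connections/connection"


def local_lan_state(xml_text):
    """Map each IPsec connection name to its enable_local_lan value.

    A connection without the element maps to None, which is the "line doesn't
    exist" case the thread mentions.
    """
    root = ET.fromstring(xml_text)
    state = {}
    for conn in root.iterfind(CONNECTION_PATH):
        name = conn.findtext("name", default="<unnamed>")
        flag = conn.find("enable_local_lan")
        state[name] = None if flag is None else (flag.text or "").strip()
    return state


def enable_local_lan(xml_text, only=None):
    """Set <enable_local_lan>1</enable_local_lan> on IPsec connections.

    `only` optionally restricts the change to a set of connection names.
    Returns (patched_xml_text, names_of_connections_that_were_changed).
    """
    root = ET.fromstring(xml_text)
    changed = []
    for conn in root.iterfind(CONNECTION_PATH):
        name = conn.findtext("name", default="<unnamed>")
        if only is not None and name not in only:
            continue
        flag = conn.find("enable_local_lan")
        if flag is None:
            # Element missing: add it, as the answer says to do.
            flag = ET.SubElement(conn, "enable_local_lan")
            flag.text = "1"
            changed.append(name)
        elif (flag.text or "").strip() != "1":
            # Element present but 0 (or anything else): flip it to 1.
            flag.text = "1"
            changed.append(name)
    if hasattr(ET, "indent"):  # Python 3.9+: keep the output readable
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode"), changed


def patch_file(src_path, dst_path, only=None):
    """Read an exported config, patch it, write the result; returns changed names."""
    with open(src_path, encoding="utf-8") as f:
        patched, changed = enable_local_lan(f.read(), only=only)
    with open(dst_path, "w", encoding="utf-8") as f:
        f.write(patched)
    return changed


if __name__ == "__main__":
    print("before:", local_lan_state(SAMPLE_CONFIG))
    patched, changed = enable_local_lan(SAMPLE_CONFIG)
    print("changed:", changed)
    print("after:", local_lan_state(patched))
```

Always run local_lan_state on the original export first and keep that file unmodified, so the change can be reverted by restoring it; the serialized output omits the XML declaration, which ElementTree does not preserve. As the answer notes, a server-side setting may still override the client flag, so the only reliable check is the one the thread ends with: restore, restart FC, bring the tunnel up and ping a local host.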
Yes! This works!
I edited the config file as you said, and now I can connect to other hosts in the subnet (but can't connect to hosts in other subnets, but that's fine for me).
Ping, telnet, ssh, etc. work.
Thank you very much! And sorry for my bad English)