We have a requirement from a client for the scenario described below.
We have a firewall located in Country A and one system in Country B which has Internet from a local ISP.
The FortiGate is configured with IPsec VPN in Country A and FortiClient is installed on the Country B system.
When the VPN is connected, Internet and LAN traffic for Country A must come from Country A, and that PC must also communicate with the LAN segment which is in Country B.
We have configured the IPsec VPN with split tunnel and achieved 90% of this requirement: Internet works from Country A and the Country A LAN is also accessible, but after the connection is successfully established we are not able to communicate with the local LAN of Country B.
Kindly give a solution to fulfil this requirement so I am able to access the Internet of Country A and also connect to our local LAN.
Well, obviously this will not work. You have 192.168.1.0/24 overlapped for both the Country A and Country B LANs. This is why you should never use the de facto 192.168.1.0/24 in a serious network.
If you look at the local host route table for 192.168.1.0 255.255.255.0, I bet it points out of the ppp0 interface, or whatever your virtual adapter is labeled as. Can you confirm if this is the case?
PCNSE
NSE
StrongSwan
Sorry, I uploaded the wrong image. The LAN IPs are not the same; they are different. I updated it with a new JPG.
Hi
If both networks have no overlapping networks, I would check the following:
- What IP does the FortiClient receive from the FortiGate after authentication? (ipconfig /all, look at the FortiClient VPN adapter.)
- If the IP received from the FortiGate also does not overlap with your networks on both sites, check routing (FortiClient must be activated and authentication has to be done), which means: what routing does the FortiClient receive (route print all)? On the VPN adapter of the FortiClient you must have either 0.0.0.0, which means route all traffic through the tunnel, or a specific IP range which represents the LAN segment to be reached by the FortiClient.
- If you do not have any route on the FortiClient: did you install the FortiClient with admin rights? If not, uninstall and install again. The admin rights are necessary so that the route entry can be done.
hope this helps
have fun
Andrea
All good points from Andrea (as usual), and I would add a local packet sniffer on the "local LAN users" to see what's happening at layer 2+3 and where your packets are going out of, if any. But I bet you have a local route issue.
Also make sure the network doesn't collide with any virtual adapter like those in VMware Player/Workstation, etc., or other VPN adapters.
PCNSE
NSE
StrongSwan
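The checks Andrea and emnoc describe above (read the address the FortiClient adapter received, dump the route table, and see which interface the Country B LAN prefix is actually routed through) can be scripted. The following is an added example, not code from this thread or from Fortinet: a small Python script that parses a Windows `route print -4` table and applies Windows' route selection (longest prefix first, then lowest metric) to find which adapter will carry traffic to a host on the local LAN, and flags the case where the VPN adapter has captured the local prefix. The addresses used (172.16.10.0/24 for the Country B LAN with the NIC at 172.16.10.50, 10.212.134.200 for the FortiClient adapter, 192.168.100.0/24 for the Country A LAN) and the route table itself are constructed for the example; on a real PC you would paste in the output of `route print -4` and your own prefixes.

```python
import ipaddress
import re

# Constructed sample of "route print -4" output on the Country B PC (not from
# the thread). Assumed layout: physical NIC 172.16.10.50 on the Country B LAN
# 172.16.10.0/24, FortiClient adapter 10.212.134.200, Country A LAN
# 192.168.100.0/24 pushed as a split-tunnel route, default route also pushed
# through the tunnel so Internet exits in Country A. The 172.16.10.0/24 entry
# on the VPN adapter with metric 1 is the fault this script is meant to catch.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.10.1     172.16.10.50     25
          0.0.0.0          0.0.0.0         On-link    10.212.134.200      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      172.16.10.0    255.255.255.0         On-link      172.16.10.50    281
      172.16.10.0    255.255.255.0         On-link    10.212.134.200      1
    192.168.100.0    255.255.255.0         On-link    10.212.134.200      1
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link      172.16.10.50    281
===========================================================================
"""

# One "Active Routes" row: destination, netmask, gateway (IP or On-link),
# interface address, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Turn route print output into a list of route dicts; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": ipaddress.IPv4Address(iface),
            "metric": int(metric),
        })
    return routes


def best_route(routes, dest):
    """Windows selection: longest matching prefix, then lowest metric."""
    dest = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if dest in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def routes_excluding(routes, network, interface):
    """Copy of the table without one (network, interface) entry, to model 'route delete'."""
    network = ipaddress.IPv4Network(network)
    interface = ipaddress.IPv4Address(interface)
    return [r for r in routes
            if not (r["network"] == network and r["interface"] == interface)]


def diagnose_split_tunnel(routes, local_lan, remote_lan, vpn_adapter_ip, probe_host):
    """Report overlap problems and which adapter carries traffic to probe_host (a local LAN host)."""
    local_lan = ipaddress.IPv4Network(local_lan)
    remote_lan = ipaddress.IPv4Network(remote_lan)
    vpn_adapter_ip = ipaddress.IPv4Address(vpn_adapter_ip)
    findings = []
    if local_lan.overlaps(remote_lan):
        findings.append(f"local LAN {local_lan} overlaps remote LAN {remote_lan}")
    if vpn_adapter_ip in local_lan:
        findings.append(f"VPN adapter address {vpn_adapter_ip} lies inside local LAN {local_lan}")
    route = best_route(routes, probe_host)
    egress = str(route["interface"]) if route else None
    hijacked = route is not None and route["interface"] == vpn_adapter_ip
    if hijacked:
        findings.append(f"traffic to {probe_host} leaves via the VPN adapter through {route['network']}")
    return {"local_lan_egress": egress, "local_lan_hijacked": hijacked, "findings": findings}


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    report = diagnose_split_tunnel(table, "172.16.10.0/24", "192.168.100.0/24",
                                   "10.212.134.200", "172.16.10.20")
    for f in report["findings"]:
        print("FINDING:", f)
    print("Internet egress:", best_route(table, "8.8.8.8")["interface"])
```

The sample table deliberately has two 172.16.10.0/24 entries; the one on the VPN adapter wins on metric, so a packet for a Country B host enters the tunnel and is dropped or mis-routed in Country A, which matches the symptom in the first post. Removing that entry (or fixing whatever pushed it: a split-tunnel include that covers the local prefix, or an overlapping subnet at either end) sends the local LAN back out of the physical NIC while the default route still points at Country A.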