I am seeking help with a problem that I cannot understand. One of our staff members has a subnet at home that matches our subnet at work, being 192.168.0.x/24.
Normally I would dismiss this out of hand as likely to cause routing problems and so forth. This user is a QA person and therefore uses a PC, Android device, and iOS device as part of her workflow, to connect to resources in our corporate network.
Using Forticlient on each of these devices, the PC works (despite the overlapping subnet), Android works (despite the overlapping subnet), but iOS does not work.
In the iOS case it is not using the corporate DNS and it is not routing traffic to the corporate LAN.
I know the usual recommendation is to renumber the corporate subnet, but I am also reticent to do that because it is ultimately just a symptomatic fix until we get another conflict.
Any ideas on how to troubleshoot or what settings might be available to assist? We have split tunnelling enabled for VPN users. I tried setting up a different VPN portal for this user and turned off split tunnelling, but that resulted in none of her devices being able to route traffic (although this could be a misconfiguration error on my part).
Try to set a dns-suffix for your internal domain in the VPN settings. Sometimes iOS gets picky if there is no DNS suffix provided:
config vpn ssl settings
set dns-suffix "youdomain.fqdn"
end
Thanks for the idea -- unfortunately we already have DNS suffixes defined.
What about setting up another portal for the user to use that has a backup subnet? You could do it with multiple realms (a different URL) so everyone connects to the main one unless there is a conflict, in which case they can go with the backup portal.
Can you explain this a little further, please? Are you implying that the firewall would do some kind of address translation from the "backup subnet" onto the "real" corporate subnet (and vice-versa)? Do you have any solution for DNS that doesn't require an entirely different DNS server?
Take a look at this guide done by a Fortinet SE:
https://infosecmonkey.com/deploying-ssl-vpns-using-multiple-realms/
You could set up the realm with a different SSL-VPN IP pool that doesn't conflict, and everyone else could use the main one.
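As an added illustration of the multiple-realm approach suggested above (this is not configuration from the thread or from the linked guide), the FortiOS CLI below creates a second realm reachable under its own URL path, a dedicated portal with its own client IP pool, and an authentication rule that maps one user to it. The pool range, the realm, portal, user and address-object names, and the 192.168.0.0/24 corporate destination are constructed for this example; substitute your own values. One caveat worth keeping in mind: the pool only changes the address the client itself receives. If the overlap is between the user's home LAN and the corporate destination subnet, a split-tunnel route for that same /24 will still compete with the client's directly connected route, so the pool change alone does not resolve that case.

```text
# Non-overlapping client address pool for the backup realm (constructed range)
config firewall address
    edit "SSLVPN_POOL_BACKUP"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.134.50
    next
    # Corporate destination pushed as a split-tunnel route (constructed value)
    edit "CORP_LAN"
        set subnet 192.168.0.0 255.255.255.0
    next
end

# Second realm: clients reach it at https://<vpn-host>/backup
config vpn ssl web realm
    edit "backup"
        set url-path "backup"
    next
end

# Portal bound to the backup pool; DNS suffix set here as well as globally
config vpn ssl web portal
    edit "backup-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL_BACKUP"
        set split-tunneling enable
        set split-tunneling-routing-address "CORP_LAN"
        set dns-suffix "yourdomain.fqdn"
    next
end

# Only the affected user lands on the backup realm; everyone else keeps rule 1
config vpn ssl settings
    config authentication-rule
        edit 2
            set users "qa.user"
            set realm "backup"
            set portal "backup-portal"
        next
    end
end
```

A firewall policy from the SSL-VPN interface with "SSLVPN_POOL_BACKUP" as the source address is still required for traffic from the new pool to reach the LAN, exactly as for the existing pool.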
Copyright 2024 Fortinet, Inc. All Rights Reserved.