Hi friends,
perhaps someone can help. I have two FortiGates connected via a site-to-site VPN.
From both networks, Site A and Site B, I can reach the networks.
My dial-up users inform me that they can't reach the Site B network. With their dial-up connection, they are connected to Site A. In my opinion, this is caused by the split tunnel. The policies are correct, I think. I could imagine this is a problem of a missing route, but I am not sure on which side: on the client itself or on the FortiGate?
I think the client doesn't know how to reach the Site B network...
When I do a trace, I can see that no traffic for the Site B network goes through the dial-up tunnel.
Do you have any ideas?
Best regards
Sebastian
The client basically first of all needs to have a route that tells it which way to reach the Site B network. Split tunneling should push routes to the subnets specified there to your client.
However, especially with FortiClient, I ran into several cases where it simply did not do that for specific pairs of FortiClient and FortiOS versions. Mostly it started working again upon updating FortiClient to a new enough version.
So you might ask a user on the dial-up VPN to establish the VPN connection and then send you the output of the cmd command "route print" (on Windows) or "route -n" (on Linux) or "netstat -rn" (on macOS X) and see if it has a route to the Site B subnet with the correct gateway and interface.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
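To make the check sw2090 describes repeatable, here is an added example (not from the original thread or from Fortinet) that parses a pasted Windows "route print" table and reports which expected subnets would not leave via the VPN adapter. The sample table, the subnets 10.10.0.0/16 (Site A) and 10.20.0.0/16 (Site B) and the client's tunnel address 10.212.134.5 are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of a Windows "route print" output,
# as a dial-up user might paste it back. Site A (10.10.0.0/16) has a route
# via the VPN adapter (10.212.134.5); Site B (10.20.0.0/16) has none and
# would fall through to the default route on the home LAN.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.178.1   192.168.178.20     25
        10.10.0.0      255.255.0.0         On-link       10.212.134.5    281
     10.212.134.5  255.255.255.255         On-link       10.212.134.5    281
        127.0.0.0        255.0.0.0         On-link          127.0.0.1    331
    192.168.178.0    255.255.255.0         On-link     192.168.178.20    281
===========================================================================
"""

# One data row: destination, netmask, gateway (IP or "On-link"), interface, metric
_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s*$"
)

def parse_route_print(text):
    """Return a list of (network, gateway, interface) tuples from route print output."""
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # headers, separators and blank lines
        dest, mask, gw, iface = m.groups()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, iface))
    return routes

def route_for(routes, subnet):
    """Longest-prefix match: the table entry that would carry traffic to subnet."""
    target = ipaddress.ip_network(subnet, strict=False)
    best = None
    for net, gw, iface in routes:
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def reaches_via_vpn(routes, subnet, vpn_client_ip):
    """True if the most specific route for subnet leaves via the VPN adapter address."""
    best = route_for(routes, subnet)
    return best is not None and best[2] == vpn_client_ip

def missing_vpn_routes(routes, expected_subnets, vpn_client_ip):
    """Subnets that the client would NOT send through the tunnel (the split-tunnel gap)."""
    return [s for s in expected_subnets if not reaches_via_vpn(routes, s, vpn_client_ip)]
```

If a site's subnet shows up in the missing list, the split-tunnel address list (or, as Debbie notes, the phase 2 selectors) on the FortiGate is the first thing to compare against it.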
Hey Sebastian,
After checking the routing as sw2090 suggested, you could verify what split-tunnel routing addresses you have set in the VPN settings on the FortiGate.
You should also consider:
-> you need a policy from dial-up VPN to site-to-site VPN
-> if you don't apply NAT in this policy, you need to include the dial-up IP range in phase2 selectors, and add appropriate routing and policies on the remote side
Dear Sebastian,
Please take a look at the documentation below for detailed information on how to configure it, and you can compare it with what you have done so far:
Best Regards,
Vasil Dralio
Hi sw2090 and Debbie,
I was able to solve my problem. sw2090, I had the same thought that the client doesn't have the route. That was true; the route wasn't available on the client.
I had forgotten to add the Site B network as an accessible network on the dial-up VPN connection. For that, Debbie's hint about the Phase 2 selector was good.
Thanks to both of you. VPN is sometimes counterintuitive, so it helps to talk about it.
Best regards
Sebastian
Glad we were able to help :)