Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ForgetItNet
Contributor

SSL VPN between 2 Fortinets but can't connect to anything on the "client" side

Hi all,

 

I've setup a 60F router as an SSL client to connect via SSL VPN to our Head Office router (100F) and this works fine from the client side of the network in that I can plug a laptop into the 60F client router and browse to all the network devices I need to on the Head Office side which is great however I can't browse the other way ? I've tried adding static routes to our Head Office router to point to the subnet on the client side but it just will not route through ? I've tried a traceroute and it just times out on all results and the routing table shows that remote/client subnet is in there (192.168.210.0) and shows it as directly connected, ssl root. [1/0] if i leave the static route in so it looks like it know where to send the traffic ?

There is already a Firewall rule at the Head Office to allow data from anything with an SSLVPN Tunnel address through.

Is this going to be a purely routing issue I need to figure out or is there something "special" I need to add as it's a client/subnet BEHIND another router (as opposed to just a laptop using the VPN client on a laptop for example) ?

3 REPLIES 3
knaveenkumar
Staff
Staff

Hi,

 

please check both sides ssl vpn subnets allowed in the policy 

check the routing table details where the source and destination is learning 

get router info routing table details x.x.x.x

 

For better understanding you can run the debug flow and check 

 

 

ForgetItNet
Contributor

Thanks knaveenkumar,

I've got a firewall policy on each side and these are both set to allow all source and all destination (while i test it) so DO you mean the firewall policy with regards to the subnets ?

also the routing table on the head office/server side shows the 192.168.29.0 subnet (which is what the server side router gives the SSL clients) as connected to ssl root and on the client side it shows the 192.168.20.0 subnet (which is the main server side subnet) as also connected to the ssl root so it DOES look like it knows where it all is ?

 

 

 

ForgetItNet
Contributor

I've just done some more packet captures and noticed that the ping from the head office/server router DOES actually get to the client router however it's not coming from the lan IP of the head office router (as i searched for in the previous capture) but it's coming from what looks like our BGP hub IP address of 10.10.10.1 ? We have other sites using iPSEC and they have assigned BGP routes of 10.10.10.x so could this be it as 10.10.10.1 is not in the routing table but if i add it as a static then it still doesn't show up in there ?

Labels
Top Kudoed Authors