Hello,
pretty new to networking so excuse me if my question is basic.
I have the following configuration:
Main site A where a fortigate router/fw is located.
Offsite B where a few VMs with apps are hosted.
Several store sites.
99% of users in the company use the built-in Windows VPN with the RRAS server located on main site A. However, a few users often have issues with the VPN and to avoid constantly troubleshooting it I figured why not use FortiVPN as it is already configured (by the previous MSP). It has IPSec tunnels to the stores and to offsite B; Windows VPN users have no issues connecting to the apps on site B.
So I connect to main site A with FortiVPN and I can access all the resources on site A but I can't ping site B or access anything there. Site A and B are naturally in completely different subnets. FortiVPN users are assigned an IP from a completely unrelated pool (even if I change the IP add Are there any specific things I can troubleshoot?
IPSec tunnel from site A to B is up and running. Firewall policies are in place that allow SSLVPN users to access site B resources from internal interface.
Hello,
Just to confirm, do you have a policy created to allow the other subnet when connecting via SSL VPN tunnel?
Created on 03-16-2022 05:00 AM Edited on 03-16-2022 05:01 AM
Hey,
could you elaborate a bit further what exactly I'd need to check and where please?
I have a Firewall Policy set right now like this:
From: SSL-VPN Tunnel
To: Internal and Site B
Source: all and SSLVPN users
Destination: server on site B
Schedule: always
Service: ALL
Action : Accept
NAT: Disabled
Security profiles: SSL- no inspection
Hi, do you have IPsec proxy IDs configured to include the SSL VPN pool? You can check it in the phase 2 configuration under "local subnet" and "remote subnet".
Do you have the related static routes on both sides for the tunneled networks?
Hi Taske,
Policies to allow traffic between SSL VPN to IPSEC VPN on Site A and to allow traffic from IPSEC VPN to the resource on site B.
Phase 2 selectors for the IPSEC VPN now must include the SSL VPN IP pool.
A route is needed on site B towards site A through IPSEC VPN for the SSL VPN IP pool.
You may collect a flow debug to check where the packet drops:
diagnose debug reset
diagnose debug flow filter addr <SSL VPN tunnel IP of the user>
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
Regards,
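To make the three points above concrete, here is an added FortiOS CLI example for the site A FortiGate; it is not configuration posted by anyone in this thread and not taken from the poster's device. The tunnel interface name "SiteB", the address objects "SSLVPN_TUNNEL_ADDR1" and "SiteB-LAN", the user group "SSLVPN-Users", and the subnets 10.212.134.0/24 (SSL VPN pool) and 192.168.20.0/24 (site B) are assumed placeholders; substitute the real names and ranges from your own configuration.

```fortios
# --- Site A FortiGate (assumed object names and subnets, adjust to your environment) ---

# 1) Phase 2 selector: a second phase 2 on the existing tunnel so that
#    the SSL VPN pool (not just the site A LAN) is covered by the IPsec SA.
#    The remote (site B) peer must have a mirror-image selector, otherwise
#    its phase 2 negotiation for this pair will fail.
config vpn ipsec phase2-interface
    edit "SiteB-SSLVPN"
        set phase1name "SiteB"
        set src-addr-type subnet
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# 2) Firewall policy: SSL VPN tunnel interface -> IPsec tunnel interface.
#    Destination interface is the tunnel itself, not "internal".
#    NAT stays disabled so site B sees the real pool addresses; with NAT
#    enabled the traffic would not match the selector above.
config firewall policy
    edit 0
        set name "SSLVPN-to-SiteB"
        set srcintf "ssl.root"
        set dstintf "SiteB"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SiteB-LAN"
        set groups "SSLVPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# 3) Routing on site A: site B's subnet must point at the tunnel interface
#    (usually already present if the LAN-to-LAN traffic works).
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "SiteB"
    next
end

# 4) Routing on site B (whoever manages that network must add it):
#    the return route for 10.212.134.0/24 must point back through the
#    IPsec tunnel to site A; without it, replies leave via site B's
#    default gateway and the pings above appear to time out.
```

A practical check after applying this: run the flow trace given above with the SSL VPN user's tunnel IP as the filter while pinging a site B host. If the trace shows the packet accepted by the new policy and sent out the "SiteB" interface but no reply ever arrives, the missing piece is on the site B side (selector or return route); if the trace shows a drop with a "no matching IPsec selector" style message, the phase 2 selectors are still not covering the pool.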
I've added the IP pool to the phase 2 selectors.
To clarify, site B is a rented VM cluster where some apps are hosted, so I have no access to the networking segment.
Another source notified me that NAT might be a problem?