Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pxiannie
New Contributor III

Server IP address could not be found for IPsec VPN Remote Access

Hi, I'm trying to remotely access the local LAN using FortiClient. I'm able to connect to the IPsec VPN and ping 192.168.1.1 but cannot ping my server IP address or access the local server. Is there any problem with my settings? My server IP address is also within the Local-LAN range, so why can't I ping my server? Please help.
Screenshot 2024-02-29 162511.png
Screenshot 2024-02-29 162559.png
Regards,


16 REPLIES
abarushka
Staff

Hello,

You may consider collecting a debug flow and a traffic sniffer capture while pinging the unreachable server:

Debug flow:

diagnose debug flow filter daddr <server IP address>
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

Traffic sniffer:

diagnose sniffer packet any 'icmp and host <server IP address>' 4 0 a

FortiGate
pxiannie
New Contributor III

Hi @abarushka ,

I have run the debug flow and traffic sniffer. What does it mean?

Debug flow:
Screenshot 2024-03-07 104505.png
Traffic sniffer:
Screenshot 2024-03-07 104602.png

Regards,

abarushka

Hello,

On the firewall side everything looks good. I can see that firewall policy 7 is matched. The ICMP packet is received (TONY-VPN) and sent out (interface lan). However, the firewall doesn't receive an ICMP reply.

I would recommend checking whether ICMP is filtered (server OS firewall) on the server side.

FortiGate
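The pattern abarushka reads from the sniffer (echo request in on the tunnel interface, out on lan, and no echo reply coming back) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Fortinet. It assumes the line format that "diagnose sniffer packet" prints at verbose level 4 (timestamp, interface, in/out, src -> dst, ICMP type); the interface names TONY-VPN and lan are from the thread, while the server address 192.168.1.10, the client address 10.212.134.200 and the capture lines themselves are constructed for illustration.

```python
import re
from collections import defaultdict

# One line of 'diagnose sniffer packet any "icmp and host X" 4' output, as assumed here:
#   <timestamp> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)"
)


def parse_sniffer(text):
    """Yield one dict per ICMP echo line; the header lines and anything else are skipped."""
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze_ping(text):
    """Return {(client, server): verdict} from which legs of the echo exchange were captured.

    A healthy ping through the FortiGate shows four legs: request in (tunnel), request out
    (lan), reply in (lan), reply out (tunnel). Which leg is missing points at where to look.
    """
    legs = defaultdict(lambda: {"req_in": 0, "req_out": 0, "rep_in": 0, "rep_out": 0})
    for p in parse_sniffer(text):
        if p["kind"] == "request":
            key = (p["src"], p["dst"])                     # client -> server
            legs[key]["req_in" if p["dir"] == "in" else "req_out"] += 1
        else:
            key = (p["dst"], p["src"])                     # reply is server -> client; index by client
            legs[key]["rep_in" if p["dir"] == "in" else "rep_out"] += 1

    verdicts = {}
    for key, c in legs.items():
        if c["req_in"] and not c["req_out"]:
            verdicts[key] = "request not forwarded: check FortiGate policy/route"
        elif c["req_out"] and not c["rep_in"]:
            verdicts[key] = "no reply from server: check host firewall / server routing"
        elif c["rep_in"] and not c["rep_out"]:
            verdicts[key] = "reply dropped on FortiGate: check return policy/route"
        else:
            verdicts[key] = "ok"
    return verdicts


# Constructed sample capture (not the thread's screenshots): VPN client 10.212.134.200
# pings server 192.168.1.10; requests are forwarded to lan but nothing comes back.
SAMPLE_NO_REPLY = """\
interfaces=[any]
filters=[icmp and host 192.168.1.10]
2.123456 TONY-VPN in 10.212.134.200 -> 192.168.1.10: icmp: echo request
2.123512 lan out 10.212.134.200 -> 192.168.1.10: icmp: echo request
3.125001 TONY-VPN in 10.212.134.200 -> 192.168.1.10: icmp: echo request
3.125060 lan out 10.212.134.200 -> 192.168.1.10: icmp: echo request
"""

# Same capture with the reply legs present, i.e. what a working ping looks like.
SAMPLE_OK = SAMPLE_NO_REPLY + """\
3.126100 lan in 192.168.1.10 -> 10.212.134.200: icmp: echo reply
3.126150 TONY-VPN out 192.168.1.10 -> 10.212.134.200: icmp: echo reply
"""

if __name__ == "__main__":
    for name, capture in (("no reply", SAMPLE_NO_REPLY), ("healthy", SAMPLE_OK)):
        for (client, server), verdict in analyze_ping(capture).items():
            print(f"{name}: {client} -> {server}: {verdict}")
```

Pipe a real capture into analyze_ping instead of the constructed strings; the "no reply from server" verdict is exactly the situation in this thread, and the other two verdicts cover the cases where the FortiGate itself is the one dropping a leg.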
pxiannie
New Contributor III

Hi @abarushka ,

I'm able to ping my server IP address after enabling NAT on all the policies, but I'm still not able to ping my server name. If I can ping the server IP address, that means ICMP is not filtered on the server side, right?

Regards,

ebilcari
Staff

Is the server IP part of the subnet 192.168.1.x, and does it use .1 as the gateway (or as a next hop in a route to reach the VPN subnet)? Check also the firewall of the server, in case it has any specific rule that allows or blocks based on source IP. If NAT is not enabled on the policy, the requests will be sourced from the IP of the VPN client.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
pxiannie
New Contributor III

Hi @ebilcari ,

Yes, the server IP is part of the subnet 192.168.1.x, and 192.168.1.1 is the default gateway, used to access the GUI of the Fortinet firewall. I think the server's firewall only allows access from the local LAN subnet; does it mean that I need to enable NAT on all the firewall policies?

Regards,

ebilcari

From a security perspective it is not recommended, because the source IP of the client will be hidden from the server, but if that is the only way, you can configure the policy to NAT the client requests with the IP of the FGT, 192.168.1.1.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
pxiannie
New Contributor III

Hi @ebilcari ,


I'm able to ping my server IP address after enabling NAT on all the policies, but I'm still not able to ping the server name. As my LAN-to-SDWAN policy was originally set with NAT enabled, I could only modify the other policies. But I found that if NAT is disabled on one of the policies, then the server IP can no longer be pinged; is that correct?

Regards,

ebilcari

In order to ping by name, a DNS server must be able to resolve the name into the IP of the server. This is not related to network reachability or NAT-ing the traffic; most probably the different network segments use their own DNS servers.

If the server firewall will accept connections only from the subnet 192.168.1.x and that can't be changed, then the only possible way of communication is to source NAT the requests with the FGT IP.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.