Hi,
We have a vpn site with a Fortigate 60F. We want to share folders and access to applications between some users connected by vpnssl. We added a rule that all clients connected to net VPNSSL_NET, network vpn, have access to same network in all servicies. But when we do, for a example, a ping between clients connected by vpn, it fails.
Do you know how to do to access to shared resources?
Thank you,
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
First, check the firewall policy, in and out interface should be ssl.vdomname interface.
Seconds, disable client built in firewall, ex: windows firewall (pub/priv), UFW (linux).
Hi,
I think that it is how we have and it doesn't works.
Thank you,
Try pinging your VPN client ip from fortigate, if doesn't work, check vpnclient firewall status (windows firewall or UFW), it should be turn off. Try disable NAT as well.
Two things I can think of that would prevent this even the vpn-vpn policy is in place:
1. No route on the FGT for client IPs(subnet)
2. Client IPs are NATed by the policy (the image is cut off before the NAT portion).
Try pinging a client from the FGT while running sniffing and then flow debug. For flow debug you might need to ping from a LAN connected device.
Toshi
Hi,
If we disable Nat in that rule, nothing changes. How we ping from the Fortigate?
Thank you,
From CLI, "exe ping <client_IP>".
But do you have static route for the super-net of all client IPs toward ssl.root interface? If you're using the default range SSLVPN_TUNNEL_ADDR1=10.212.134.200 - 210, at least you need to have a route for 10.212.134.192/28 to ssl.root.
I would remove NAT since I assume you never configured IP for ssl.root interface so if it's NAT(SNAT)ed, I'm not sure what source IP the FGT picks for those packets between clients. Without NAT, everything is between source client IP and destination client IP. So you can set filters for your sniffing to observe ping traffic.
@Toshi_EsumiI think, NAT on unnumbered interfaces just does not NAT at all. I'll have to check that but I'm quite sure I've seen that happen on a VPN link.
Thanks Ede. I should have tested it while sniffing to see the effect of NAT.
Toshi
and I should be sure from what I've seen debugging this week. Which address should NAT use anyway if 'use interface address' is selected and there is no IF address assigned? The most reasonable choice IMHO would be not to use any address at all in this case.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.