Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Iñaki
New Contributor

Share resources between vpn client

Hi,

 

We have a vpn site with a Fortigate 60F. We want to share folders and access to applications between some users connected by vpnssl. We added a rule that all clients connected to net VPNSSL_NET, network vpn, have access to same network in all servicies. But when we do, for a example, a ping between clients connected by vpn, it fails.

Do you know how to do to access to shared resources?

 

Thank you,

 

I
I
12 REPLIES 12
fiesta
New Contributor III

Hi,

 

First, check the firewall policy, in and out interface should be ssl.vdomname interface.
Seconds, disable client built in firewall, ex: windows firewall (pub/priv), UFW (linux).

FWD~
FWD~
Iñaki
New Contributor

Hi,

 

I think that it is how we have and it doesn't works.

Iaki_0-1645047288725.png

Thank you,

I
I
fiesta
New Contributor III

Try pinging your VPN client ip from fortigate, if doesn't work, check vpnclient firewall status (windows firewall or UFW), it should be turn off. Try disable NAT as well.

 

FWD~
FWD~
Toshi_Esumi
SuperUser
SuperUser

Two things I can think of that would prevent this even the vpn-vpn policy is in place:

1. No route on the FGT for client IPs(subnet)

2. Client IPs are NATed by the policy (the image is cut off before the NAT portion).

 

Try pinging a client from the FGT while running sniffing and then flow debug. For flow debug you might need to ping from a LAN connected device.

 

Toshi

Iñaki
New Contributor

Hi,

 

If we disable Nat in that rule, nothing changes. How we ping from the Fortigate?

 

Thank you,

 

I
I
Toshi_Esumi
SuperUser
SuperUser

From CLI, "exe ping <client_IP>".

But do you have static route for the super-net of all client IPs toward ssl.root interface? If you're using the default range SSLVPN_TUNNEL_ADDR1=10.212.134.200 - 210, at least you need to have a route for 10.212.134.192/28 to ssl.root.

 

I would remove NAT since I assume you never configured IP for ssl.root interface so if it's NAT(SNAT)ed, I'm not sure what source IP the FGT picks for those packets between clients. Without NAT, everything is between source client IP and destination client IP. So you can set filters for your sniffing to observe ping traffic.

ede_pfau
SuperUser
SuperUser

@Toshi_EsumiI think, NAT on unnumbered interfaces just does not NAT at all. I'll have to check that but I'm quite sure I've seen that happen on a VPN link.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Toshi_Esumi

Thanks Ede. I should have tested it while sniffing to see the effect of NAT.

 

Toshi

ede_pfau
SuperUser
SuperUser

and I should be sure from what I've seen debugging this week. Which address should NAT use anyway if 'use interface address' is selected and there is no IF address assigned? The most reasonable choice IMHO would be not to use any address at all in this case.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Labels
Top Kudoed Authors