Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Site to Site VPN combined with VPN client
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site to Site VPN combined with VPN client
Hi, I do not know if anyone has tried this or that I'm implementing this wrong;
I have a customer with 2 sites with 2 Fortigates, connected with a site-to-site IPSec VPN connection.
At the office:
At site A i have a Domain Controller, users can access data on site B, everyone at the office is happy
At site B i have a Domain Controller, users can access data on site A, everyone at the office is happy
Now users who are outside the buildings:
What we want is that a user connects remotely to site A (using the VPN Client on a Windows system) can access data at site B.
For now they disconnect site A and connect to site B, but can this be done without this step?
I hope you understand what I mean by this?
I've already searched these forums in hope to find anyone with the same setup but am not able to find any cases..
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Harry - I also have a very similar (almost exact) issue as what you are describing. Site A, B, C are setup as a Hub/Spoke VPN configuration (I believe) - Site-A being the Hub and Site B & C are the Spokes. FortiClients remote into Site-A. These FortiClients can access resources (Servers) in Site-A as well as Site-B, however, they can NOT currently access the resources in Site-C. So, what you are trying to do, is done in this network. However, I need to also have these users be able to access the Server in Site-C. This issue only occurs with my Remote (FortiClient) users. The local users (on the LAN segment) at Site-A and Site-B can access the Server in Site-C.
I am currently, trying to figure this out for my client as well. I am currently trying to understand the behavior when the FortiClient remotes into each site, before I take any action. The FortiClients are on a different IP subnet (ex: 172.16.x.y/24) from the Internal/LAN employees (192.168.x.y/24) , so I will need to debug on how the "good" case works (find out which policies are being used) and apply similar policies/routes at Site-C and Site-A... at least this is my approach to finding out how it works between Site-A and Site-B. I will continue to monitor and post if I find anything. Good luck.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
side a and side b must have static route to each other and to the vpn subnet (on side b with FGT on side a as gw).
Then you need policies to allow the traffic.
I'd also recommend to enable split tunneling on the dial in vpn because without the complete interet traffic of the client will go through side a.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sw2090 - Thanks for your insight on this issue. I have reviewed my configuration and I believe you are correct regarding a return route back to the Remote VPN subnet. I have identified that I don't have a static route at site-C, so I will implement that tonight or tomorrow and post the results. Again thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sw2090 - Yes, you nailed it. Create static route; create FW policies and all is working as expected. Thanks! Gave you 5-kudos!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ernest_louie,
Glad you got your config working.
I have exactly the same issue as you did:
Site A to Site B have a permanent vpn tunnel that is working both ways.
I have dialUP IPSec VPN tunnel with it's own subnet set-up on Site A FG that is allowing access to the LAN at site A and this is working fine. The associated policy for this has NAT enabled.
I also need users to also be able to access site B LAN via this dialUP VPN, but this is not working.
On site A FG, I have added:
- Static route to route traffic for dialUP VPN subnet to be routed to the dialup VPN Tunnel interface.
- Policy from dialUP VPN interface to Tunnel interface between site A and B with NAT enabled.
- Policy from Site A to B Tunnel interface to dialUP VPN interface with NAT enabled.
On site B FG:
-Static route to route traffic for dialUP VPN subnet to be routed through the VPN Tunnel interface between site A and B.
-Policy from Tunnel interface between site A and B to LAN with NAT enabled for the dialUP VPN subnet.
-Policy from LAN interface to Tunnel interface between site A and B with NAT enabled for the dialUP VPN subnet.
What am I missing or need to change?
I would be really grateful if you would please direct me to how I can get this working like your scenario.
Thanks in advance.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi it@towpt.com
We'll take it step by step:
1. On Site-A, can you do this and post you Site-A's configuration? From CLI, type...for example. Remember your IPSec VPN interface may have a different name. (if you don't know, then after the "config system interface" cmd, the next cmd you can type is "show" and hit Enter key to display all your interfaces:
FGT# config system interface
FGT (interface)# edit IPSec_VPN
FGT (IPSec_VPN) # show
config system interface
edit "IPSec_VPN"
set vdom "root"
set ip 169.254.1.1 255.255.255.255
set allowaccess fabric
set type tunnel
set remote-ip 169.254.1.1 255.255.255.255
set snmp-index 4
set interface "wan1"
next
end
NOTE: You may not have all the parameters as I have, and they may be different...
That is OK... I just want to understand what you have, so I can try to help.
- Ernie
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ernest_louie,
Thank you so much for taking the time to reply!
The output I get is :
For the Site to Site (A-B) VPN:
config system interface edit "SiteA-SiteB" set vdom "root" set type tunnel set snmp-index 17 set interface "wan1" next end
For the Dialup:
edit "IPS-VPN_DU" set vdom "root" set ip 169.254.1.4 255.255.255.255 set allowaccess fabric set type tunnel set remote-ip 169.254.1.4 255.255.255.255 set snmp-index 22 set interface "wan1" next
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also have the same problem, I tried many ways to route but it still doesn't work, maybe I'm not doing it right can anyone help me.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in the static route:
destination: 0.0.0.0/0.0.0.0
gateway: 0.0.0.0
interface: tunnel vpn site to site
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiEMS and AutoConnect/AlwaysUP 34 Views
- Remove auto save feature on the... 59 Views
- SSLVPN on VDOM 394 Views
- Custom DNS is not working with... 213 Views
- Client Windows Remove DHCP due to... 57 Views
Labels
-
FortiGate
8,463 -
FortiClient
1,712 -
5.2
801 -
FortiManager
710 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
219 -
FortiWeb
199 -
5.0
196 -
IPsec
185 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
32 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1073 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.