Hi, I do not know if anyone has tried this, or whether I'm implementing this wrong;
I have a customer with 2 sites with 2 Fortigates, connected with a site-to-site IPSec VPN connection.
At the office:
At site A I have a Domain Controller, users can access data on site B, everyone at the office is happy.
At site B I have a Domain Controller, users can access data on site A, everyone at the office is happy.
Now users who are outside the buildings:
What we want is that a user who connects remotely to site A (using the VPN Client on a Windows system) can access data at site B.
For now they disconnect site A and connect to site B, but can this be done without this step?
I hope you understand what I mean by this?
I've already searched these forums in the hope of finding anyone with the same setup, but I am not able to find any cases.
Hi Harry - I also have a very similar (almost exact) issue to what you are describing. Site A, B, C are set up as a Hub/Spoke VPN configuration (I believe) - Site-A being the Hub and Site B & C are the Spokes. FortiClients remote into Site-A. These FortiClients can access resources (Servers) in Site-A as well as Site-B; however, they can NOT currently access the resources in Site-C. So, what you are trying to do is done in this network. However, I need to also have these users be able to access the Server in Site-C. This issue only occurs with my Remote (FortiClient) users. The local users (on the LAN segment) at Site-A and Site-B can access the Server in Site-C.
I am currently trying to figure this out for my client as well. I am currently trying to understand the behavior when the FortiClient remotes into each site, before I take any action. The FortiClients are on a different IP subnet (ex: 172.16.x.y/24) from the Internal/LAN employees (192.168.x.y/24), so I will need to debug how the "good" case works (find out which policies are being used) and apply similar policies/routes at Site-C and Site-A... at least this is my approach to finding out how it works between Site-A and Site-B. I will continue to monitor and post if I find anything. Good luck.
Site A and site B must have static routes to each other and to the VPN subnet (on site B with the FGT on site A as gateway).
Then you need policies to allow the traffic.
I'd also recommend enabling split tunneling on the dial-in VPN, because without it the complete internet traffic of the client will go through site A.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi sw2090 - Thanks for your insight on this issue. I have reviewed my configuration and I believe you are correct regarding a return route back to the Remote VPN subnet. I have identified that I don't have a static route at site-C, so I will implement that tonight or tomorrow and post the results. Again thanks!
Hi sw2090 - Yes, you nailed it. Create static route; create FW policies and all is working as expected. Thanks! Gave you 5 kudos!
Hi @ernest_louie,
Glad you got your config working.
I have exactly the same issue as you did:
Site A to Site B have a permanent vpn tunnel that is working both ways.
I have a dialUP IPSec VPN tunnel with its own subnet set up on the Site A FG that is allowing access to the LAN at site A, and this is working fine. The associated policy for this has NAT enabled.
I also need users to be able to access the site B LAN via this dialUP VPN, but this is not working.
On site A FG, I have added:
- Static route to route traffic for the dialUP VPN subnet to the dialup VPN Tunnel interface.
- Policy from dialUP VPN interface to Tunnel interface between site A and B, with NAT enabled.
- Policy from Site A to B Tunnel interface to dialUP VPN interface, with NAT enabled.
On site B FG:
- Static route to route traffic for the dialUP VPN subnet through the VPN Tunnel interface between site A and B.
- Policy from Tunnel interface between site A and B to LAN, with NAT enabled for the dialUP VPN subnet.
- Policy from LAN interface to Tunnel interface between site A and B, with NAT enabled for the dialUP VPN subnet.
What am I missing or need to change?
I would be really grateful if you would please direct me to how I can get this working like your scenario.
Thanks in advance.
Hi @ernest_louie,
Thank you so much for taking the time to reply!
The output I get is:
For the Site to Site (A-B) VPN:
config system interface
    edit "SiteA-SiteB"
        set vdom "root"
        set type tunnel
        set snmp-index 17
        set interface "wan1"
    next
end
For the Dialup:
    edit "IPS-VPN_DU"
        set vdom "root"
        set ip 169.254.1.4 255.255.255.255
        set allowaccess fabric
        set type tunnel
        set remote-ip 169.254.1.4 255.255.255.255
        set snmp-index 22
        set interface "wan1"
    next
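A worked FortiOS CLI rendering of sw2090's recipe (static routes in both directions, policies, no NAT, split tunnel) using the tunnel interface names from the output above; this is an added example, not configuration posted by anyone in the thread. It is the no-NAT variant of the route/policy list in the earlier post, so site B must know the way back to the dialup pool. Assumed: dialup pool 172.16.10.0/24 and site B LAN 192.168.20.0/24 (constructed values), address objects DIALUP_NET and SITEB_LAN and the group SPLIT_NETS already defined on both units, mode-config enabled on the dialup phase 1, site B's tunnel interface named SiteB-SiteA and its LAN port named internal, and site-to-site phase 2 selectors wide enough to carry the dialup subnet.

```fortios
# --- Site A FortiGate (hub), where the dialup clients terminate ---
config router static
    edit 0                         # dialup pool lives on the dialup tunnel interface
        set dst 172.16.10.0 255.255.255.0
        set device "IPS-VPN_DU"
    next
    edit 0                         # site B LAN is reached through the site-to-site tunnel
        set dst 192.168.20.0 255.255.255.0
        set device "SiteA-SiteB"
    next
end
config firewall policy
    edit 0                         # dialup -> site B; NAT off so site B sees 172.16.10.x
        set name "dialup-to-siteB"
        set srcintf "IPS-VPN_DU"
        set dstintf "SiteA-SiteB"
        set srcaddr "DIALUP_NET"
        set dstaddr "SITEB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
config vpn ipsec phase1-interface
    edit "IPS-VPN_DU"              # split tunnel: push only the two LAN prefixes to the client
        set ipv4-split-include "SPLIT_NETS"
    next
end
# --- Site B FortiGate (spoke): return path for the dialup pool ---
config router static
    edit 0                         # without this, replies to 172.16.10.x take the default route
        set dst 172.16.10.0 255.255.255.0
        set device "SiteB-SiteA"   # assumed name of site B's tunnel interface to site A
    next
end
config firewall policy
    edit 0                         # traffic arriving from site A's tunnel toward the local LAN
        set name "dialup-via-siteA-to-lan"
        set srcintf "SiteB-SiteA"
        set dstintf "internal"     # assumed LAN interface name
        set srcaddr "DIALUP_NET"
        set dstaddr "SITEB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The policies are stateful, so only the client-initiated direction needs a rule at each site; if the phase 2 selectors on the A-B tunnel are narrower than 0.0.0.0/0, the 172.16.10.0/24 prefix must be added to them or the traffic will never be encrypted into the tunnel.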
I also have the same problem. I tried many ways to route, but it still doesn't work; maybe I'm not doing it right. Can anyone help me?
In the static route:
destination: 0.0.0.0/0.0.0.0
gateway: 0.0.0.0
interface: tunnel vpn site to site