Hi Harry - I also have a very similar (almost exact) issue as what you are describing. Sites A, B, C are set up as a Hub/Spoke VPN configuration (I believe) - Site-A being the Hub and Sites B & C the Spokes. FortiClients remote into Site-A. These FortiClients can access resources (Servers) in Site-A as well as Site-B; however, they can NOT currently access the resources in Site-C. So, what you are trying to do is done in this network. However, I need to also have these users be able to access the Server in Site-C. This issue only occurs with my Remote (FortiClient) users. The local users (on the LAN segment) at Site-A and Site-B can access the Server in Site-C.
I am currently trying to figure this out for my client as well. I am currently trying to understand the behavior when the FortiClient remotes into each site, before I take any action. The FortiClients are on a different IP subnet (ex: 172.16.x.y/24) from the Internal/LAN employees (192.168.x.y/24), so I will need to debug how the "good" case works (find out which policies are being used) and apply similar policies/routes at Site-C and Site-A... at least this is my approach to finding out how it works between Site-A and Site-B. I will continue to monitor and post if I find anything. Good luck.
Hi sw2090 - Thanks for your insight on this issue. I have reviewed my configuration and I believe you are correct regarding a return route back to the Remote VPN subnet. I have identified that I don't have a static route at Site-C, so I will implement that tonight or tomorrow and post the results. Again, thanks!
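The return route sw2090 pointed to is only one of three things the spoke and the hub each need before traffic from the remote-client subnet can cross the hub-to-spoke tunnel and come back. The following FortiOS CLI fragment is an added example, not configuration taken from this thread or from Fortinet documentation; every name and address in it is an assumption (tunnel interface "to_SiteA" / "to_SiteC", remote-client subnet 172.16.10.0/24, Site-C LAN 192.168.30.0/24, LAN interface "internal") and must be replaced with the values from your own units.

```fortios
# ===== Site-C (spoke) =====
# Assumed: tunnel to the hub is "to_SiteA", LAN is "internal",
# FortiClient pool is 172.16.10.0/24, Site-C LAN is 192.168.30.0/24.
config firewall address
    edit "FortiClient_Subnet"
        set subnet 172.16.10.0 255.255.255.0
    next
    edit "SiteC_LAN"
        set subnet 192.168.30.0 255.255.255.0
    next
end

# 1. Return route: without this, the server's replies to 172.16.10.x
#    follow the default route out wan1 instead of going back into the tunnel.
config router static
    edit 0
        set dst 172.16.10.0 255.255.255.0
        set device "to_SiteA"
        set comment "Return route for FortiClient users dialing into Site-A"
    next
end

# 2. Policy: traffic arriving from the tunnel must be explicitly allowed
#    into the LAN; log it so the debug flow / forward-traffic log shows the hit.
config firewall policy
    edit 0
        set name "VPNclients_via_SiteA_to_LAN"
        set srcintf "to_SiteA"
        set dstintf "internal"
        set srcaddr "FortiClient_Subnet"
        set dstaddr "SiteC_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 3. Phase-2 selectors: if the tunnel is NOT 0.0.0.0/0 <-> 0.0.0.0/0, the
#    client subnet must be covered on BOTH ends or the SA will never match it.
config vpn ipsec phase2-interface
    edit "to_SiteA_p2_clients"
        set phase1name "to_SiteA"
        set src-subnet 192.168.30.0 255.255.255.0
        set dst-subnet 172.16.10.0 255.255.255.0
    next
end

# ===== Site-A (hub) =====
# Assumed: SSL-VPN clients land on "ssl.root"; the tunnel to the spoke is "to_SiteC".
config firewall policy
    edit 0
        set name "SSLVPN_clients_to_SiteC"
        set srcintf "ssl.root"
        set dstintf "to_SiteC"
        set srcaddr "FortiClient_Subnet"
        set dstaddr "SiteC_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# The hub also needs the mirror-image phase-2 selector
# (src 172.16.10.0/24 -> dst 192.168.30.0/24) on its "to_SiteC" phase1.
```

To confirm which leg drops the traffic, run `diagnose debug flow filter addr 192.168.30.10` (assumed server address), `diagnose debug flow trace start 10`, `diagnose debug enable` on Site-C while a client pings the server: a "reverse path check fail" message means the return route is still missing, while "denied by forward policy" means the policy or selectors above are not matching. `get router info routing-table all` should show the 172.16.10.0/24 entry on "to_SiteA" once the static route is in place.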
We'll take it step by step:
1. On Site-A, can you do this and post your Site-A's configuration? From the CLI, type the following, for example. Remember your IPsec VPN interface may have a different name (if you don't know it, then after the "config system interface" cmd, the next cmd you can type is "show"; hit the Enter key to display all your interfaces):
FGT # config system interface
FGT (interface) # edit IPSec_VPN
FGT (IPSec_VPN) # show
config system interface
    edit "IPSec_VPN"
        set vdom "root"
        set ip 169.254.1.1 255.255.255.255
        set allowaccess fabric
        set type tunnel
        set remote-ip 169.254.1.1 255.255.255.255
        set snmp-index 4
        set interface "wan1"
    next
end
NOTE: You may not have all the parameters as I have, and they may be different...
That is OK... I just want to understand what you have, so I can try to help.