Dear People,
Nice Sunday first :-)
I added a picture to explain the behaviour better.
I want to connect with a FortiClient to FG1 to reach its network and reach the network from FG2 too.
FG1 and FG2 have site-to-site VPN connections.
I can ping only the FG1 networks and cannot reach the FG2 networks, like the network 192.168.4.0/24 in the picture.
Is it possible to reach other networks with a FortiClient over a VPN connection or not?
Phase 2 on all FGs and the FortiClient network are entered as 0.0.0.0/0.0.0.0.
In the FortiClient VPN connection both networks (192.168.4.0 and 192.168.5.0) are entered.
In FG1 there is a policy:
incoming: FortiClientVPN
outgoing: internal, VPN connection to FG2
incoming network: all
outgoing network: 192.168.4.0 and 192.168.5.0
Split tunneling is activated
Thanks in advance
Dear Kaplan,
You can check the article below if you have dial-up VPN users that want to reach a local subnet through S2S VPN:
Best Regards,
Vasil Dralio
It is possible even with IPsec FortiClient VPN. You just need policies on both FGTs to allow the traffic, and probably routing back to the VPN.
And you should enable split tunneling to have the FortiClient push a route to those subnets to the client. It would work without it too, but then ALL your traffic would go through the tunnel.
So in your case that would mean:
The dial-up VPN on the 192.168.5.0 FGT should have split tunneling enabled with 192.168.5.0/24 and 192.168.4.0/24 as subnets (and p2 selectors set to 0.0.0.0/0.0.0.0).
This FGT then must have a route to 192.168.4.0/24 and a policy allowing traffic coming from the VPN to flow to 192.168.4.0/24.
The FGT in 192.168.4.0 has to have a policy that allows traffic coming from the VPN via the 192.168.5.0 FGT to flow to 192.168.4.0. Also it has to have a route back to the VPN net, because without it you will never get an answer to your packets :)
With all that set it should work.
You do not need reverse policies on both FGTs as long as you don't want to be able to connect to a VPN client from inside 192.168.5.0/24 or 192.168.4.0/24.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
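The following FortiOS CLI sketch is an added example of the four pieces SW2090 lists (split-tunnel subnets on the dial-up phase1, wide-open phase2 selectors, forward policy and route on FG1, return policy and route on FG2). It is not configuration from the thread or from Fortinet's documentation. Assumed names: the site-to-site tunnel interfaces "S2S_to_FG2" / "S2S_to_FG1", the address objects, and the FortiClient address pool 192.168.250.0/24 (inferred from the sniffer host Kaplan mentions later; pick your own pool). "FortiClientVPN" and "internal" are the interface names Kaplan already uses.

```text
# ===== FG1 (LAN 192.168.5.0/24, terminates the FortiClient dial-up VPN) =====
config firewall address
    edit "LAN_FG1_192.168.5.0"
        set subnet 192.168.5.0 255.255.255.0
    next
    edit "LAN_FG2_192.168.4.0"
        set subnet 192.168.4.0 255.255.255.0
    next
    edit "FortiClient_pool"              # assumed dial-up address pool
        set subnet 192.168.250.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "FortiClient_split_subnets"     # what the client gets as split-tunnel routes
        set member "LAN_FG1_192.168.5.0" "LAN_FG2_192.168.4.0"
    next
end
config vpn ipsec phase1-interface
    edit "FortiClientVPN"                # dial-up phase1; other settings left as you have them
        set mode-cfg enable              # required for the client to receive split-tunnel routes
        set ipv4-start-ip 192.168.250.1
        set ipv4-end-ip 192.168.250.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "FortiClient_split_subnets"
    next
end
config vpn ipsec phase2-interface
    edit "S2S_to_FG2_p2"                 # site-to-site phase2, selectors 0.0.0.0/0 as in the thread
        set phase1name "S2S_to_FG2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    edit 0                               # FG1 must know 192.168.4.0/24 lives behind the S2S tunnel
        set dst 192.168.4.0 255.255.255.0
        set device "S2S_to_FG2"
    next
end
config firewall policy
    edit 0                               # dial-up clients -> FG2 LAN via the S2S tunnel, no NAT
        set name "FortiClient_to_FG2_LAN"
        set srcintf "FortiClientVPN"
        set dstintf "S2S_to_FG2"
        set srcaddr "FortiClient_pool"
        set dstaddr "LAN_FG2_192.168.4.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ===== FG2 (LAN 192.168.4.0/24) =====
config firewall address
    edit "LAN_FG2_192.168.4.0"
        set subnet 192.168.4.0 255.255.255.0
    next
    edit "FortiClient_pool"
        set subnet 192.168.250.0 255.255.255.0
    next
end
config router static
    edit 0                               # return route: replies to the client pool go back over the tunnel
        set dst 192.168.250.0 255.255.255.0
        set device "S2S_to_FG1"
    next
end
config firewall policy
    edit 0                               # traffic arriving from FG1's tunnel, sourced from the client pool
        set name "FortiClient_via_FG1_to_LAN"
        set srcintf "S2S_to_FG1"
        set dstintf "internal"
        set srcaddr "FortiClient_pool"
        set dstaddr "LAN_FG2_192.168.4.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The two `nat disable` lines are the defaults, spelled out because they matter: with source NAT on FG1's outbound policy the return route on FG2 would become unnecessary, but FG2 would then see every client as FG1's tunnel address and could no longer distinguish them in policies or logs. Keeping NAT off preserves the real client source and is exactly why the return route on FG2 is required, as SW2090 notes.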
Dear Kaplan,
Wish you also a nice Sunday :)
Yes, it is possible to access the local network from SSLVPN going through S2S VPN.
Please check the article below:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn
Best Regards,
Vasil Dralio
Dear Vasil,
Thanks for this link. I will check it. The first thing I see is that this FortiClient is configured over SSL. My FortiClient is configured over IPsec. Must I connect over SSL VPN with the FortiClient, or does it not depend on SSL VPN or IPsec VPN?
Dear SW2090,
Thanks for your post.
I already had the IPsec connection between the 2 FGTs with the p2 selectors set to 0.0.0.0/32. Only the policies and the back routes to the FortiClient IP were not ready.
So it works.
Only one thing is mysterious to me.
If I use sniffing on the FG, I see the incoming host (with the FortiClient IP), but only for a few packets, and then there is no flow to see in a sniff like dia sys snif pack any 'host 192.168.250.5' 4 0 a
Best wishes
Copyright 2025 Fortinet, Inc. All Rights Reserved.