Al3x
New Contributor

Traffic Routing from Forticlient to remote site to site VPN

Hi, I'm new to the community.

 

I've done a lot of research but I can't find a solution for my case: I want to know how to give access from a FortiClient to the remote site LAN through the site-to-site IPsec VPN tunnel.

 

I have 2 sites with dual WAN, but set as link failover: so if WAN2 goes down, then WAN1 will be used.

Here is what I want to do: [FortiClient range: 10.0.0.1-10.0.1.1] => Site A AND Site B

 

[Site A LAN 10.50.0.0/26] ========[Site-to-site VPN (wizard)] =======[Site B: LAN 10.51.0.0/26]

 

If I'm on Site A I can reach the 10.51.0.0/26 network thanks to the site-to-site VPN, and vice versa on Site B.

 

When I'm in remote mode using FortiClient VPN on my laptop computer, I can access 10.50.0.0/26 but I can't access 10.51.0.0/26.

- I've done some tests using IPv4 policies on both sites but nothing works; I can see some packets going through the IPv4 rules I've made, but I can't ping the server that's on the 10.51.0.1 IP.

- I'm not using SSL VPN with FortiClient, and I'm using split VPN for the FCLs.

- I've tried using routes, but it did nothing.

 

Do you have any ideas?

 

I'm using FortiOS v5.2.15 on a 100D and a 200D.

 

Markus
Valued Contributor

Hi, and welcome to the Forums. Have you created a route in site B back to the SSL VPN range? Or you can enable NAT on the policy from site A to site B.


________________________________________________________
--- NSE 4 ---
________________________________________________________

Al3x
New Contributor

Hi, thanks for your reply,

 

I tried to add some routes from the FortiClient VPN to the site-to-site VPN (using policy routing, because the FortiClient VPN doesn't show up when trying to add a static route), but it does not work.

 

I gave an IP to my FortiClient VPN interface, which is 10.200.200.200/255.255.255.255. I tried to ping from this interface to the site B VPN, but it does not ping, whether I try NAT mode or not on the 2 firewalls.

 

I'm connecting remotely to SITE A using FortiClient in IPsec VPN mode, not SSL VPN mode; maybe the problem comes from this parameter?

 

Alexandre

ZPM
New Contributor

Also make sure you have a firewall policy in place allowing your source VPN network to talk to the destination site-B network.

ZPM
New Contributor

Make sure on Site-B you're allowing your FortiClient subnet in your site-to-site configuration. Then adjust your firewall policies to allow it.

sw2090
Honored Contributor

You basically need these things:

 

Your client that runs FortiClient for the dial-up tunnel must have a route to the remote subnets it should be able to reach, with the peer (= FGT) in the VPN as gateway. In IPsec this can be done using mode config.

The FGT the VPN connects to needs to know a route to these remote subnets, plus it needs to have a policy that allows that traffic.

The other FGT (remote end of the S2S tunnel) must have a route back to your dial-in VPN subnet, plus a policy that allows traffic coming from your dial-up VPN (but over the S2S) to flow to these subnets.

A reverse policy is only needed if you want to be able to connect to your dial-up client(s) from out of these subnets. It is not needed for answering requests.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
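As an added illustration of sw2090's checklist (not configuration from this thread or from Fortinet), these are the FortiOS CLI pieces for the addressing in the thread. It assumes a dial-up phase1 named "FCT_DIALUP", an S2S tunnel interface named "S2S", a Site B LAN port named "internal", address objects FCT_POOL (10.0.0.0/23, covering the 10.0.0.1-10.0.1.1 client range) and SITE_B_LAN (10.51.0.0/26), an address group FCT_SPLIT_NETS holding both LANs, and S2S phase2 selectors that already cover the pool (0.0.0.0/0, as in the thread).

```fortios
# ---- Site A (FortiGate the dial-up clients connect to) ----
# Mode config hands the client its pool address plus routes for the
# split-tunnel networks; FCT_SPLIT_NETS must include Site B's LAN too.
config vpn ipsec phase1-interface
    edit "FCT_DIALUP"
        set mode-cfg enable
        set ipv4-split-include "FCT_SPLIT_NETS"
    next
end
# Site A must know Site B's LAN sits behind the S2S tunnel interface.
config router static
    edit 0
        set dst 10.51.0.0 255.255.255.192
        set device "S2S"
    next
end
# Dial-up -> S2S, no NAT: Site B then sees the client's pool address.
config firewall policy
    edit 0
        set srcintf "FCT_DIALUP"
        set dstintf "S2S"
        set srcaddr "FCT_POOL"
        set dstaddr "SITE_B_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# ---- Site B (remote end of the S2S tunnel) ----
# Return route for the dial-up pool points back into the S2S tunnel ...
config router static
    edit 0
        set dst 10.0.0.0 255.255.254.0
        set device "S2S"
    next
end
# ... and a policy S2S -> LAN admits the pool as source. Replies follow the
# existing session, so no reverse policy is needed unless Site B initiates.
config firewall policy
    edit 0
        set srcintf "S2S"
        set dstintf "internal"
        set srcaddr "FCT_POOL"
        set dstaddr "SITE_B_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A quick check after applying this is to run `diagnose sniffer packet S2S 'icmp' 4` on Site B while pinging from the client: if the echo requests appear there but get no reply, the Site B policy or return route is the remaining gap; if nothing arrives, look at Site A's routing and the S2S selectors first.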
Al3x
New Contributor

Hi, thank you for your reply, and sorry for the late response. I tried to configure it as you suggested, and I seem to be very close to the finish line: the FortiGate on site A sends data to the FortiGate on site B through FortiClient, as I see in the session monitor, but site B's FortiGate seems to be unaware of what is happening from FortiClient (Site A) through the S2S VPN. I added the routes in the routing policy like this:

===[SITE A]===

Routing policy:

Source interface: FortiClient interface | dest interface: S2S | source: 169.254.1.1/255.255.255.255 | dest: 10.51.0.0/26

IPv4 policy:

From: FortiClient VPN interface | To: S2S interface | source: FortiClient Site A IP range given by FortiClient | dest: remote Site B network 10.51.0.0/22

===[SITE B]===

Incoming: S2S interface | Outgoing: 10.51.0.0/26 | Source: 169.254.1.1/255.255.255.255 | Dest: 10.51.0.0/26

IPv4 policy:

From: S2S interface | To: the local network of SITE B 10.51.0.0/26 | source: 169.254.1.1/255.255.255.255 subnet | Dest: local subnet 10.51.0.0/26


When I run a ping to anything that I want to reach in the remote subnet at site B, the site A FGT IPv4 policy tells me that packets are going through the rule I've set up; then when I go to FortiView > Session > Destination interface S2S Site A connector, I see my IP given by my FortiClient, and if I double-click on it I can see the pings that are being sent. The problem is that I can't find any of those pings on the Site B FGT :( , it seems that B won't receive the pings.

The S2S tunnel is configured to accept 0.0.0.0/0.0.0.0 networks.

I wonder what is wrong; can you please suggest other ideas?

EDIT: Tracert shows me that I'm on the FortiClient tunnel, then tracert doesn't know what to do with my packet.

route to 10.51.0.62 using 30 hops
1 104 ms 106 ms 106 ms 169.254.1.1 (high ping, using 3G :o )
2 * * * timed out.
3 * * * timed out.
