Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gstefou
New Contributor II

Unable to access LAN Using IPSec while connected to the Guest WiFi

I'm having an issue with devices accessing internal network equipment using IPSec VPN while connected to the Guest WiFi of the same firewall we're trying to remote in to.

Some details about the setup, we have a firewall in place and we're broadcasting LAN and Guest WiFi SSIDs.

The Guest WiFi is isolated and can only reach the internet, with some web filtering and SSL inspection.

Devices that are connected to the Guest WiFi cannot communicate with the LAN network; this is set up by a firewall policy.


Dialup IPSec VPN has been set up so the remote users can access a specific server on the internal network (LAN).

This is working like a charm when we're using a mobile hotspot or another ISP connection outside the office building.


The problem is when we're at the office: we have some personal devices we have to connect to the Guest WiFi for security purposes, and although we're able to establish a connection using our Dialup IPSec VPN, our computers cannot reach the specified server on the internal network.

Looking at the logs, we found that the traffic is directed through the Guest WiFi instead of the IPSec VPN tunnel.


We have tried the same setup on multiple FortiOS versions from 7.2 all the way up to the latest.

On the client side, we're using FortiClient VPN on the latest version. We have also tried a couple of versions back.


Is there anyone experiencing the same issue?

Any thoughts on what could be going wrong?


!Disclaimer! I know we can put a firewall policy in place to allow access from the Guest WiFi to the server on the internal network, but that's a serious security vulnerability.

srajeswaran
Staff

On your VPN setup, which route are you pushing to clients? Are you pushing a specific route for the protected resource, or a default route to force all traffic to go via the VPN (dst-subnet under config vpn ipsec phase2-interface)?

You mentioned the logs indicate traffic coming via the Guest WiFi instead of the dialup VPN; this is mostly due to the same route being active, so the system is using the WiFi instead of the tunnel route.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
gstefou
New Contributor II

The dst-subnet on ipsec phase2-interface is 0.0.0.0/0.0.0.0.

Do you think we have to static this out to look at the internal network subnet?

srajeswaran

Yes, 0.0.0.0 means the client is getting another default route. Change to a specific subnet for the protected resource and then test the connection.

Regards,
Suraj
gstefou
New Contributor II

Suraj,

I tried the changes on dst-subnet on the ipsec phase2 interface and wasn't able to connect to the VPN at all afterwards.

Maybe I need to do some research on where I need to point the destination to.

dingjerry_FTNT

Hi @gstefou,

Please note:


The src-subnet is the network protected by FGT;

The dst-subnet is the subnet behind the remote IPsec VPN endpoint. In your case, it is the subnet to which your FCT IP belongs.

Regards,

Jerry
AEK
SuperUser

It looks like a routing issue on your client host.

There is probably a route on your guest client that is forwarding traffic destined to your server through the WiFi's gateway.

AEK
gstefou
New Contributor II

AEK,

I tried the same on another laptop I had with the exact same setup and it was having the same problem again.

You are right, all the traffic from the computers for some reason gets forwarded to the Guest WiFi gateway.

I looked at the route table on both of the computers and I saw that the VPN tunnel creates the routing rules properly with the appropriate metrics.

For instance, a rule has been created for the internal server IP, using the correct gateway, and the metric is 1.

From what I know that means this routing rule gets the highest priority, correct?
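To check which table entry a host would actually pick for the server address, here is an added Python example (not from this thread, from Fortinet, or from FortiClient) that applies longest-prefix-match followed by metric tie-breaking to a constructed, Windows-style route table; all addresses in it are invented.

```python
import ipaddress

# Constructed Windows-style IPv4 route table (the columns of `route print`):
# (destination, netmask, gateway, interface, metric). All addresses are made up.
SAMPLE_ROUTES = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.200.1", "192.168.200.23", 50),   # default via guest WiFi
    ("192.168.200.0", "255.255.255.0",   "On-link",       "192.168.200.23", 306),  # guest WiFi subnet
    ("10.0.0.50",     "255.255.255.255", "10.212.134.1",  "10.212.134.200", 1),    # host route added by the VPN client
    ("10.212.134.0",  "255.255.255.0",   "On-link",       "10.212.134.200", 257),  # VPN virtual adapter subnet
]

def parse_routes(rows):
    """Turn (dest, mask, gateway, interface, metric) tuples into prefix entries."""
    routes = []
    for dest, mask, gateway, iface, metric in rows:
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes

def select_route(routes, destination):
    """Return the entry the host would use for `destination`, with the reason.

    IPv4 forwarding picks the longest matching prefix first; the metric only
    breaks ties between entries of the same prefix length.
    """
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r["network"]]
    if not matches:
        return None
    best_len = max(r["network"].prefixlen for r in matches)
    longest = [r for r in matches if r["network"].prefixlen == best_len]
    winner = min(longest, key=lambda r: r["metric"])
    reason = "longest prefix" if len(longest) == 1 else "lowest metric among equal prefixes"
    return dict(winner, reason=reason)

def explain(rows, destination):
    """One-line verdict: next hop, interface and why that entry won."""
    r = select_route(parse_routes(rows), destination)
    if r is None:
        return f"{destination}: no matching route"
    return (f"{destination}: via {r['gateway']} on {r['interface']} "
            f"({r['network']}, metric {r['metric']}, chosen by {r['reason']})")

if __name__ == "__main__":
    print(explain(SAMPLE_ROUTES, "10.0.0.50"))  # host route over the tunnel wins
    print(explain(SAMPLE_ROUTES, "10.0.0.51"))  # nothing pushed for it: goes out the WiFi default
```

A /32 host route beats the default route on prefix length alone, so a metric of 1 only matters when the tunnel and the WiFi both carry an entry of the same prefix length for the server's subnet.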

AEK

Hi gstefou,

If you share the routing table maybe we can help. You can hide sensitive IP addresses if any.

AEK
gstefou
New Contributor II

Here's the routing table of the remote device.

I have greyed out the firewall's public IP address on line 12.

This is one of the routing entries that was added once the IPSec VPN tunnel was established.

[Screenshot: routing table of the remote device, image (6).png]
