gstefou
New Contributor II

Unable to access LAN Using IPSec while connected to the Guest WiFi

I'm having an issue with devices accessing internal network equipment using IPSec VPN while connected to the Guest WiFi of the same Firewall we're trying to remote into.


Some details about the setup: we have a firewall in place and we're broadcasting LAN and Guest WiFi SSIDs.

The Guest WiFi is isolated and can only reach the internet, with some web filtering and SSL inspection.

Devices that are connected to the Guest WiFi cannot communicate with the LAN network; this is set up by a firewall policy.


Dialup IPSec VPN has been set up so the remote users can access a specific server on the internal network (LAN).

This is working like a charm when we're using a mobile hotspot or another ISP connection outside the office building.


The problem is when we're at the office: we have some personal devices we have to connect to the Guest WiFi for security purposes, and although we're able to establish a connection using our Dialup IPSec VPN, our computers cannot reach the specified server on the internal network.

Looking at the logs, we found that the traffic is directed through the Guest WiFi instead of the IPSec VPN tunnel.


We have tried the same setup on multiple FortiOS versions from 7.2 all the way up to the latest.

On the client side, we're using FortiClientVPN on the latest version. We have also tried a couple of versions back.


Is there anyone experiencing the same issue?

Any thoughts on what might be going wrong?


!Disclaimer! I know we can put a firewall policy in place to allow access from the Guest WiFi to the server on the internal network, but that's a serious security vulnerability.

15 replies
Ion_24
New Contributor

Hi,
You must create a policy to allow traffic from the VPN interface to the LAN interface.

Example:

# IP pool referenced by the policy below (overload NAT to a single LAN address)
config firewall ippool
    edit "VPN-NAT-LAN"
        set type overload
        set startip 172.16.5.59
        set endip 172.16.5.59
    next
end

# Policy allowing dial-up VPN clients to reach the LAN, source-NATed via the pool
config firewall policy
    edit 5
        set name "vpn_VPN_to_LAN"
        set uuid cc54f352-c5a6-51ed-9706-68ag0f33c85b
        set srcintf "VPN_Tunnel Interface"
        set dstintf "internal1(LAN)"
        set action accept
        set srcaddr "VPN_Tunnel Interface(Subnet 192.168.100.1/24)"
        set dstaddr "LAN (subnet 172.16.0.0/18)"
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "VPN-NAT-LAN"
        set comments "VPN: VPN access to LAN Interface"
    next
end

I think this will help you!

gstefou
New Contributor II

Hello,


The policy from the VPN to LAN has been in place since we configured the VPN.

Everything is working properly when we're using our mobile hotspot or any other network connection, except the Guest Network of the Firewall.

AEK
SuperUser

I guess 172.17.1.0 is the remote network you are trying to access.

On the routing table I see only three hosts in this network (.1, .10 and .20) that are forwarded through the tunnel.

So you confirm your traffic to these three specific hosts is sent to the default gateway instead of being forwarded through the tunnel, right? Is this confirmed by a diag sniffer command on your FGT?

AEK
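The diagnosis above (only the hosts with a specific route are forwarded through the tunnel; everything else in the remote network follows the default route out the Guest WiFi) comes down to longest-prefix matching on the client's routing table. The following script is an added example for this thread, not code from any poster or from Fortinet: it models a constructed client routing table with a default route via the Guest WiFi and the three /32 tunnel routes AEK mentions, then reports which destinations inside the protected network would leave via the wrong interface. Interface names, the /24 mask and the extra host 172.17.1.50 are assumptions made for the example.

```python
import ipaddress

# Constructed client routing table modelled on the thread: a default route
# via the Guest WiFi gateway and three host routes pushed by the dial-up
# IPsec client. Interface names are assumptions, not from a real device.
ROUTES = [
    ("0.0.0.0/0", "guest-wifi"),
    ("172.17.1.1/32", "ipsec-tunnel"),
    ("172.17.1.10/32", "ipsec-tunnel"),
    ("172.17.1.20/32", "ipsec-tunnel"),
]


def build_table(routes):
    """Parse (prefix, egress) pairs into ip_network objects."""
    return [(ipaddress.ip_network(prefix), egress) for prefix, egress in routes]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins,
    so a /32 tunnel route beats the /0 default route for that one host."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, egress in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def classify(routes, destinations):
    """Map each destination to the interface it would egress on."""
    table = build_table(routes)
    return {dst: lookup(table, dst) for dst in destinations}


def leaked_destinations(routes, destinations, protected_net, tunnel_if="ipsec-tunnel"):
    """Destinations inside the protected network that would NOT use the tunnel.
    These are the flows a 'diag sniffer' on the FortiGate would show arriving
    on the guest SSID instead of the IPsec interface."""
    net = ipaddress.ip_network(protected_net)
    egress = classify(routes, destinations)
    return sorted(
        (d for d, iface in egress.items()
         if ipaddress.ip_address(d) in net and iface != tunnel_if),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    # 172.17.1.50 is a constructed host in the remote network with no tunnel route.
    targets = ["172.17.1.1", "172.17.1.10", "172.17.1.20", "172.17.1.50", "8.8.8.8"]
    for dst, iface in classify(ROUTES, targets).items():
        print(f"{dst:>14} -> {iface}")
    print("leaked:", leaked_destinations(ROUTES, targets, "172.17.1.0/24"))
    # With the tunnel routes missing entirely, every remote host leaks.
    print("leaked without tunnel routes:",
          leaked_destinations(ROUTES[:1], targets, "172.17.1.0/24"))
```

Run against the constructed table, the three routed hosts resolve to the tunnel while 172.17.1.50 resolves to the guest interface; dropping the /32 routes (as when the client fails to install them) makes all four remote hosts leak, which matches the symptom of seeing the traffic on the Guest WiFi rather than in the tunnel.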
gstefou
New Contributor II

Yes, that is what's happening. 

We have confirmed it with diag sniffer commands on the Firewall. 


AEK
SuperUser

I remember one day I noticed the same behavior with FortiClient 7.4.0 (licensed version), but I didn't investigate further since the VPN was not needed when we were on the local network.

So is it possible that FortiClient somehow disables the VPN interface when it knows that it is directly connected to FortiGate? I hope some more experienced user can inform us on this behavior.

AEK
gstefou
New Contributor II

We're using FortiClientVPN (Free version) 7.4.2 (latest version) at the remote endpoint.

If any experienced user can provide some clarity on the case, that would be wonderful.  
