Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
oibekk
New Contributor

Unable to reach printer on local network with dial-in ipsec VPN

We have a FGT80F, and have set up dial-in ipsec vpn for the users to access office network.

Users are able to reach their local network printers at their remote site (enabled "allow access to local network" in FortiClient config). 

But at one spesific remote location, the users PC use 192.168.4.x/24 network for LAN on PC, and then uses a printer which is set up with 10.25.254.250 (it is a hired office, and we do not administer the network there...). When VPN connected, he is not able to reach the printers ip (ping). Is there anything we can do in the FortiClient or fortigate VPN config to allow access to all local subnets?

FortiGate FortiClient 

2 REPLIES 2
Nishtha_Baria

Hello Oibekk,

 

   To allow all local lan subnets, you have to make sure that you add the subnets in the firewall policy as destination. And if split-tunneling is on you will also have to add these extra subnets in phase1 and in address group.

 

config vpn ipsec phase1-interface

edit "tunnel_name"

set ipv4-split-include "local_network"

next

end

config firewall address
    edit "local_subnet_1" 
        set subnet 10.10.111.0 255.255.255.0 
    next 
    edit "local_subnet_2" 
        set subnet 10.10.112.0 255.255.255.0 
    next 
end 
config firewall addrgrp
    edit "local_network" 
        set member "local_subnet_1" "local_subnet_2" 
    next 
end 

Reference document:

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/785501/forticlient-as-dialup...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-dial-up-full-tunnel-with-FortiClient...

NB
Rajneesh
Staff
Staff

Hi @oibekk  

Run the sniffer on the FGT local :
diagnose sniffer packet any "host 192.168.7.5 and icmp" 4 0 l        -------------> replace IP with your local machine IP.

If you are noticing the traffic coming into your local interface and going out it means there is no issue with the policy part.

 

Check same by running the command on the remote FGT also.

This will help to isolate the issue.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors