Hi all,
My setup (in basics): I have multiple Fortigate SG60s at different physical locations. I configured a site-to-site IPsec VPN between the Fortigate SG60 in the DC and all sites, which works fine (as far as I know). Let's call the DC site A.
Site A:
I have a MGMT VLAN, and multiple VMs reside within this VLAN. It is possible to ping from a VM in site A to site B. In other words, to ping the other side of the VPN tunnel.
I also have a dial-up VPN from my laptop to site A, which works fine. From my laptop it is now possible to enter the MGMT network. It is also possible to ping site B over the VPN. The routes are advertised. So far so good.
Now the problem: I recently added site C, a new Fortigate at a different physical location. IPsec site-to-site works fine. It is also possible to ping site C from a VM in the MGMT network in site A. What is not possible: to ping site C from my laptop (that is connected with the dial-up VPN). For some reason the routes to this site are not advertised by the Fortigate. When I start a traceroute from my laptop it just tries to find site C on the public internet...
I added the same firewall rules and static routes as for site B (which is accessible from my laptop).
Now my question to you: does anyone have an idea what could be wrong? What kind of information (configs, tests, idk) would you like to see in order to get a grasp of the problem?
If someone has a clue please share it with me!
Kind regards,
Kasper
I've had some similar troubles due to network numbering. If the local network you're connecting from matches the destination network i.e. both are 192.168.1.x, routes do not work properly. It tries to contact the local LAN gateway as you describe. The only fix I've found is to change the local network's numbering. In our case, it was the remote user's home LAN. Just adjusted their DHCP settings. Ideally, I will move our company network over to something less common in the future to avoid this.
Hi,
Thanks for your reply!
My local network is a 192.168.0.0/24 network, while the remote network that doesn't work (site C) is a 10.100.54.0/24 network.
Site B, which does work, is a 10.72.7.0/24 network. Strange, right? I added static routes for both sites.
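The reply above argues that a client whose home LAN overlaps the remote network will send traffic to its local gateway instead of into the tunnel, and the traceroute symptom in the original post (site C looked up on the public internet) is what a missing, more-specific route looks like from the laptop's side. The following script is an added example, not code from the thread or from Fortinet: it takes the three prefixes quoted in this thread, a constructed (hypothetical) split-tunnel routing table as a laptop might hold it once the dial-up VPN is up, and reports for each remote site whether the address space overlaps the client LAN, whether a probe host resolves to the tunnel, or whether it falls through to the default route. The next-hop names "home-gateway" and "ipsec-tunnel" are assumed labels, not anything pulled from a FortiGate.

```python
import ipaddress

# Prefixes as quoted in the thread (constructed sample input for this example).
CLIENT_LAN = "192.168.0.0/24"   # the laptop's home LAN
SITE_B = "10.72.7.0/24"         # reachable through the dial-up VPN
SITE_C = "10.100.54.0/24"       # the site that is NOT reachable

# Hypothetical split-tunnel routing table on the laptop after the dial-up
# tunnel comes up: a default route to the home gateway plus the prefixes
# the VPN gateway pushed. Site C is deliberately absent to reproduce the
# symptom described in the original post.
CLIENT_ROUTES = [
    ("0.0.0.0/0", "home-gateway"),
    ("10.72.7.0/24", "ipsec-tunnel"),
]


def overlaps(local_cidr, remote_cidr):
    """True if the client's local LAN shares address space with a remote site.

    This is the failure mode the accepted reply describes: when both sides
    are e.g. 192.168.1.0/24, the connected-LAN route wins and packets go
    to the home gateway instead of the tunnel.
    """
    return ipaddress.ip_network(local_cidr).overlaps(
        ipaddress.ip_network(remote_cidr)
    )


def resolve(routes, dst_ip):
    """Longest-prefix match over (prefix, next_hop) pairs.

    Returns (prefix, next_hop) for the winning route, or None when nothing
    matches (which cannot happen while a default route is present).
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def diagnose(local_lan, routes, remote_cidr):
    """Short verdict for one remote site: 'overlap', 'via-tunnel' or 'default-route'."""
    if overlaps(local_lan, remote_cidr):
        return "overlap"
    # Probe the first usable host of the remote prefix, the way a ping would.
    probe = str(ipaddress.ip_network(remote_cidr)[1])
    _prefix, next_hop = resolve(routes, probe)
    if next_hop == "ipsec-tunnel":
        return "via-tunnel"
    # Anything else means the packet leaves through the default route,
    # i.e. the "tries to find site C on the public internet" traceroute.
    return "default-route"


if __name__ == "__main__":
    for name, site in (("site B", SITE_B), ("site C", SITE_C)):
        print(f"{name} {site}: {diagnose(CLIENT_LAN, CLIENT_ROUTES, site)}")
```

Run against the thread's numbers this reports site B as "via-tunnel" and site C as "default-route" with no overlap, which matches the original poster's follow-up: the addresses do not collide, so the thing to check on the gateway side is whether the new site's prefix is actually part of what the dial-up client is given, not the numbering.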
Copyright 2024 Fortinet, Inc. All Rights Reserved.