Support Forum
Digerati
New Contributor

VPN to Multiple Vlans

Hi, and thanks for any replies. I have a FortiGate configured with multiple tagged VLANs on the internal interface. So far any user on any VLAN can communicate with the internet, no problem. I have configured a PPTP VPN to one of the VLANs, but how can I configure routing to allow a VPN user to reach any VLAN interface? If I do a 'route add' on the VPN PC I can get to the VLANs, but how do I configure it so the user does not have to add manual routes?

VLAN(10) 10.243.30.0/24 ->|
VLAN(20) 10.242.57.0/24 ->|-> internal -> wan1
VLAN(30) 10.212.67.0/24 ->|

Thanks
7 REPLIES
ede_pfau
SuperUser

Hi, AFAIK there is no routing table for a PPTP connection, just the one route for the destination network. You could either supernet all VLANs (i.e. target network is 10.212.0.0/12), which is awkward, or use client-side routes (if connecting to VLAN10, then 'VLAN20 is routed via 10.243.30.1 (= FG)' and similar for VLAN30).
Ede Kernel panic: Aiee, killing interrupt handler!
Digerati

Thanks Ede. So will IPsec work then, if I add RIP to the VLANs with FW rules for each VLAN to VPN and VPN to VLAN?
ede_pfau
SuperUser

That could be a way. For IPSec VPN, use the Interface mode (as opposed to policy-based VPN) when you create the tunnels. The tunnel then is just a port like other ports. You can use static routes or RIP for it. As the topology is not that dynamic I personally would go with static routes.

There are 2 places where multiple subnets come into play:
- the quick mode selectors in phase2
- the policies

For phase2, you need to define the QM selectors using address groups. You can do that from the CLI only. Would be worth a try if you can make it work with a wildcard QM, i.e. '0.0.0.0/0'.

Policies are easy: you need one ACCEPT policy from 'tunnel' to 'VLANx' for each VLAN. For a dial-in VPN you don't need a static route back to the tunnel, it will be created on the fly.

On the remote side, assuming you use FortiClient, enter all VLANs into the 'network behind tunnel' field. That will create the routes when the tunnel connects.
Ede Kernel panic: Aiee, killing interrupt handler!
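One way to lay the above out as a FortiOS configuration, as an added example that is not code from the thread, from Ede or from Fortinet. It uses FortiOS CLI in the 5.x/6.x syntax; the interface names (wan1, VLAN10, VLAN20, VLAN30), the user group vpn_users, the client pool 10.250.0.0/24 and the PSK placeholder are assumptions, substitute your own. It also swaps in one alternative to typing the VLANs into FortiClient's 'network behind tunnel' field: mode-config with ipv4-split-include pushes the three VLAN routes from the FortiGate when the tunnel comes up. Lines starting with # are annotations, not CLI.

```text
# Added example, not from the original posts. Interface names, user group,
# client pool and PSK are assumed placeholders.

# 1. One address object per VLAN, grouped so phase2 and the policies can
#    reference them by name (the address-group selectors are CLI-only).
config firewall address
    edit "VLAN10_net"
        set subnet 10.243.30.0 255.255.255.0
    next
    edit "VLAN20_net"
        set subnet 10.242.57.0 255.255.255.0
    next
    edit "VLAN30_net"
        set subnet 10.212.67.0 255.255.255.0
    next
    edit "VPN_clients"
        set subnet 10.250.0.0 255.255.255.0    # assumed dial-up address pool
    next
end
config firewall addrgrp
    edit "VLAN_all"
        set member "VLAN10_net" "VLAN20_net" "VLAN30_net"
    next
end

# 2. Dial-up phase1 in interface mode (type dynamic). mode-cfg assigns each
#    client an address from the pool and pushes the VLAN routes, so the user
#    needs neither manual 'route add' nor a per-client route list.
config vpn ipsec phase1-interface
    edit "dialup_vpn"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn_users"
        set mode-cfg enable
        set ipv4-start-ip 10.250.0.1
        set ipv4-end-ip 10.250.0.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "VLAN_all"
        set psksecret <long-random-psk>
    next
end

# 3. Phase2 quick-mode selectors: local side is the VLAN address group,
#    remote side is the client pool assigned above.
config vpn ipsec phase2-interface
    edit "dialup_vpn_p2"
        set phase1name "dialup_vpn"
        set proposal aes256-sha256
        set dhgrp 14
        set src-addr-type name
        set src-name "VLAN_all"
        set dst-addr-type name
        set dst-name "VPN_clients"
    next
end

# 4. One ACCEPT policy from the tunnel interface into each VLAN. Keep them
#    per-VLAN: the policy, not the selector, decides what an authenticated
#    client may actually reach, and a VLAN can be withdrawn by deleting one rule.
config firewall policy
    edit 0
        set name "vpn_to_vlan10"
        set srcintf "dialup_vpn"
        set dstintf "VLAN10"
        set srcaddr "VPN_clients"
        set dstaddr "VLAN10_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn_to_vlan20"
        set srcintf "dialup_vpn"
        set dstintf "VLAN20"
        set srcaddr "VPN_clients"
        set dstaddr "VLAN20_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn_to_vlan30"
        set srcintf "dialup_vpn"
        set dstintf "VLAN30"
        set srcaddr "VPN_clients"
        set dstaddr "VLAN30_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After a client connects, `diagnose vpn tunnel list` shows the negotiated selectors and `get router info routing-table all` shows the route to the client address that the dial-up tunnel adds on the fly, as described above. Aggressive mode with a pre-shared key lets a passive observer attempt offline cracking of that key, so use a long random PSK together with the XAuth user group, or move to certificate authentication.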
Digerati

Wow, thanks for the prompt reply. I will try that out and let you know how I make out. Just wondering, you said "That could be a way". Would you recommend something else that might be better? Thanks, Paul
ede_pfau
SuperUser

No, not at all. I was just surprised that you were able to give up the PPTP VPN so quickly. My experience with PPTP is that these few hardliners who still stick to it will never accept any excuses to switch over to IPSec. Besides, getting the 'multi-subnet' VPN going is not that plain simple, but it's doable.
Ede Kernel panic: Aiee, killing interrupt handler!
Digerati

Ah, technology changes too fast to be stubborn. Besides, it's a great reason to pitch my clients on buying FortiClient for endpoints, yes? Thank you for the great advice.
ede_pfau
SuperUser

A valid point. Good luck with the config, and I'd love to see you back on the forum with how it went.
Ede Kernel panic: Aiee, killing interrupt handler!