VPN to Multiple Vlans
Hi, and thanks for any replies.
I have a FortiGate configured with multiple tagged VLANs on the internal interface. So far any user on any VLAN can communicate with the internet, no problem.
I have configured PPTP VPN to one of the VLANs, but how can I configure routing to allow a VPN user to reach any VLAN interface?
If I do a route add on the VPN PC I can get to the VLANs, but how do I configure it so the user does not have to add manual routes?
Vlan(10) 10.243.30.0/24 ->|-> internal -> Wan1
Vlan(20) 10.242.57.0/24 ->|
Vlan(30) 10.212.67.0/24 ->|
Thanks
Hi,
AFAIK there is no routing table for a PPTP connection. Just the one route for the destination network.
You could either supernet all VLANs (i.e. target network is 10.212.0.0/12), which is awkward, or use client-side routes (if connecting to VLAN10, then 'VLAN20 is routed via 10.243.30.1 (= FG)' and similar for VLAN30).
Ede Kernel panic: Aiee, killing interrupt handler!
Thanks Ede,
So will IPsec work then, if I add RIP to the VLANs with FW rules for each VLAN to VPN and VPN to VLAN?
That could be a way.
For IPSec VPN, use the Interface mode (as opposed to policy-based VPN) when you create the tunnels. The tunnel then is just a port like other ports. You can use static routes or RIP for it. As the topology is not that dynamic, I personally would go with static routes.
There are 2 places where multiple subnets come into play:
- the quick mode selectors in phase2
- the policies
For phase2, you need to define the QM selectors using address groups. You can do that from the CLI only. Would be worth a try if you can make it work with a wildcard QM, i.e. '0.0.0.0/0'.
Policies are easy: you need one ACCEPT policy from 'tunnel' to 'VLANx' for each VLAN.
For a dial-in VPN you don't need a static route back to the tunnel; it will be created on the fly.
On the remote side, assuming you use FortiClient, enter all VLANs into the 'network behind tunnel' field. That will create the routes when the tunnel connects.
Ede Kernel panic: Aiee, killing interrupt handler!
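As an added illustration of the phase2 address-group selector and the per-VLAN policies described in the reply above (example CLI, not configuration from the thread or from Fortinet), using the three subnets from the original post. Assumed names: an existing interface-mode dial-up phase1 called "dialup_p1", VLAN sub-interfaces "VLAN10", "VLAN20", "VLAN30", and the address objects below.

```fortios
# Assumption: "dialup_p1" already exists as an interface-mode dial-up phase1.
# Address objects for each VLAN subnet (subnets from the original post)
config firewall address
    edit "VLAN10_net"
        set subnet 10.243.30.0 255.255.255.0
    next
    edit "VLAN20_net"
        set subnet 10.242.57.0 255.255.255.0
    next
    edit "VLAN30_net"
        set subnet 10.212.67.0 255.255.255.0
    next
end

# Address group used as the phase2 quick-mode selector (CLI only)
config firewall addrgrp
    edit "ALL_VLANS"
        set member "VLAN10_net" "VLAN20_net" "VLAN30_net"
    next
end

# Phase2: local selector = the VLAN group; remote side stays the dial-up client
config vpn ipsec phase2-interface
    edit "dialup_p2"
        set phase1name "dialup_p1"
        set src-addr-type name
        set src-name "ALL_VLANS"
        # Wildcard alternative mentioned in the thread:
        # set src-addr-type subnet
        # set src-subnet 0.0.0.0 0.0.0.0
    next
end

# One ACCEPT policy per VLAN, from the tunnel interface to that VLAN only
config firewall policy
    edit 0
        set name "VPN_to_VLAN10"
        set srcintf "dialup_p1"
        set dstintf "VLAN10"
        set srcaddr "all"
        set dstaddr "VLAN10_net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Repeat for VLAN20 and VLAN30 with the matching dstintf and dstaddr
end
```

Keeping dstaddr to the single VLAN object per policy means a client reaches only the subnets that were deliberately published, which is also what the selector and the client-side routes will advertise.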
Wow, thanks for the prompt reply. I will try that out and let you know how I make out.
Just wondering, you said "That could be a way". Would you recommend something else that might be better?
Thanks
Paul
No, not at all. I was just surprised that you were able to give up the PPTP VPN so quickly. My experience with PPTP is that these few hardliners who still stick to it will never accept any excuses to switch over to IPSec.
Besides, getting the 'multi-subnet' VPN going is not that plain simple, but it's doable.
Ede Kernel panic: Aiee, killing interrupt handler!
Ah, technology changes too fast to be stubborn. Besides, it's a great reason to pitch my clients on buying FortiClient for endpoints, yes?
Thank you for the great advice.
A valid point. Good luck with the config, and I'd love to see you back on the forum with how it went.
Ede Kernel panic: Aiee, killing interrupt handler!