Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jacm
New Contributor

remote user access to second vpn site to site


 

I have two routers connected using IPsec site to site.

The remote user connects to router A (192.168.1.0/24) and has access to the network. The remote user does not have access to network B (192.168.2.0/24). How to make it have access to network B?

1 Solution
vbandha
Staff

Hi @jacm ,

 

If you have a phase 2 selector configured on the IPsec tunnel, you will have to add the SSL VPN IP subnet to the phase 2 selector on both sides of the tunnel.

You also need to create 2 firewall policies on Site A: SSL VPN --> IPsec and IPsec --> SSL VPN.

In the firewall policies on Site B, you have to add the SSL VPN IP subnet to the IPsec --> internal firewall policy.

You have to add a static route on Site B with the SSL VPN subnet as the destination and the IPsec tunnel as the exit interface.

 

Hope that helps.

 

Regards, 

Varun

 

 


6 REPLIES
esalija
Staff

Hi,

Please run the below commands to check where the traffic is going.

 

Putty 1

--------

# diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 4 0 l

 

***  x.x.x.x  is the Source IP address and y.y.y.y is the destination IP ***

 

ctrl+C to stop

 

Putty 2

-------

# diag debug reset

# diagnose debug flow filter addr x.x.x.x   (source IP address)

# diagnose debug flow filter addr y.y.y.y   (destination IP address)

# diag debug flow filter proto 1

# diag debug console timestamp enable

# diag debug flow trace start 9999

# diag debug enable

 

***  x.x.x.x  is the Source IP address and y.y.y.y is the destination IP ***

 

*** Run for 5-10 minutes ***

 

# diagnose debug disable

# diag debug reset

 

Putty 3

----------

# get router info routing-table all

# get router info routing-table details y.y.y.y

 

***  y.y.y.y is the destination IP ***

Best regards,

Erlin

xshkurti
Staff

@jacm 

Check this link for the right configuration:
SSL VPN to IPsec VPN | FortiGate / FortiOS 7.4.1 | Fortinet Document Library
Compare your config with this guide and make the proper changes.

 

If you found this as a solution, please like and accept it to make it easily accessible for others.

Regards!

@xshkurti 

jacm
New Contributor

Can you tell me what static routing should look like?

jacm
New Contributor

I managed, thank you for your answers
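
The static route asked about above, together with the other Site B changes from the accepted solution, as an added FortiOS CLI example that is not part of the original thread. Assumptions: the IPsec tunnel on Site B is named "toA", the LAN interface is "internal", and the SSL VPN client pool on Site A is 10.212.134.0/24 (a constructed value; use the pool actually configured). Lines starting with # are annotations.

```fortios
# Site B FortiGate (network B = 192.168.2.0/24, from the question).
# Names "toA", "internal" and the pool 10.212.134.0/24 are assumptions.

config firewall address
    edit "SiteA_SSLVPN_pool"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "SiteB_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Extra phase 2 selector pair, needed only when selectors are not 0.0.0.0/0.
# Site A needs the mirror image: src = pool, dst = 192.168.2.0/24.
config vpn ipsec phase2-interface
    edit "toA-sslvpn"
        set phase1name "toA"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 10.212.134.0 255.255.255.0
    next
end

# Return route: replies to SSL VPN clients leave through the IPsec tunnel.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "toA"
    next
end

# Admit the SSL VPN pool from the tunnel to the LAN.
config firewall policy
    edit 0
        set name "SiteA-sslvpn-to-LAN"
        set srcintf "toA"
        set dstintf "internal"
        set srcaddr "SiteA_SSLVPN_pool"
        set dstaddr "SiteB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Narrow `service "ALL"` to the services remote users actually need on network B. The `get router info routing-table details` command from the diagnostics reply above, run on Site B against an address in the pool, confirms the route points at the tunnel.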
