Support Forum
Bill_Daly
New Contributor

Access FortiClient computer from LAN

I've successfully set up a VPN tunnel to allow FortiClients to connect to my FortiGate 90D (v5.2.5) and they can access all internal LAN addresses.  However, computers on the LAN are unable to ping the FortiClient computers.  When I do a traceroute from a LAN computer, the FortiGate seems to send the packets to its Internet interface instead of through the VPN tunnel to the FortiClient.

 

The FortiClients can ping internal LAN computers, so the FortiGate knows the route to the FortiClient or else the FortiClient wouldn't be able to receive responses when they ping computers on the LAN.  The pings from the LAN to the FortiClients are not being blocked by any policy.

 

FortiClient VPN: 192.168.102.0/24

LAN: 192.168.2.0/24

config firewall policy
edit 1
set srcintf "Forticlient"
set dstintf "any"
set srcaddr "Forticlient_VPN"
set dstaddr "InternalNetwork"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

 

config router policy
edit 1
set input-device "internal"
set src "192.168.2.0/255.255.255.0"
set dst "192.168.102.0/255.255.255.0"
set output-device "Forticlient"
next
edit 2
set input-device "internal"
set gateway 70.46.74.1
set output-device "wan1"
next
end

 

config firewall address

edit "Forticlient_VPN"
set subnet 192.168.102.0 255.255.255.0
next

edit "InternalNetwork"
set subnet 192.168.2.0 255.255.255.0
next

end

 

I'm sure there's something stupid and obvious I'm missing, but I can't see what it is.

localhost
Contributor III

You are missing a policy in the opposite direction: from internal interface to the sslvpn interface.

 

Why are you using policy routes? Static routes would do the job as well, much easier to handle.

Also I see no reason to use NAT on policy 1.

Bill_Daly

It's an IPSec VPN, so there are no routes to the sslvpn interface.

 

A static route doesn't allow me to select the Fortinet VPN interface (although I can select the ssl.root interface).  I can only select site-to-site tunnels and physical interfaces.  I've tried creating static routes using the wan1 and internal interfaces, but that didn't seem to make a difference.

 

I use NAT because my LAN and VPN clients are on different subnets and I have no control over what addresses my VPN clients use when on other networks.  So, with NAT, my LAN is 192.168.2.0/24 and my VPN clients are 192.168.102.0/24.

ede_pfau

localhost is right, get rid of the policy routes. They are external to the regular routing and not necessary here: if the routing can be fully determined by the destination address then use regular routing. Only if not, then use PBR.

Second, using NAT will make it quite hard for you to ping a client. From the config posted I cannot see how the .102 network address is assigned to a client. Instead it would use the internal's IP address. As the NAT table is internal to the session (from client to local network) it can only route traffic back which belongs to the same session. A new session from LAN to client will have no clue where to look for the client.

 

A dial-in VPN will establish an ad-hoc route when connecting a client, you should be able to see it in the Routing monitor.

Having no control over the remote LAN's address space can be a problem (how to avoid a user having the same private address space on his LAN as on the local LAN?). If the number of users is small you could tell them which network address to use, and for your local LAN you will avoid the over-used 192.168.[0-2].0/24 addresses. Any of this is difficult in practice. The second workaround is to assign (non-overlapping) addresses to your clients via IPsec-DHCP. Then you will have full control over the addresses used.

 

I'm still not sure if you could ever initiate a session to a dial-in client, even with all the addressing settled. I don't think this type of VPN is meant to support it. I can't test that here as I only use s2s VPNs, or SSL-VPN for clients.

 

HTH.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
localhost

I recreated your situation in my lab.

 

I was able to ping in both directions. Be aware that the Windows Firewall might block your pings!

 

You don't need any routes for the Dialup VPN. The Fortigate will create the routes to the VPN Clients on the fly.

 

Some snippets: port8=INTERNAL, port7=EXTERNAL

 

config user local
    edit "user1"
        set type password
        set passwd-time 2015-12-18 12:58:03
        set passwd ENC 5MvJfkLcI10iOWY6efs7Bt81I79ZUvZ4GY3EU28ztWyZbMzrrIRRAseH958w8KwDG9bJxD1hQrysGujJxV7e+vcgD8CxZC6toeTBPrdCEIe7u0hpwql/BGdqmFh2kXHfYQc3q1sKPKuVIQ/ZLaWbFgb9Sg4hGZNYH5M5E0FrVTQc1sW4XxYxaU969BwlW3Vb50PW8A==
    next
end
config user group
    edit "SSO_Guest_Users"
    next
    edit "Sample-Group"
        set member "user1"
    next
end

config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port7"
        set mode aggressive
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set comments "VPN: Dialup (Created by VPN wizard)"
        set xauthtype auto
        set authusrgrp "Sample-Group"
        set ipv4-start-ip 10.1.150.20
        set ipv4-end-ip 10.1.150.254
        set save-password enable
        set psksecret ENC dmFyL2V6MHFK6pWIBrRbJGIJDBF6cRSKkZFGbGlPuG+D5KeS5kSiauX+b2B6hpPawpQbsmalgV3PhLdCOcUJPWAv65+QnzYslHzg/PSeHI7tj2cx+fQtim/gdjTOnDpQZ2B6EAfU3UaAbw9p7+IbmY565MrM6LpJ9xbgXHu3gYsZdr8hDUyxk14gVUAF8sijuIglDw==
    next
end
config vpn ipsec phase2-interface
    edit "Dialup"
        set phase1name "Dialup"
        set comments "VPN: Dialup (Created by VPN wizard)"
    next
end

config firewall policy
    edit 1
        set uuid d6f13138-a57d-51e5-6bb8-ed0509419eda
        set srcintf "port8"
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 2
        set uuid 1cfd13e0-a57e-51e5-6c76-e74f0ecebb03
        set srcintf "Dialup"
        set dstintf "port8"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: Dialup (Created by VPN wizard)"
    next
    edit 3
        set uuid e16a89a6-a57e-51e5-ef54-0ca90e1679ce
        set srcintf "port8"
        set dstintf "Dialup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 4
        set uuid b0106758-a5b1-51e5-85da-6c7a583097ba
        set srcintf "Dialup"
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
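Both replies point at the same check: a dialup IPsec tunnel installs a host route to each connected client on the fly, and the Routing monitor (or `get router info routing-table all` on the CLI) is where to look for it. The script below is an added example, not code from the thread or from Fortinet: it parses a routing-table dump and does a longest-prefix lookup, so you can see why a LAN host's traceroute to a client address that has no such route falls through to the default route on wan1, exactly the symptom in the opening post. The sample routing-table text is constructed, and its line layout is an approximation of FortiOS 5.2 output rather than a capture from the poster's 90D; the interface names (wan1, internal, Forticlient) and subnets follow the thread.

```python
"""Longest-prefix lookup over a FortiOS routing-table dump.

Paste the output of `get router info routing-table all` into ROUTING_TABLE
(or read it from a file) and ask which interface a destination egresses on.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample (assumption: modelled on FortiOS 5.2 output from memory,
# not captured from the poster's FortiGate). The /32 via "Forticlient" is the
# per-client route the dialup tunnel installs while 192.168.102.5 is connected;
# no other client is connected, so no other 192.168.102.x route exists.
ROUTING_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 70.46.74.1, wan1
C       70.46.74.0/24 is directly connected, wan1
C       192.168.2.0/24 is directly connected, internal
S       192.168.102.5/32 [15/0] is directly connected, Forticlient
"""


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]  # None for connected / tunnel routes


# One route line: code letters, prefix, optional [distance/metric],
# then either "via <gw>, <iface>" or "is directly connected, <iface>".
ROUTE_RE = re.compile(
    r"^[A-Z*]+\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[\d+/\d+\])?"
    r"\s+(?:via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),|is directly connected,)"
    r"\s+(?P<iface>\S+)\s*$"
)


def parse_routing_table(text: str) -> List[Route]:
    """Return the route entries, skipping the code legend and blank lines."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append(Route(ipaddress.ip_network(m["prefix"]), m["iface"], m["gw"]))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match for dst, or None if nothing (not even a default) matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Interface a packet to dst leaves on, as the routing table alone decides it."""
    r = lookup(routes, dst)
    return r.interface if r else None


def connected_vpn_clients(routes: List[Route], pool: str, iface: str) -> List[str]:
    """Client addresses from the VPN pool that currently have a /32 via the tunnel."""
    pool_net = ipaddress.ip_network(pool)
    return sorted(
        str(r.prefix.network_address)
        for r in routes
        if r.interface == iface and r.prefix.prefixlen == 32 and r.prefix.subnet_of(pool_net)
    )


if __name__ == "__main__":
    table = parse_routing_table(ROUTING_TABLE)
    print("clients with a tunnel route:", connected_vpn_clients(table, "192.168.102.0/24", "Forticlient"))
    for dst in ("192.168.102.5", "192.168.102.7", "192.168.2.10"):
        print(f"{dst:>15} -> {egress_interface(table, dst)}")
```

A destination in the VPN pool that has no host route (192.168.102.7 above) matches only the default route and leaves on wan1; that is the traceroute behaviour in the opening post, and it means either the client is not connected or no per-client route was installed. Run the lookup against the real table before adding any static or policy route for the pool: a blanket route for 192.168.102.0/24 would only mask the missing host routes.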
