Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
graham_morrison
New Contributor

Need IPSec clients to talk to each other

Good morning,

 

This is a new one for me that has been pushed onto me with the current working from home solution.  We have 10 clients on the same ipsec tunnel all with softphones.  They all work perfectly talking back to our on prem IP phone system.  What we have discovered is that they cant phone each other as the phone software tries to make the call directly to the ip of the other PC on the same tunnel.  So PC A (192.168.97.2 - Tunnel address) cannot see or talk to (192.168.97.3).  Its the routing i think is the issue as i cant get the tunnel to route 192.168.97.0/24 back to the firewall.  I have added that route to the split tunnel and also added a rule to say the traffic can flow that way but no traffic hits it.

 

Its a 600C we have running the latest firmware.

 

Thanks in advance 

 
1 REPLY 1
Kenundrum
Contributor III

i had the same situation a while back when my area started mandating work from home. Here's a few tips that might help.

 

Ensure your vpn clients are getting an ip that is in a routable range. Preferably, something not in the local network of the firewall. Don't just have the firewall assign some IPs in the middle of your 'internal' subnet. I have enough remote users at this point that we had to assign a few /24s to the various tunnels. Assigning a dedicated range of IPs to your VPN allows for better routes across all devices.

 

You want to make sure you have policies that allow traffic from  source interface VPN to destination interface VPN and the source/destination IPs should be the entire range. The firewall will see the traffic coming from the vpn, but it need to go back out the vpn interface. This is typically not the normal setup for policies.

 

Depending on the setup of your tunnel, you may or may not need to have NAT enabled. This may depend on if your VPN interfaces have IPs or not, the nature of the traffic, or something else. Strangely, one of my firewalls appears to have the softphone policy have NAT enabled for sslvpn and disabled for ipsec. (Whoever set that policy up got it to work, so i'm not going to tempt fate to see why right now).

 

Also- you may need to explore your split tunneling setup. You would likely need to add the VPN tunnel range to your split tunnel route if it's not there already. Try to see if having a VPN where all traffic gets tunneled gets a different result. I have seen in rare instances where applications don't behave well with split tunnel VPNs in play- typically around if the tunnel is started before or after the application launches.

 

Once you have it working, you may want to double check the softphone connectivity requirements and create policies around that specifically. You typically don't want ALL traffic being able to go from VPN client to VPN client. However an any/any type policy will definitely help during initial setup to see if it works at all.

CISSP, NSE4

 

CISSP, NSE4
Labels
Top Kudoed Authors