Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SouthTHTHTH
New Contributor

Created on ‎09-30-2023 06:52 PM Edited on ‎09-30-2023 11:04 PM

VPN Site Cannot access Internet after deploy SSL VPN

Hello,

 

I have follow this tutorial https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-with-overlapping-subnets/ta-p/1898... because my remote site and VPN site has same subnet (192.168.1.0/24)

 

However VPN is working perfectly except the VPN site now cannot access to the internet

Here is what FortiGate log show when I try ping

e1.jpge2.jpg

 

My environment is 

-Fortigate 40F firmware v7.0.12 build0523 

-PPPOE WAN

-SSL VPN Split tunnel Enabled Based on Policy Destination

-Connect to VPN by FortiVPN Client

 

EDIT1 : I also find out form log that the NAT IP has changed to Virtual IP instead of WAN IP

 

 

Labels:
573
0 Kudos
5 REPLIES 5
srajeswaran
Staff
Staff

Created on ‎10-01-2023 12:58 AM

You have split tunneling enabled, which means the internet traffic is supposed to go outside the tunnel. Is the internet working fine when VPN is disconnected?
Can you share the policy the non-working traffic is hitting and the SSL VPN policies?

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

540
0 Kudos
SouthTHTHTH
New Contributor
In response to srajeswaran

Created on ‎10-01-2023 02:57 AM

When I disable the policy the VPN network is OK 

Here is the policy that created by the tutorial

 

e3.jpg

 

and this is a LAN to WAN policy which is normal policy to allow the internet access

e4.jpg

533
0 Kudos
srajeswaran
Staff
Staff
In response to SouthTHTHTH

Created on ‎10-01-2023 03:02 AM

As per the below image, we are sending traffic out, but there is no response. Can you confirm the incoming and outgoing interface for this? Is this WAN to WAN ? Are you connecting to SSL VPN from LAN itself?


 

image.png

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

531
0 Kudos
SouthTHTHTH
New Contributor
In response to srajeswaran

Created on ‎10-01-2023 03:14 AM Edited on ‎10-01-2023 03:16 AM

According to the picture it was the LAN to WAN policy that I created before implement VPN which is used to work normally before and when I disable the VPN policies the log from LAN to WAN policy works fine.

Here is more detail from log:

e5.jpge6.jpg

ps. the NAT ip is the SSLVPN IP not the real WAN IP

525
0 Kudos
SouthTHTHTH
New Contributor

Created on ‎10-01-2023 07:01 PM

I think I have found the solution, but I'm not sure if it's best practice.

Since the NAT IP isn't the real WAN IP as it is supposed to be, I forced the LAN to WAN policy to NAT by IP Pool with the WAN IP that I got from an ISP.(manually create)

 

But I don't have a static fixed WAN IP. When my WAN IP is renewed, that seems like the solution won't work.

 

I have looked again at the WAN to LAN policy according to the tutorial (step 4) which seems like the cause of the problem, so, I disabled it and created the new policy with a new setting instead.

The new policy setting is:

  • Incoming interface:  VPN tunnel
  • Outgoing Interface: LAN

I also limited the source from 'all' to just VPN subnet and VPN users.

 

Now I can use VPN and the VPN network can access the Internet.

487
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.