- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Access remote site on IPSec Site-To-Site Dial-Up V...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Access remote site on IPSec Site-To-Site Dial-Up VPN
Hello
I've a Problem and hope someone can help me.
I created a route-based IPSec Site-to-Site VPN tunnel between our headoffice and one branch office.
The branch office is using a dynamic IP, so I had to create a dial-up VPN.
The Computers on the dial-up site (branch Office) can Access the Systems on the headoffice but the headoffice can't connect to the Systems on the branch office.
In the FortiOS Handbook under "FortiGate dialup-client configurations > Route-based VPN" is written "Because communication cannot be initiated in the opposite direction, there is only one policy."
This works in both directions with policy-based VPN Connections.
Is there really no way that the headoffice can connect to systems at the branch office by using route-based dial-up VPNs?
We're using route-based VPNs because we had some issues with policy-based VPNs using a Hub-and-Spoke configuration.
The Fortinet Support told us to use route-based VPNs instead but now we have this issue...
Any idea how to solve this?
Thank you very much.
Ramon
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I guess nobody knows a soloution because there is none.
I try to open a Feature Request. We'll see if this will be possible in the future...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, your post slipped by...
Why dial-up? Just let the branch office FGT initiate the tunnel. One side is static IP, one side is dynamic IP/DDNS. These days (i.e. in FOS 5.2+) Fortinet offers a free DDNS account for FGT owners.
Using a static IP and a dynamic name, you can even use Main mode.
BTW, even with your setup you should be able to send traffic in both directions. Probably one of the 2 routes necessary is missing, or one of the policies. Check the routing table on both FGTs (Routing > Monitor) if there's a proper route for each private network.
IIRC, the FGT will create a host route for each dial-up client (a /32) dynamically on connect. This would then not work for 2 subnets. You'll see that in the Routing Monitor.
Again, drop the dial-up idea altogether.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ede_pfau
Thank you very much for your Response.
Why dial-up? Because our branch office Firewall is connected through LTE. This means we have a dynamic IP address and our LTE Provider has a NAT router in his infrastructure which prevents our headoffice Firewall from connecting to the branch office IP address.
I'll give the DynDNS Solution a Chance but it doesn't make that much sense. Our branch office Firewall might send the correct IP to the DynDNS Service but our headoffice Firewall will still not be able to connect to the branch office due to the NAT of the LTE Provider. Even if it's not a dial-up our branch office needs to initiate the connection. But if it's such a big deal for the FortiGate wether the remote IP is a DNS Name or a dial-up Connection to work correctly, I'll give it a try.
BTW our branch office Firewall isn't a FortiGate.
I'll Keep you updated.
Once again, thank you very much.
Best Regards
Ramon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This might be interesting for you: https://forum.fortinet.com/tm.aspx?m=140931
As you can see, the injected route is a "/24" so the remote side hosts should be available from the central site.
What does the routing table (Router > Monitor) look like on the central FGT after establishment of a dial-up VPN connection? CLI output preferred (get router info rout all)
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- Setting up Working IPSec tunnel dialup... 519 Views
- Can't select WAN interface for use... 255 Views
- Dialup VPN with multiple fortigates 1165 Views
- IPSec Dialup VPN, redundancy and non-static... 1288 Views
- Fortigate SD-WAN Traffic not redirected if... 1093 Views
Labels
-
FortiGate
6,527 -
FortiClient
1,302 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.