PIknik
New Contributor

Lost the outside connects when VPN-connect is up

Hello!

 

I have FortiClient 5.6.5 on Windows 7 x64 and connection parameters for an IPSec VPN.

 

The VPN connection works. But when the VPN connection is up, I lose connectivity with all hosts on my local network. Incoming (listening) connections to my host don't work either. Internet access works fine.

 

Now I can't work with my computer without local resources, and I can't install FortiClient on the server machine, as the outside does not have access to the VPN resources.

 

My routing table when the VPN is not connected (the host with the VPN is 10.1.2.18):

 

Network          Mask             Gateway        Interface      Metric
0.0.0.0          0.0.0.0          10.1.2.1       10.1.2.18      11
10.1.2.0         255.255.255.0    On-link        10.1.2.18      266
10.1.2.18        255.255.255.255  On-link        10.1.2.18      266
10.1.2.255       255.255.255.255  On-link        10.1.2.18      266
127.0.0.0        255.0.0.0        On-link        127.0.0.1      306
127.0.0.1        255.255.255.255  On-link        127.0.0.1      306
127.255.255.255  255.255.255.255  On-link        127.0.0.1      306
224.0.0.0        240.0.0.0        On-link        127.0.0.1      306
224.0.0.0        240.0.0.0        On-link        10.1.2.18      266
255.255.255.255  255.255.255.255  On-link        127.0.0.1      306
255.255.255.255  255.255.255.255  On-link        10.1.2.18      266

 

ping to an Internet resource - successful
ping to 10.1.2.19 - successful

 

nmap against this host from an outside host:

$ nmap 10.1.2.18

Starting Nmap 7.40 ( https://nmap.org ) at 2018-02-14 19:00 MSK
Nmap scan report for 10.1.2.18
Host is up (0.0038s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2522/tcp  open  windb
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds

 

 

My routing table when the VPN is connected:

0.0.0.0          0.0.0.0          10.1.2.1       10.1.2.18      11
0.0.0.0          0.0.0.0          192.168.121.2  192.168.121.1  2
10.1.2.0         255.255.255.0    On-link        10.1.2.18      266
10.1.2.18        255.255.255.255  On-link        10.1.2.18      266
10.1.2.255       255.255.255.255  On-link        10.1.2.18      266
127.0.0.0        255.0.0.0        On-link        127.0.0.1      306
127.0.0.1        255.255.255.255  On-link        127.0.0.1      306
127.255.255.255  255.255.255.255  On-link        127.0.0.1      306
192.168.121.1    255.255.255.255  On-link        192.168.121.1  257
100.100.100.100  255.255.255.255  10.1.2.1       10.1.2.18      10
224.0.0.0        240.0.0.0        On-link        127.0.0.1      306
224.0.0.0        240.0.0.0        On-link        10.1.2.18      266
224.0.0.0        240.0.0.0        On-link        192.168.121.1  257
255.255.255.255  255.255.255.255  On-link        127.0.0.1      306
255.255.255.255  255.255.255.255  On-link        10.1.2.18      266
255.255.255.255  255.255.255.255  On-link        192.168.121.1  257

 

ping to an Internet resource - successful
ping to 10.1.2.19 - failed

 

nmap against this host from an outside host:

$ nmap 10.1.2.18 -Pn

Starting Nmap 7.40 ( https://nmap.org ) at 2018-02-14 19:00 MSK
Nmap scan report for 10.1.2.18
Host is up.
All 1000 scanned ports on 10.1.2.18 are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.27 seconds

 

I see two default gateways, but my attempts to fix this were not successful.

 

I have no idea how I can reduce the security settings while the VPN connection is up. I need to have access to the outside from my host and/or access to my host from outside hosts.

 

I don't have access to the Forti VPN server. My only tool is FortiClient.

 

Can you help me?
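A quick way to check what the two route tables above actually say is to run a longest-prefix lookup over them. This is an added example, not code from the thread or from Fortinet; the route rows are copied from the post (abbreviated), and the tie-break rule (longest prefix first, then lowest metric) is the one Windows applies. It shows that 10.1.2.19 still matches the on-link 10.1.2.0/24 route even with the VPN up, so the second default gateway does not explain the failed ping; that is consistent with the fix found later in the thread, which is a client-side local-LAN setting rather than a route.

```python
import ipaddress

# Constructed sample: rows from the two "route print" outputs in the post,
# one route per line: Network Mask Gateway Interface Metric
BEFORE_VPN = """
0.0.0.0 0.0.0.0 10.1.2.1 10.1.2.18 11
10.1.2.0 255.255.255.0 On-link 10.1.2.18 266
10.1.2.18 255.255.255.255 On-link 10.1.2.18 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.1.2.18 266
"""

WITH_VPN = """
0.0.0.0 0.0.0.0 10.1.2.1 10.1.2.18 11
0.0.0.0 0.0.0.0 192.168.121.2 192.168.121.1 2
10.1.2.0 255.255.255.0 On-link 10.1.2.18 266
10.1.2.18 255.255.255.255 On-link 10.1.2.18 266
192.168.121.1 255.255.255.255 On-link 192.168.121.1 257
100.100.100.100 255.255.255.255 10.1.2.1 10.1.2.18 10
224.0.0.0 240.0.0.0 On-link 192.168.121.1 257
"""


def parse_routes(text):
    """Turn the five-column Windows route listing into a list of dicts."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers or blank lines
        net, mask, gateway, iface, metric = parts
        # ipaddress accepts a dotted netmask after the slash
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        routes.append({
            "network": network,
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def lookup(routes, destination):
    """Pick the route a packet to `destination` would take: longest prefix wins,
    and among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def default_gateways(routes):
    """All 0.0.0.0/0 routes, best (lowest metric) first."""
    defaults = [r for r in routes if r["network"].prefixlen == 0]
    return sorted(defaults, key=lambda r: r["metric"])


if __name__ == "__main__":
    for label, table in (("before VPN", BEFORE_VPN), ("with VPN", WITH_VPN)):
        routes = parse_routes(table)
        gws = [g["gateway"] for g in default_gateways(routes)]
        print(f"{label}: default gateways by preference {gws}")
        for dst in ("10.1.2.19", "8.8.8.8"):
            r = lookup(routes, dst)
            print(f"  {dst} -> via {r['gateway']} on {r['interface']} ({r['network']})")
```

With the VPN up the lookup for 10.1.2.19 still lands on the on-link 10.1.2.0/24 entry via interface 10.1.2.18, while Internet destinations move to the tunnel gateway 192.168.121.2 (metric 2 beats metric 11). So the LAN hosts are routed correctly; something other than the route table is dropping that traffic.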

Hkp
New Contributor

Hi,

 

If I understood your question correctly, your devices in the local subnet are not reachable when you are connected with FortiClient VPN?

 

Are you using SSL or IPSec dialup VPN? If it is IPSec, change your Phase1 configuration in the CLI (the tunnel name is case-sensitive!):

 

config vpn ipsec phase1-interface
    edit "YOUR-PHASE1-VPN-TUNNEL-NAME"
        set include-local-lan enable
    next
end

 

PIknik
New Contributor

Yes, you understood right.

 

I use IPSec VPN. How can I connect to the CLI in FortiClient?

Hkp
New Contributor

You have to connect to your FortiGate via CLI, e.g. with PuTTY.

 

FortiClient doesn't need any changes :)

PIknik
New Contributor

I don't have access to the FortiGate.

I have only the downloaded FortiClient program and the IP address of the VPN server with a login/password. This is all.

ede_pfau
Esteemed Contributor III

Actually, there is a setting locally in the FortiClient config...but I cannot guarantee that this setting will be effective. It might well be that the VPN server's setting will override it (at least that would make sense).

 

So, in FC, use

'File' menu, 'settings'

'System', 'back up complete configuration'

 

This will export the FC config as an XML file (editable with any text editor).

Look for

<vpn>
   <ipsecvpn>
      <connections>
         <connection>
         ...
         <enable_local_lan>1</enable_local_lan>

 

If the setting is '0' instead, change it to '1'. If the line doesn't exist, add it.

 

Then, save the file and restore it to FC.

Shut down FC, restart it and test.

 

Ede

"Kernel panic: Aiee, killing interrupt handler!"
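The edit ede_pfau describes (set enable_local_lan to 1 for each connection, adding the element if it is missing) is easy to get wrong by hand in a large backup, so here is a small script that does it over the exported XML. This is an added example, not FortiClient's own tooling or code from the thread: the vpn/ipsecvpn/connections/connection path and the enable_local_lan element come from the post, while the root element name, the <name> child and the sample file contents are constructed assumptions. As Ede notes, the VPN server's own setting may still override this value.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed sample of an exported FortiClient configuration.
# The root element name and the <name> child are assumptions; only the
# vpn/ipsecvpn/connections/connection path and <enable_local_lan> are
# taken from the post.
SAMPLE_CONFIG = """
<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>office-vpn</name>
          <enable_local_lan>0</enable_local_lan>
        </connection>
        <connection>
          <name>other-vpn</name>
        </connection>
      </connections>
    </ipsecvpn>
  </vpn>
</forticlient_configuration>
"""

CONNECTION_PATH = "./vpn/ipsecvpn/connections/connection"


def enable_local_lan(xml_text):
    """Return (patched_xml, changes). For every IPsec connection the flag is
    set to '1'; a missing element is added, an existing one is corrected."""
    root = ET.fromstring(xml_text)
    changes = []
    for conn in root.findall(CONNECTION_PATH):
        name = conn.findtext("name", default="<unnamed>")
        flag = conn.find("enable_local_lan")
        if flag is None:
            flag = ET.SubElement(conn, "enable_local_lan")
            flag.text = "1"
            changes.append((name, "added"))
        elif (flag.text or "").strip() != "1":
            flag.text = "1"
            changes.append((name, "changed"))
        # already '1': nothing to do, so the script is safe to re-run
    return ET.tostring(root, encoding="unicode"), changes


def local_lan_state(xml_text):
    """Map each connection name to its current enable_local_lan value
    (None when the element is absent), for checking before and after."""
    root = ET.fromstring(xml_text)
    return {c.findtext("name"): c.findtext("enable_local_lan")
            for c in root.findall(CONNECTION_PATH)}


def patch_file(path):
    """Patch a backup file in place, keeping an untouched copy as <path>.orig
    so the original can be restored into FortiClient if anything goes wrong."""
    shutil.copyfile(path, path + ".orig")
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, changes = enable_local_lan(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    return changes


if __name__ == "__main__":
    print("before:", local_lan_state(SAMPLE_CONFIG))
    patched, changes = enable_local_lan(SAMPLE_CONFIG)
    print("changes:", changes)
    print("after: ", local_lan_state(patched))
```

Run patch_file() on the XML exported via File, Settings, System, Back up complete configuration, then restore the patched file into FortiClient and restart it as described above. The <path>.orig copy is the fallback if the restore is rejected.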
PIknik
New Contributor

Yes! This works!

 

I edited the cfg file as you said, and now I can connect to other hosts in the subnet (but can't connect to hosts in other subnets, but that's fine for me).

 

Ping, telnet, ssh, etc. work.

 

Thank you very much! And sorry for my bad English)
