sepdavid
New Contributor

SSL VPN: how to push a route in tunnel mode?

Hello,

I'm using an FG-81E, v6.0.4.

I created an SSL VPN in tunnel mode, no split tunnel.

When I'm using hotspot, LAN, or Wi-Fi I can connect to the SSL VPN and reach my servers.

But when I'm using a cellular modem I can't reach my servers; I'm getting: PING: transmit failed. General failure.

I checked my routing table and I can see no route to my servers; when I manually add a route in Windows I can reach my servers.

My question is: how can I push a proper route to clients?

hotspot

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f0d4:4bb0:1eb7:fc29%17
   IPv4 Address. . . . . . . . . . . : 192.168.43.138
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.43.1

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.138     55
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     192.168.43.0    255.255.255.0         On-link    192.168.43.138    311
   192.168.43.138  255.255.255.255         On-link    192.168.43.138    311
   192.168.43.255  255.255.255.255         On-link    192.168.43.138    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.43.138    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.43.138    311
===========================================================================

hotspot + sslvpn

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7013:80a4:d2a8:345a%18
   IPv4 Address. . . . . . . . . . . : 20.212.134.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 20.212.134.201

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::f0d4:4bb0:1eb7:fc29%17
   IPv4 Address. . . . . . . . . . . : 192.168.43.138
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.43.1

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.138     55
          0.0.0.0          0.0.0.0   20.212.134.201   20.212.134.200      1
   20.212.134.200  255.255.255.255         On-link    20.212.134.200    257
        gatewayip  255.255.255.255     192.168.43.1   192.168.43.138     55
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      169.254.1.1  255.255.255.255   20.212.134.201   20.212.134.200      2
     192.168.43.0    255.255.255.0         On-link    192.168.43.138    311
     192.168.43.1  255.255.255.255         On-link    192.168.43.138     55
   192.168.43.138  255.255.255.255         On-link    192.168.43.138    311
   192.168.43.255  255.255.255.255         On-link    192.168.43.138    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.43.138    311
        224.0.0.0        240.0.0.0         On-link    20.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.43.138    311
  255.255.255.255  255.255.255.255         On-link    20.212.134.200    257

C:\Windows\system32>ping 10.0.0.3

Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time=179ms TTL=127
Reply from 10.0.0.3: bytes=32 time=50ms TTL=127
Reply from 10.0.0.3: bytes=32 time=63ms TTL=127

cell modem

PPP adapter Pelephone Internet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.43.91.60
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link       10.43.91.60     56
      10.43.91.60  255.255.255.255         On-link       10.43.91.60    311
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4556
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4556
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4556
        224.0.0.0        240.0.0.0         On-link       10.43.91.60     56
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
  255.255.255.255  255.255.255.255         On-link       10.43.91.60    311
===========================================================================

cell modem + sslvpn

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7013:80a4:d2a8:345a%18
   IPv4 Address. . . . . . . . . . . : 20.212.134.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 20.212.134.201

PPP adapter Pelephone Internet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.43.91.60
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link       10.43.91.60     56
          0.0.0.0          0.0.0.0   20.212.134.201   20.212.134.200      1
      10.43.91.60  255.255.255.255         On-link       10.43.91.60    311
   20.212.134.200  255.255.255.255         On-link    20.212.134.200    257
        gatewayip  255.255.255.255         On-link       10.43.91.60     55
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4556
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4556
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
      169.254.1.1  255.255.255.255   20.212.134.201   20.212.134.200      1
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4556
        224.0.0.0        240.0.0.0         On-link       10.43.91.60     56
        224.0.0.0        240.0.0.0         On-link    20.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
  255.255.255.255  255.255.255.255         On-link       10.43.91.60    311
  255.255.255.255  255.255.255.255         On-link    20.212.134.200    257
===========================================================================

C:\Windows\system32>ping 10.0.0.3

Pinging 10.0.0.3 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 10.0.0.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>route add 10.0.0.0 mask 255.255.255.0 20.212.134.200
 OK!

C:\Windows\system32>ping 10.0.0.3

Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time=179ms TTL=127
Reply from 10.0.0.3: bytes=32 time=50ms TTL=127
Reply from 10.0.0.3: bytes=32 time=63ms TTL=127


1 Solution
Toshi_Esumi
Esteemed Contributor III

As you answered yourself by checking the routing table for each situation, the default route:

0.0.0.0 0.0.0.0 20.212.134.201 20.212.134.200 1

is there regardless of hotspot or cell modem. So FortiClient is doing what it's supposed to be doing and, routing-wise, there is no reason not to be able to get to 10.0.0.x over the SSL VPN. The only alarming part is that your cell GW is 10.x.x.x. But it's /32 instead of 10/8, so it shouldn't take away your packets to 10.0.0.x.

It's a question for the cell modem + carrier provider, or for Microsoft, whatever the Windows version is.
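To check the solution's routing argument against the posted "cell modem + sslvpn" table, here is an added Python example (not code from the thread or from Fortinet). It applies the Windows selection rule (longest matching prefix, then lowest metric) and assumes 203.0.113.10 as a stand-in for the masked "gatewayip" and metric 257 for the manually added route.

```python
import ipaddress

# Route table constructed from the "cell modem + sslvpn" route print above:
# (destination, netmask, gateway, interface, metric). The FortiGate's public
# address was masked as "gatewayip" in the post; 203.0.113.10 stands in for it.
ROUTES = [
    ("0.0.0.0",        "0.0.0.0",         "On-link",        "10.43.91.60",    56),
    ("0.0.0.0",        "0.0.0.0",         "20.212.134.201", "20.212.134.200", 1),
    ("10.43.91.60",    "255.255.255.255", "On-link",        "10.43.91.60",    311),
    ("20.212.134.200", "255.255.255.255", "On-link",        "20.212.134.200", 257),
    ("203.0.113.10",   "255.255.255.255", "On-link",        "10.43.91.60",    55),
    ("127.0.0.0",      "255.0.0.0",       "On-link",        "127.0.0.1",      4556),
    ("169.254.1.1",    "255.255.255.255", "20.212.134.201", "20.212.134.200", 1),
    ("224.0.0.0",      "240.0.0.0",       "On-link",        "10.43.91.60",    56),
    ("224.0.0.0",      "240.0.0.0",       "On-link",        "20.212.134.200", 257),
]

def lookup(dest, routes=ROUTES):
    """Pick the route Windows would use: longest matching prefix first,
    then lowest metric. Returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr not in network:
            continue
        rank = (-network.prefixlen, metric)   # more specific wins, then cheaper
        if best is None or rank < best[0]:
            best = (rank, gw, iface)
    return None if best is None else (best[1], best[2])

def egress_interface(dest, routes=ROUTES):
    """Adapter address a packet to dest leaves on (interface field of lookup)."""
    hit = lookup(dest, routes)
    return None if hit is None else hit[1]

def with_manual_route(routes=ROUTES, metric=257):
    """The poster's workaround, 'route add 10.0.0.0 mask 255.255.255.0
    20.212.134.200'. Metric 257 (the tunnel adapter's own) is assumed."""
    return routes + [("10.0.0.0", "255.255.255.0", "20.212.134.200",
                      "20.212.134.200", metric)]

if __name__ == "__main__":
    # 10.0.0.3 already selects the tunnel; the /32 cell route only covers 10.43.91.60
    for dest in ("10.0.0.3", "10.43.91.60", "203.0.113.10", "8.8.8.8"):
        print(dest, "->", lookup(dest))
    print("10.0.0.3 after route add ->", lookup("10.0.0.3", with_manual_route()))
```

Both before and after the manual `route add`, 10.0.0.3 resolves to the tunnel adapter 20.212.134.200, which is why the table alone does not explain the "General failure".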


sepdavid

Understood, thank you!

I can't do much with the carrier IPs.

Do you think a virtual IP workaround is possible?

Toshi_Esumi
Esteemed Contributor III

The only thing I can think of to make your remote access work is to split the tunnel so that the FGT injects all local subnets, including 10.0.0.0/24, through FortiClient into the PC/laptop's routing table. Then you don't have to put the static routes in manually. Obviously the internet traffic doesn't come to the FGT but goes out through the cell carrier with split tunnel.

Since the issue is likely caused by the modem driver, especially if it's a USB stick type, there's not much else you can do from the FGT side. Nowadays those have become almost extinct in our country (U.S.) and only MiFi devices are distributed to connect to 4G LTE (then 5G soon), which don't require any driver on the PC/laptop.

sepdavid

The thing is, I do need all traffic through the VPN.

So I went and bought a 4G LTE Wi-Fi modem; all works well now.

Thank you so much for your help.
