VPN-Forticlient-Fortigate-Google cloud IPSEC VPN

apuewu · ‎10-02-2019

Hi, I am facing some problem to connect my forticlient users with google cloud. If you have any solution please share.

1) Forticlient users are connected to Fortigate via IPSEC VPN. Forticlient users IP Range: 192.168.30.0/24

2) Fortigate LAN to Google cloud Servers are connected via separate IPSEC VPN.

3) So how the forticlient users will be able to access the servers in google cloud. Please check the attached image for details .

emnoc · ‎10-03-2019

What is your configuration at the hub and spoke to GCP?

Are you using quad 0.0.0.0/0 TS ? or are you specific TS?

How does GCP learn of the routes at the cloud gateway?

Is the Forticlient tunnel all or split? if later, are you advertising the GCP address range to the clients?

So many questions you have to research and provide answers.

Ken Felix

PCNSE

NSE

StrongSwan

apuewu · ‎10-03-2019

IN GCP two servers are connected in private network. GCP and HQ fortigate have a IPSEC tunel using specific TS.

I have created static route towards ipsec tunnel from HQ to GCP and vice versa

Forticlient configured with split tunnel.

Can you please elaborate a standard process for my situation.

emnoc · ‎10-03-2019

cmd.exe "netstat -nr" on machine hosting the forticlient, do you have GCP destination?

diag debug enable

diag debug flow filter daddr x.x.x.x

diag debug flow filter saddr y.y.y.y

diag debug flow show console

diag debug flow trace start 20

# x.x.x.x == something in GCP

# y.y.y.y == FC assigned address

Initiate traffic some and investigate

Does the FGT show any action? Does it find a route? a policy? allow or drop? Encrypted or not ? Is nat disable or showing up?

Many questions , you have to do some 1st level trace and debug

Ken Felix

PCNSE

NSE

StrongSwan