VPN-Forticlient-Fortigate-Google cloud IPSEC VPN

apuewu
2019/10/02 23:47:21 (permalink)

Hi, I am facing a problem connecting my FortiClient users to Google Cloud. If you have any solution, please share.
 
1) FortiClient users are connected to the FortiGate via IPsec VPN. FortiClient users' IP range: 192.168.30.0/24
2) The FortiGate LAN and the Google Cloud servers are connected via a separate IPsec VPN.
3) So how will the FortiClient users be able to access the servers in Google Cloud? Please check the attached image for details.

#1
emnoc
Re: VPN-Forticlient-Fortigate-Google cloud IPSEC VPN 2019/10/03 00:47:38 (permalink)
What is your configuration at the hub and spoke to GCP?
Are you using quad 0.0.0.0/0 TS, or are you using specific TS?
How does GCP learn of the routes at the cloud gateway?
Is the FortiClient tunnel all or split? If the latter, are you advertising the GCP address range to the clients?
So many questions you have to research and provide answers.
 
Ken Felix

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#2
apuewu
Re: VPN-Forticlient-Fortigate-Google cloud IPSEC VPN 2019/10/03 01:59:07 (permalink)
In GCP, two servers are connected in a private network. GCP and the HQ FortiGate have an IPsec tunnel using specific TS.
I have created a static route towards the IPsec tunnel from HQ to GCP and vice versa.
FortiClient is configured with split tunnel.
Can you please elaborate on a standard process for my situation?
 
#3
emnoc
Re: VPN-Forticlient-Fortigate-Google cloud IPSEC VPN 2019/10/03 02:53:19 (permalink)
 
cmd.exe "netstat -nr" on the machine hosting the FortiClient: do you have the GCP destination?
 
diag debug enable
diag debug flow filter daddr x.x.x.x
diag debug flow filter saddr y.y.y.y
diag debug flow show console enable
diag debug flow trace start 20
 
# x.x.x.x == something in GCP
# y.y.y.y == FC assigned address
 
Initiate some traffic and investigate.
 
Does the FGT show any action? Does it find a route? A policy? Allow or drop? Encrypted or not? Is NAT disabled or showing up?
 
Many questions; you have to do some first-level trace and debug.
 
Ken Felix
 
 

PCNSE, NSE, Forcepoint, StrongSwan Specialist
#4
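
The questions raised in replies #2 and #4 (split-tunnel advertisement, hub routing, traffic selectors, return route) can be checked on paper before running the flow trace. The following is an added example, not part of the original thread: only the client pool 192.168.30.0/24 comes from the posts, and the HQ LAN and GCP subnets, the dictionary keys and the function names are constructed for illustration.

```python
from ipaddress import ip_network

def covered(target, prefixes):
    """True if `target` lies entirely inside at least one of `prefixes`."""
    net = ip_network(target)
    return any(net.subnet_of(ip_network(p)) for p in prefixes)

def check_path(cfg):
    """Return the gaps found on the client -> FortiGate -> GCP path."""
    pool, gcp = cfg["client_pool"], cfg["gcp_subnet"]
    gaps = []
    # Split tunnel: the client only routes what the gateway advertises.
    if not covered(gcp, cfg["split_tunnel_routes"]):
        gaps.append("split tunnel does not advertise the GCP range")
    # Hub routing: the FortiGate must send GCP traffic into the GCP tunnel.
    if not covered(gcp, cfg["fgt_routes_via_gcp_tunnel"]):
        gaps.append("FortiGate has no route to GCP via the tunnel")
    # Specific TS: one selector pair must cover both source and destination.
    if not any(covered(pool, [local]) and covered(gcp, [remote])
               for local, remote in cfg["gcp_tunnel_selectors"]):
        gaps.append("no traffic selector covers client pool -> GCP")
    # Return path: GCP must route the client pool back into the tunnel.
    if not covered(pool, cfg["gcp_routes_via_tunnel"]):
        gaps.append("GCP has no return route to the client pool")
    return gaps

POOL = "192.168.30.0/24"    # from the thread
HQ_LAN = "192.168.1.0/24"   # constructed placeholder
GCP_NET = "10.128.0.0/20"   # constructed placeholder

# Constructed case: everything was built for the HQ LAN only.
LAN_ONLY = {
    "client_pool": POOL, "gcp_subnet": GCP_NET,
    "split_tunnel_routes": [HQ_LAN],
    "fgt_routes_via_gcp_tunnel": [GCP_NET],
    "gcp_tunnel_selectors": [(HQ_LAN, GCP_NET)],
    "gcp_routes_via_tunnel": [HQ_LAN],
}
# Same setup with the client pool added on every hop.
WITH_POOL = dict(LAN_ONLY,
    split_tunnel_routes=[HQ_LAN, GCP_NET],
    gcp_tunnel_selectors=[(HQ_LAN, GCP_NET), (POOL, GCP_NET)],
    gcp_routes_via_tunnel=[HQ_LAN, POOL])

if __name__ == "__main__":
    for name, cfg in (("LAN_ONLY", LAN_ONLY), ("WITH_POOL", WITH_POOL)):
        print(name, check_path(cfg) or "no gap found")
```

The check covers addressing only; whether a firewall policy permits the traffic and whether NAT is applied still has to be read from the debug flow trace.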