connect to remote vpn site through forticlient

Raffael Hotz
New Member
2019/10/07 04:22:32 (permalink)

Hello there,
 
I have 3 sites, A, B, C. A and C with public IP, B behind NAT. I have set up a Site-to-Site VPN between A and B, A and C and B and C. So far so good, I can work with all sites when I am in one of the local subnets. But now, I want to work remotely. With the FortiClient I can already connect to each site. But I don't want to connect to each site, I want to connect to one site and manage all 3 sites.
 
I thought it is enough to do policies like "forticlient_interface" to "vpn_A", "forticlient_interface" to "vpn_b" and "vpn_A" to "forticlient_interface", "vpn_B" to "forticlient_interface". The FortiClient VPN is in the same management subnet 10.0.1.0/24 from where I can reach all sites when I am connected locally.
 
Is there anything I am missing?
 
Hope you guys can help.
 
Thanks,
Raffael
#1

6 Replies

    Toshi Esumi
    Expert Member
    Re: connect to remote vpn site through forticlient 2019/10/07 08:55:23 (permalink)
    Check 1) routes, 2) policies, and 3) network selectors (phase2), especially at the remote sites. They need to know the client subnet and where (VPN) to route to, and it needs to be allowed by policies and selectors.
    #2
    tranhuyvu
    New Member
    Re: connect to remote vpn site through forticlient 2019/10/07 21:20:39 (permalink)
    You're having the same /24 network on each site on your SSL VPN interface. That's the reason why you can't reach other 2 sites once you're connected to one. Here's an example of what you should do.
    Assign 10.0.1.0/24 to site A, 10.0.2.0/24 on site B, 10.0.3.0/24 on site C.
    On site A, create 2 static routes. 10.0.2.0/24 goes to A-B tunnel. 10.0.3.0/24 goes to A-C tunnel.
    On site B, create 2 static routes. 10.0.1.0/24 goes to A-B tunnel. 10.0.3.0/24 goes to B-C tunnel.
    On site C, create 2 static routes. 10.0.1.0/24 goes to A-C tunnel. 10.0.2.0/24 goes to B-C tunnel.
     
    Then create policies on each tunnel accordingly.
    #3
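    The three checks from #2 (routes, policies, phase 2 selectors) and the per-site route pattern from #3, written out as FortiOS CLI for one client pool that terminates on site A and is reached from site B over the A-B tunnel. This is an added example, not configuration posted by either member or taken from the thread. Assumptions: a dedicated client pool 10.0.100.0/24 (hypothetical; it deliberately does not reuse the 10.0.1.0/24 management subnet), the SSL VPN interface "ssl.root" with a user group "sslvpn_users" on site A, tunnel interfaces named "vpn_B" on site A and "vpn_A" on site B, site B's LAN 10.10.1.0/24 on port "internal", and FortiOS 6.x syntax. Lines starting with # are annotations, not CLI input.

```text
# ---- Site A (hub, where FortiClient connects) ----
config firewall address
    edit "SSLVPN_POOL"          # hypothetical client pool, assumed to be the ssl.root ip-pool
        set subnet 10.0.100.0 255.255.255.0
    next
    edit "siteB_LAN"
        set subnet 10.10.1.0 255.255.255.0
    next
end
# Check 3: phase 2 selector on the A-B tunnel must cover client pool <-> site B LAN,
# in addition to the existing site-to-site selector
config vpn ipsec phase2-interface
    edit "vpn_B_clients"
        set phase1name "vpn_B"
        set src-subnet 10.0.100.0 255.255.255.0
        set dst-subnet 10.10.1.0 255.255.255.0
    next
end
# Check 2: policies in both directions between the client interface and the tunnel
config firewall policy
    edit 0
        set name "sslvpn-to-siteB"
        set srcintf "ssl.root"
        set dstintf "vpn_B"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "siteB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn_users"   # assumed SSL VPN user group
    next
    edit 0
        set name "siteB-to-sslvpn"
        set srcintf "vpn_B"
        set dstintf "ssl.root"
        set srcaddr "siteB_LAN"
        set dstaddr "SSLVPN_POOL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- Site B (remote site) ----
config firewall address
    edit "SSLVPN_POOL_at_A"
        set subnet 10.0.100.0 255.255.255.0
    next
    edit "siteB_LAN"
        set subnet 10.10.1.0 255.255.255.0
    next
end
# Check 1: without this route, replies to the client pool follow the default route
# out to the Internet instead of back into the tunnel
config router static
    edit 0
        set dst 10.0.100.0 255.255.255.0
        set device "vpn_A"
    next
end
# Check 3: mirror image of site A's phase 2 selector
config vpn ipsec phase2-interface
    edit "vpn_A_clients"
        set phase1name "vpn_A"
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 10.0.100.0 255.255.255.0
    next
end
# Check 2: tunnel <-> LAN policies scoped to the client pool only
config firewall policy
    edit 0
        set name "clients-via-A-to-lan"
        set srcintf "vpn_A"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL_at_A"
        set dstaddr "siteB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "lan-to-clients-via-A"
        set srcintf "internal"
        set dstintf "vpn_A"
        set srcaddr "siteB_LAN"
        set dstaddr "SSLVPN_POOL_at_A"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

    Site A already has its route to 10.10.1.0/24 via "vpn_B" from the working site-to-site setup, so only site B gains a new route here; site C gets the same three pieces with "vpn_A" replaced by its own tunnel to A. Keeping the source address on every policy pinned to the client pool rather than "all" means a compromised remote client can reach only what the policy names.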
    Raffael Hotz
    New Member
    Re: connect to remote vpn site through forticlient 2019/10/10 02:48:10 (permalink)
    Hi,
     
    thanks for the answers. So no, I don't have the same subnets. They are 10.0.1.0/24, 10.10.1.0/24, and 10.20.1.0/24. The thing is, if I am on site, I am in the same subnet as I am when connected via FortiClient and then everything works fine. So I guess it is not a static routes thing, no?
     
    I will try and check my policies.
     
    Thanks so far
    #4
    sw2090
    Gold Member
    • Location: Regensburg
    Re: connect to remote vpn site through forticlient 2019/10/10 05:38:32 (permalink)
    It can (and prolly is) still a static routing thing on your client.
    When you are on site and connected to the net you have a static route via your interface that is connected to the subnet.
    If you are connected by VPN you have an interface in the VPN subnet (which is usually not the same) and no route at all to your office subnet.
    So in this case you either need to enable split tunneling or have the FortiClient rewrite your default route, having all your internet traffic going via the office FGT too. Plus of course you need policies from VPN to office subnets.
    #5
    Raffael Hotz
    New Member
    Re: connect to remote vpn site through forticlient 2019/10/11 01:43:15 (permalink)
    It's working. I disabled split tunneling and redid the client VPN, and magic happened and it is working now.
     
    Thanks guys!
    #6
    sw2090
    Gold Member
    • Location: Regensburg
    Re: connect to remote vpn site through forticlient 2019/10/11 02:01:23 (permalink)
    OK, but keep in mind that now ALL your traffic from the client goes through the VPN!
    If you don't want this to happen you must re-enable split tunneling and set it to an address group containing all subnets you want to access, plus make sure you have the necessary policies.
    #7
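    The two portal settings contrasted in #5 and #7, as FortiOS CLI: the full-tunnel configuration the OP ended up with, and the scoped split-tunnel configuration that only sends the three site subnets through the VPN. This is an added example, not configuration from the thread or from sw2090. Assumptions: the portal is named "full-access", the site LANs are 10.0.1.0/24 (A), 10.10.1.0/24 (B) and 10.20.1.0/24 (C) as stated in #4, and the FortiOS 6.x key name "split-tunneling-routing-address". Lines starting with # are annotations, not CLI input.

```text
# Address objects for the three site LANs (values from the thread)
config firewall address
    edit "siteA_LAN"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "siteB_LAN"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "siteC_LAN"
        set subnet 10.20.1.0 255.255.255.0
    next
end
# One group that lists exactly what the remote client should reach over the VPN
config firewall addrgrp
    edit "all_sites_grp"
        set member "siteA_LAN" "siteB_LAN" "siteC_LAN"
    next
end

# Variant 1 (what fixed the OP's problem): full tunnel. The client's default route
# is rewritten, so Internet traffic also transits the office FortiGate and its policies.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling disable
    next
end

# Variant 2 (what #7 recommends): split tunnel limited to the address group.
# FortiClient installs routes only for the group's members; everything else
# stays on the client's local Internet path.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "all_sites_grp"
    next
end
```

    Variant 2 still needs the ssl.root to tunnel policies for each site; the address group only controls which destinations the client routes into the VPN, not what the FortiGate permits. A quick check after reconnecting is to look at the client's routing table: with variant 2 there should be exactly three routes pointing at the VPN adapter, one per site subnet, and the default route should be unchanged.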