Site to Site VPN combined with VPN client

harrydeko · ‎01-17-2020

Hi, I do not know if anyone has tried this or that I'm implementing this wrong;

I have a customer with 2 sites with 2 Fortigates, connected with a site-to-site IPSec VPN connection.

At the office:

At site A i have a Domain Controller, users can access data on site B, everyone at the office is happy

At site B i have a Domain Controller, users can access data on site A, everyone at the office is happy

Now users who are outside the buildings:

What we want is that a user connects remotely to site A (using the VPN Client on a Windows system) can access data at site B.

For now they disconnect site A and connect to site B, but can this be done without this step?

I hope you understand what I mean by this?

I've already searched these forums in hope to find anyone with the same setup but am not able to find any cases..

ernest_louie · ‎03-08-2020

Hi Harry - I also have a very similar (almost exact) issue as what you are describing. Site A, B, C are setup as a Hub/Spoke VPN configuration (I believe) - Site-A being the Hub and Site B & C are the Spokes. FortiClients remote into Site-A. These FortiClients can access resources (Servers) in Site-A as well as Site-B, however, they can NOT currently access the resources in Site-C. So, what you are trying to do, is done in this network. However, I need to also have these users be able to access the Server in Site-C. This issue only occurs with my Remote (FortiClient) users. The local users (on the LAN segment) at Site-A and Site-B can access the Server in Site-C.

I am currently, trying to figure this out for my client as well. I am currently trying to understand the behavior when the FortiClient remotes into each site, before I take any action. The FortiClients are on a different IP subnet (ex: 172.16.x.y/24) from the Internal/LAN employees (192.168.x.y/24) , so I will need to debug on how the "good" case works (find out which policies are being used) and apply similar policies/routes at Site-C and Site-A... at least this is my approach to finding out how it works between Site-A and Site-B. I will continue to monitor and post if I find anything. Good luck.

sw2090 · ‎03-09-2020

side a and side b must have static route to each other and to the vpn subnet (on side b with FGT on side a as gw).

Then you need policies to allow the traffic.

I'd also recommend to enable split tunneling on the dial in vpn because without the complete interet traffic of the client will go through side a.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ernest_louie · ‎03-09-2020

Hi sw2090 - Thanks for your insight on this issue. I have reviewed my configuration and I believe you are correct regarding a return route back to the Remote VPN subnet. I have identified that I don't have a static route at site-C, so I will implement that tonight or tomorrow and post the results. Again thanks!

ernest_louie · ‎03-09-2020

Hi sw2090 - Yes, you nailed it. Create static route; create FW policies and all is working as expected. Thanks! Gave you 5-kudos!

it19 · ‎03-26-2020

Hi @ernest_louie,

Glad you got your config working.

I have exactly the same issue as you did:

Site A to Site B have a permanent vpn tunnel that is working both ways.

I have dialUP IPSec VPN tunnel with it's own subnet set-up on Site A FG that is allowing access to the LAN at site A and this is working fine. The associated policy for this has NAT enabled.

I also need users to also be able to access site B LAN via this dialUP VPN, but this is not working.

On site A FG, I have added:

- Static route to route traffic for dialUP VPN subnet to be routed to the dialup VPN Tunnel interface.

- Policy from dialUP VPN interface to Tunnel interface between site A and B with NAT enabled.

- Policy from Site A to B Tunnel interface to dialUP VPN interface with NAT enabled.

On site B FG:

-Static route to route traffic for dialUP VPN subnet to be routed through the VPN Tunnel interface between site A and B.

-Policy from Tunnel interface between site A and B to LAN with NAT enabled for the dialUP VPN subnet.

-Policy from LAN interface to Tunnel interface between site A and B with NAT enabled for the dialUP VPN subnet.

What am I missing or need to change?

I would be really grateful if you would please direct me to how I can get this working like your scenario.

Thanks in advance.

ernest_louie · ‎04-06-2020

Hi it@towpt.com We'll take it step by step: 1. On Site-A, can you do this and post you Site-A's configuration? From CLI, type...for example. Remember your IPSec VPN interface may have a different name. (if you don't know, then after the "config system interface" cmd, the next cmd you can type is "show" and hit Enter key to display all your interfaces: FGT# config system interface FGT (interface)# edit IPSec_VPN FGT (IPSec_VPN) # show config system interface edit "IPSec_VPN" set vdom "root" set ip 169.254.1.1 255.255.255.255 set allowaccess fabric set type tunnel set remote-ip 169.254.1.1 255.255.255.255 set snmp-index 4 set interface "wan1" next end NOTE: You may not have all the parameters as I have, and they may be different... That is OK... I just want to understand what you have, so I can try to help. - Ernie

it19 · ‎04-08-2020

Hi @ernest_louie,

Thank you so much for taking the time to reply!

The output I get is :

For the Site to Site (A-B) VPN:

config system interface edit "SiteA-SiteB" set vdom "root" set type tunnel set snmp-index 17 set interface "wan1" next end

For the Dialup:

edit "IPS-VPN_DU" set vdom "root" set ip 169.254.1.4 255.255.255.255 set allowaccess fabric set type tunnel set remote-ip 169.254.1.4 255.255.255.255 set snmp-index 22 set interface "wan1" next

minh2 · ‎04-12-2023

I also have the same problem, I tried many ways to route but it still doesn't work, maybe I'm not doing it right can anyone help me.

minh2 · ‎04-12-2023

in the static route:

destination: 0.0.0.0/0.0.0.0

gateway: 0.0.0.0

interface: tunnel vpn site to site