Site to Site VPN combined with VPN client

Author
harrydeko
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/17 05:25:29
  • Status: offline
2020/01/17 05:39:13 (permalink)
0

Site to Site VPN combined with VPN client

Hi, I do not know if anyone has tried this or whether I'm implementing this wrong;
I have a customer with 2 sites with 2 Fortigates, connected with a site-to-site IPSec VPN connection.
 
At the office:
At site A I have a Domain Controller, users can access data on site B, everyone at the office is happy
At site B I have a Domain Controller, users can access data on site A, everyone at the office is happy
 
Now users who are outside the buildings:
What we want is that a user connects remotely to site A (using the VPN Client on a Windows system) can access data at site B.
For now they disconnect site A and connect to site B, but can this be done without this step?
 
I hope you understand what I mean by this?
 
I've already searched these forums in the hope of finding anyone with the same setup, but am not able to find any cases.
#1

7 Replies

    ernest_louie@yahoo.com
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/05/03 14:32:43
    • Status: offline
    Re: Site to Site VPN combined with VPN client 2020/03/08 19:07:16 (permalink)
    0
    Hi Harry - I also have a very similar (almost exact) issue as what you are describing. Site A, B, C are set up as a Hub/Spoke VPN configuration (I believe) - Site-A being the Hub and Site B & C are the Spokes. FortiClients remote into Site-A. These FortiClients can access resources (Servers) in Site-A as well as Site-B, however, they can NOT currently access the resources in Site-C. So, what you are trying to do is done in this network. However, I need to also have these users be able to access the Server in Site-C. This issue only occurs with my Remote (FortiClient) users. The local users (on the LAN segment) at Site-A and Site-B can access the Server in Site-C.
    I am currently trying to figure this out for my client as well. I am currently trying to understand the behavior when the FortiClient remotes into each site, before I take any action. The FortiClients are on a different IP subnet (ex: 172.16.x.y/24) from the Internal/LAN employees (192.168.x.y/24), so I will need to debug how the "good" case works (find out which policies are being used) and apply similar policies/routes at Site-C and Site-A... at least this is my approach to finding out how it works between Site-A and Site-B. I will continue to monitor and post if I find anything. Good luck.
     
    #2
    sw2090
    Expert Member
    • Total Posts : 745
    • Scores: 54
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: Site to Site VPN combined with VPN client 2020/03/09 00:42:57 (permalink)
    5 (2)
    Site A and Site B must have static routes to each other and to the VPN subnet (on Site B with the FGT on Site A as gateway).
    Then you need policies to allow the traffic.
    I'd also recommend enabling split tunneling on the dial-in VPN, because without it the complete internet traffic of the client will go through Site A.
    #3
    ernest_louie@yahoo.com
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/05/03 14:32:43
    • Status: offline
    Re: Site to Site VPN combined with VPN client 2020/03/09 12:12:19 (permalink)
    0
    Hi sw2090 - Thanks for your insight on this issue.  I have reviewed my configuration and I believe you are correct regarding a return route back to the Remote VPN subnet.  I have identified that I don't have a static route at site-C, so I will implement that tonight or tomorrow and post the results.  Again thanks!
     
    #4
    ernest_louie@yahoo.com
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/05/03 14:32:43
    • Status: offline
    Re: Site to Site VPN combined with VPN client 2020/03/09 23:55:30 (permalink)
    0
    Hi sw2090 - Yes, you nailed it.  Create static route; create FW policies and all is working as expected.  Thanks!  Gave you 5-kudos!
    #5
    it@towpt.com
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/26 04:12:11
    • Status: offline
    Re: Site to Site VPN combined with VPN client 2020/03/26 04:52:24 (permalink)
    0
    Hi @ernest_louie,
     
    Glad you got your config working.
     
    I have exactly the same issue as you did:
     
    Site A to Site B have a permanent vpn tunnel that is working both ways.
     
    I have a dialUP IPSec VPN tunnel with its own subnet set up on the Site A FG that is allowing access to the LAN at site A, and this is working fine. The associated policy for this has NAT enabled.
     
    I also need users to also be able to access site B LAN via this dialUP VPN, but this is not working.
     
    On site A FG, I have added:
    - Static route for the dialUP VPN subnet pointing to the dialup VPN Tunnel interface.
    - Policy from the dialUP VPN interface to the Tunnel interface between site A and B, with NAT enabled.
    - Policy from the Site A to B Tunnel interface to the dialUP VPN interface, with NAT enabled.
     
    On site B FG:
    - Static route for the dialUP VPN subnet pointing through the VPN Tunnel interface between site A and B.
    - Policy from the Tunnel interface between site A and B to LAN, with NAT enabled for the dialUP VPN subnet.
    - Policy from the LAN interface to the Tunnel interface between site A and B, with NAT enabled for the dialUP VPN subnet.

    What am I missing or need to change?
     
    I would be really grateful if you would please direct me to how I can get this working like your scenario.
     
    Thanks in advance.
     
     
    #6
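    The routing and policy set that sw2090's reply (#3) describes, and that the list in #6 is trying to build, as an added example (not any poster's configuration). Tunnel interface names reuse the ones posted in this thread ("IPSec_VPN" for the dialup tunnel, "SiteA-SiteB" for the site-to-site tunnel at Site A); everything else is assumed: a Site A LAN of 192.168.10.0/24 and a Site B LAN of 192.168.20.0/24, both on an interface named "internal", a client pool of 172.16.100.0/24, and a Site B tunnel interface named "SiteB-SiteA". Existing PSK and proposal settings on both tunnels are left untouched. Two checks a practitioner would make are built in: the phase2 selectors on the A-B tunnel cover the client pool (a route-based tunnel still only encrypts traffic that matches a selector), and NAT stays disabled on the tunnel-to-tunnel policies so Site B sees the real client addresses and its return route actually matters.

```fortios
# Added example, not any poster's config. Assumed: Site A LAN 192.168.10.0/24 and
# Site B LAN 192.168.20.0/24 on "internal", client pool 172.16.100.0/24, dialup
# tunnel "IPSec_VPN", site-to-site tunnel "SiteA-SiteB" (A) / "SiteB-SiteA" (B).

# ===== Site A (hub: terminates the dialup clients and the tunnel to B) =====
config firewall address
    edit "LAN_A"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "LAN_B"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "VPN_CLIENTS"
        set subnet 172.16.100.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "SPLIT_INCLUDE"
        set member "LAN_A" "LAN_B"
    next
end
# Existing dynamic (dialup) phase1: assign the pool; split tunneling sends only LAN_A/LAN_B via VPN
config vpn ipsec phase1-interface
    edit "IPSec_VPN"
        set mode-cfg enable
        set ipv4-start-ip 172.16.100.1
        set ipv4-end-ip 172.16.100.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "SPLIT_INCLUDE"
    next
end
# A-B phase2 selectors must also cover the client pool, not just LAN_A<->LAN_B
config vpn ipsec phase2-interface
    edit "SiteA-SiteB-clients"
        set phase1name "SiteA-SiteB"
        set src-subnet 172.16.100.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
# Route to LAN_B over the tunnel (per-client routes are installed by mode-cfg add-route)
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "SiteA-SiteB"
    next
end
# Tunnel-to-tunnel policy, NAT left at its default (disabled) so Site B sees client IPs
config firewall policy
    edit 0
        set srcintf "IPSec_VPN"
        set dstintf "SiteA-SiteB"
        set srcaddr "VPN_CLIENTS"
        set dstaddr "LAN_B"
        set action accept
        set service "ALL"
    next
end

# ===== Site B (spoke: reaches the clients only through Site A) =====
config firewall address
    edit "LAN_B"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "VPN_CLIENTS"
        set subnet 172.16.100.0 255.255.255.0
    next
end
config vpn ipsec phase2-interface
    edit "SiteB-SiteA-clients"
        set phase1name "SiteB-SiteA"
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 172.16.100.0 255.255.255.0
    next
end
# Return route: the client pool is reachable only via the tunnel to A
config router static
    edit 0
        set dst 172.16.100.0 255.255.255.0
        set device "SiteB-SiteA"
    next
end
# Client-initiated traffic into the LAN; replies match this session statefully
config firewall policy
    edit 0
        set srcintf "SiteB-SiteA"
        set dstintf "internal"
        set srcaddr "VPN_CLIENTS"
        set dstaddr "LAN_B"
        set action accept
        set service "ALL"
    next
end
```

    Only the client-to-LAN direction is shown at each site because the FortiGate is stateful: replies to sessions the clients open ride the same session. A reverse policy (LAN_B to VPN_CLIENTS at Site B, and SiteA-SiteB to IPSec_VPN at Site A) is needed only if hosts at Site B must initiate connections toward the clients. On a route-based tunnel the static route needs only the tunnel interface as device; the "FGT on Site A as gateway" wording in #3 describes the same thing, since Site A is the only path to the pool.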
    ernest_louie@yahoo.com
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/05/03 14:32:43
    • Status: offline
    Re: Site to Site VPN combined with VPN client 2020/04/06 10:26:34 (permalink)
    0
    Hi it@towpt.com
    We'll take it step by step:
    1. On Site-A, can you do this and post your Site-A configuration? From CLI, type...for example. Remember your IPSec VPN interface may have a different name. (If you don't know, then after the "config system interface" cmd, the next cmd you can type is "show" and hit the Enter key to display all your interfaces):
      FGT# config system interface
      FGT (interface)# edit IPSec_VPN
      FGT (IPSec_VPN) # show
    config system interface
        edit "IPSec_VPN"
            set vdom "root"
            set ip 169.254.1.1 255.255.255.255
            set allowaccess fabric
            set type tunnel
            set remote-ip 169.254.1.1 255.255.255.255
            set snmp-index 4
            set interface "wan1"
        next
    end
     
    NOTE: You may not have all the parameters as I have, and they may be different...
         That is OK... I just want to understand what you have, so I can try to help.
    - Ernie
    #7
    it@towpt.com
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/26 04:12:11
    • Status: offline
    Re: Site to Site VPN combined with VPN client 2020/04/08 08:26:15 (permalink)
    0
    Hi @ernest_louie,
     
    Thank you so much for taking the time to reply!
     
    The output I get is :
     
    For the Site to Site (A-B) VPN:
     
    config system interface
        edit "SiteA-SiteB"
            set vdom "root"
            set type tunnel
            set snmp-index 17
            set interface "wan1"
        next
    end
     
    For the Dialup:
     
    edit "IPS-VPN_DU"
        set vdom "root"
        set ip 169.254.1.4 255.255.255.255
        set allowaccess fabric
        set type tunnel
        set remote-ip 169.254.1.4 255.255.255.255
        set snmp-index 22
        set interface "wan1"
    next
     
    post edited by it@towpt.com - 2020/04/14 02:11:24
    #8