Internet access for VPN SSL CLIENT

Author
kssupport
2020/10/06 02:17:49 (permalink)


Hello there,
Please help.
We are using an FG30E with firmware 5.6.12.
We have created a VPN SSL with tunnel mode, and the client can connect successfully.
We have created 3 policies (as shown in the video tutorial):
- WAN to VPN SSL, I don't think this has a problem, since the client can connect to the VPN SSL.
- VPN SSL to LAN, I assume this has no problem, since the client can access the LAN after connecting to the VPN SSL.
- VPN SSL to WAN, with configuration:
source: all IP, list of users vpn
destination: all
service: all
NAT: ON
AV: ON
accept connection.
 
FortiGate restarted. The client connects to the VPN SSL, success.
But the client can't access the internet (trying to browse any website).

Need help please. Thank you.
#1
sw2090
Re: Internet access for VPN SSL CLIENT 2020/10/06 07:27:26 (permalink) Helpful by kssupport 2020/10/07 00:26:18
You shouldn't allow WAN to VPN. This is creating security woes and you do not really need it.
For internet you need VPN to WAN, so that's OK. Does the client have a default route to your FGT over the VPN?
 
#2
kssupport
Re: Internet access for VPN SSL CLIENT 2020/10/06 17:31:26 (permalink)
Hello.

Noted. WAN to SSL already deleted.
Thanks.

Does the client have a default route to your FGT over the vpn --> do we need to create a static route for this?
Source: all, gateway: gateway FG (internet), interface ssl root?
 
#3
sw2090
Re: Internet access for VPN SSL CLIENT 2020/10/06 23:15:23 (permalink)
Not on the FGT. The route must be client-side.
Since we don't use SSL VPN I can't say much about how to push routes with it.
#4
kssupport
Re: Internet access for VPN SSL CLIENT 2020/10/07 00:26:05 (permalink)
Noted. Will check. Thanks.
 
#5
fcb
Re: Internet access for VPN SSL CLIENT 2020/10/08 13:21:54 (permalink)
No Internet means cannot access a web page? I am asking in case there is a DNS or other issue.
 
Depending on the mode of the VPN you will NOT have a default gateway on the client.
 
A great tool for this is the built-in packet sniffer. Log into the web UI or via SSH and type exactly this:
 
diagnose sniffer packet any 'host 10.10.10.10 and port 443' 4
 
Obviously replace 10.10.10.10 with the IP that your SSLVPN client has when connected. Either break down the packets or paste them into a txt file and post them back.
#6
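One way to break down the sniffer output requested in the last reply, as an added example that is not part of any post in this thread: it reads verbosity-4 lines and reports whether the client's traffic reaches the FortiGate through the tunnel and whether anything is sent back. The tunnel interface name `ssl.root`, the line layout and the capture text are assumptions constructed for illustration.

```python
import re

# Assumed verbosity-4 line shape:
#   "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <info>"
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse(text):
    """Yield one dict per packet line; banner and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def diagnose(text, client_ip, tunnel_if="ssl.root"):
    """Return (verdict, flows the client opened that never got a reply)."""
    sent, answered = set(), set()
    for p in parse(text):
        if p["iface"] != tunnel_if:
            continue
        if p["dir"] == "in" and p["src"] == client_ip:
            sent.add((p["dst"], p["dport"]))        # client -> FortiGate
        elif p["dir"] == "out" and p["dst"] == client_ip:
            answered.add((p["src"], p["sport"]))    # FortiGate -> client
    if not sent:
        # Nothing arrived from the client: it is not routing this
        # traffic into the tunnel (no default route, or DNS failed first).
        return "no-client-traffic", []
    unanswered = sorted(sent - answered)
    return ("no-reply" if unanswered else "ok"), unanswered

# Constructed captures, not taken from the thread.
NO_REPLY = """\
interfaces=[any]
filters=[host 10.10.10.10 and port 443]
1.204511 ssl.root in 10.10.10.10.51514 -> 203.0.113.80.443: syn 3124958831
2.207344 ssl.root in 10.10.10.10.51514 -> 203.0.113.80.443: syn 3124958831
"""
REPLIED = NO_REPLY + (
    "2.251020 ssl.root out 203.0.113.80.443 -> 10.10.10.10.51514: "
    "syn 998877 ack 3124958832\n"
)

if __name__ == "__main__":
    for name, cap in (("no reply", NO_REPLY), ("replied", REPLIED), ("empty", "")):
        print(name, diagnose(cap, "10.10.10.10"))
```

With NAT enabled on the VPN-to-WAN policy, the packet leaving the WAN side carries a translated source address, so a filter on the client's tunnel IP only shows the tunnel side of each flow; that is why the verdict is based on the tunnel interface alone.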