IPsec Client VPN

Author
selokoeb
New Member
  • Total Posts : 2
  • Joined: 2021/08/31 05:42:32
2021/08/31 05:49:48 (permalink)
0

IPsec Client VPN

Hi, I have set up a client-to-site VPN in my firewall. Now I have created different IPsec VPNs for different departments, but they are using the same remote gateway. I want to control the environments that different departments need to access. The issue is that once I enable the different policies for the different groups, the FortiClient cannot connect. But once I disable all the policies and enable only one policy, I am able to connect and access my network. What could be the issue?
#1

3 Replies

    sw2090
    Expert Member
    • Total Posts : 1012
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    Re: IPsec Client VPN 2021/09/01 02:19:24 (permalink)
    0
    Hm, maybe if you enable those policies none of them matches the VPN traffic? Without a (matching) policy the VPN will not connect. The IPsec debug log on the CLI of your FGT will show you a corresponding error upon connecting in this case.
     
    I control different VPNs (S2S as well as C2S) by simply using the corresponding VPN interface as source interface and the corresponding VPN subnet as source address(es). Works fine here.

    -- 
    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
    #2
    selokoeb
    New Member
    • Total Posts : 2
    • Joined: 2021/08/31 05:42:32
    Re: IPsec Client VPN 2021/09/01 22:22:59 (permalink)
    0
    OK, thanks for your response. Now tell me, how would you go about configuring a C2S IPsec VPN for an organization and then separating each department so that they can access only the networks they have the right to access?
     
    #3
    sw2090
    Expert Member
    • Total Posts : 1012
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    Re: IPsec Client VPN 2021/09/02 00:09:48 (permalink)
    0
    I would do that per department. Each department has a C2S to HQ. So all people at a department can dial in using the C2S of their department. This will require using peer IDs at the remote gateway to have the FGT use the right tunnel. Then you could do mode config to distribute IP addresses to clients, and then you could use that tunnel interface plus subnet for policies...
     
    I here have C2S to our HQ for home office, for the IT dept and some more, and they are done that way and it works fine.

    -- 
    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
    #4
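    The layout sw2090 describes, written out as an added FortiOS CLI example (this is not from the thread and not Fortinet's own documentation): two dial-up phase1s terminate on the same WAN interface and are told apart by peer ID, each hands out its own mode-config address pool, and the firewall policies use that tunnel interface plus that pool as the source, so a department can only reach the destinations its policy names. Interface names (wan1, port2), subnets, peer IDs, address objects and the pre-shared keys are placeholders; keyword details vary a little between FortiOS releases, so check them against your version. The diagnose lines at the end are the IKE debug sw2090 refers to in reply #2.

```fortios
# --- one dynamic (dial-up) phase1 per department, same WAN interface ---
config vpn ipsec phase1-interface
    edit "c2s-it"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive              # aggressive mode sends the peer ID in the first exchange
        set peertype one
        set peerid "it-dept"             # FortiClient "Local ID" must match this
        set mode-cfg enable
        set ipv4-start-ip 10.212.10.1    # placeholder pool for IT clients
        set ipv4-end-ip 10.212.10.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "it-servers"   # push only the routes this group may reach
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <it-dept-psk>      # placeholder
    next
    edit "c2s-finance"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "finance-dept"        # different ID, so the FGT picks this tunnel
        set mode-cfg enable
        set ipv4-start-ip 10.212.20.1    # placeholder pool for finance clients
        set ipv4-end-ip 10.212.20.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "finance-servers"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <finance-dept-psk> # placeholder
    next
end

config vpn ipsec phase2-interface
    edit "c2s-it-p2"
        set phase1name "c2s-it"
        set proposal aes256-sha256
    next
    edit "c2s-finance-p2"
        set phase1name "c2s-finance"
        set proposal aes256-sha256
    next
end

# --- address objects: one per client pool, one per allowed destination ---
config firewall address
    edit "it-vpn-clients"
        set subnet 10.212.10.0 255.255.255.0
    next
    edit "finance-vpn-clients"
        set subnet 10.212.20.0 255.255.255.0
    next
    edit "it-servers"
        set subnet 10.10.10.0 255.255.255.0      # placeholder
    next
    edit "finance-servers"
        set subnet 10.10.20.0 255.255.255.0      # placeholder
    next
end

# --- policies: tunnel interface + its pool as source, nothing else matches ---
config firewall policy
    edit 0
        set name "vpn-it-to-it-servers"
        set srcintf "c2s-it"
        set dstintf "port2"
        set srcaddr "it-vpn-clients"
        set dstaddr "it-servers"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn-finance-to-finance-servers"
        set srcintf "c2s-finance"
        set dstintf "port2"
        set srcaddr "finance-vpn-clients"
        set dstaddr "finance-servers"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- IKE debug while a client connects (turn it off again afterwards) ---
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the connection attempt, read the output, then:
diagnose debug disable
diagnose debug reset
```

    Because the source interface in each policy is the department's own tunnel interface, a client that authenticated on "c2s-it" cannot match the finance policy even if it spoofed a finance-pool address, and there is no policy that sends either tunnel to the other department's servers. If a new tunnel brings the client up but nothing is reachable, the first thing to compare in the IKE debug is the ID the client sent against the peerid on each phase1.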