dominikw
New Contributor II

dialup ipsec VPN + many interfaces/subnets

Hi! I'm trying to set up access from a notebook (FortiClient) to all my subnets on different interfaces (picture below). I set up an "interface mode" IPsec VPN with proper firewall policies (I think), but I can reach ONLY the FIRST subnet defined in FortiClient. If I change the sequence of subnets in the client I can reach the next one (always only the first one), so I think the FortiGate config is OK. When I sniff traffic I can see that all packets (tested with icmp/ping) to all subnets are OK - I mean - the echo request reaches targets in every subnet AND the echo reply COMES BACK through the dialupVPN_interface !!! Do I need to set up 3 x Quick Mode Selectors (with proper subnets) in phase2 in this case? Maybe I need to use aggressive mode? (but I think it doesn't matter) Has anyone made a config like this? ... any working example? ... Thanks in advance Dominik

Dominik Weglarz, IT System Engineer
dominikw
New Contributor II

I can use a "trick", but that is not the point. When I set the remote network in FortiClient as 0.0.0.0/0, all traffic is routed to the FortiGate and I have access to all subnets. Then I had to create a policy on the FG to "let me out" to the Internet. Everything works OK but Internet browsing is slow - all traffic goes to the FG and then to the Internet. I want to route via VPN ONLY traffic to my remote subnets and all the rest via my own connection. Is it possible on FG / FortiClient VPN?

Dominik Weglarz, IT System Engineer
laf
New Contributor II

Nice scenario. Curiosity: for Internet access did you set up a FW rule from VPN_interface to wan1 with NAT? About your scenario: 0.0.0.0/0 should do it. You can't do it otherwise, I mean you have to sum up all your three networks and the result is 0.0.0.0/0. I see only one solution: change your network IP_addressing_scheme for your DMZ to 192.168.3.0/24 and sum up all these three networks in 192.168.0.0/23 in your FortiClient config.

The most expensive and scarce resource for man is time; paradoxically, it's infinite.
dominikw
New Contributor II

Yep! I did set up a FW rule from VPN to wan with NAT (IPsec in interface mode). I did almost the same for SSL-VPN, only the policy looks like: ssl.root --> wan (with NAT). BTW the idea with 192.168.0.0/23 seems to be interesting, but in 10... I have many services and it's impossible for now. I wonder about: http://kc.forticare.com/default.asp?id=580&Lang=1&SID= ???

Dominik Weglarz, IT System Engineer
Not applicable

It is possible, by adding two subnets in the FortiClient config, and adding a policy for the second subnet. How to set up FortiClient IPSec VPN to reach multiple non-sequential remote subnets on a FortiGate: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD30815&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=452235&stateId=0 I am now trying to do this with automatic policy server IPsec VPN, but still no luck yet....
dominikw
New Contributor II

Thanks man, thanks a lot !!!! Quick selector with names works perfectly !!! Actually I use 4 subnets and I can get into every one.

Dominik Weglarz, IT System Engineer
Not applicable

No problem, but I am interested in your IPsec way of connecting; are you using the FortiClient config or an automatic policy server? (With the FortiClient preshared key method it works, but I use LDAP authentication with the policy server so you don't have to mess around with keys, just the normal login people use at the office...)
dominikw
New Contributor II

I use the FortiClient config - PSK + XAuth (FG as server with local accounts).

Dominik Weglarz, IT System Engineer
Sagrat

UP this topic, same subject but with FortiOS 5.6 and FortiClient 6.

Thanks !

sw2090
Honored Contributor

The easiest way might be:

Have policies that allow traffic from the subnet you use for connecting your IPsec (client IP).

Then on the dial-up tunnel:

If you created it with the wizard you must convert it into a custom tunnel to have all the options.

Then enable mode config and split tunneling and set that to an address group containing all the subnets you need.

With that, FortiClient will not touch your default route but will give you a net route over your tunnel for any of those subnets in the above address group. With the policies you can then access them.

Works fine here since 5.4.x and up to 6.0.8.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
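As an added example (not config from any poster in this thread), this is what the split-tunnel setup sw2090 describes looks like in the FortiOS CLI for three non-contiguous subnets, using PSK + XAuth as the original poster does. All interface names, address names, subnets, the client pool and the user group are constructed placeholders, and the PSK placeholder must be replaced with a real secret.

```text
# Constructed subnets behind the FortiGate plus the pool handed out by mode config
config firewall address
    edit "LAN_A"
        set subnet 10.1.0.0 255.255.0.0
    next
    edit "LAN_B"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "DMZ"
        set subnet 192.168.3.0 255.255.255.0
    next
    edit "VPN_CLIENT_POOL"
        set subnet 10.212.134.0 255.255.255.0
    next
end
# Only these subnets ride the tunnel; everything else stays on the client's own link
config firewall addrgrp
    edit "VPN_SPLIT_NETS"
        set member "LAN_A" "LAN_B" "DMZ"
    next
end
# Custom dialup phase1: mode config pushes the pool address and the split routes
config vpn ipsec phase1-interface
    edit "DIALUP_CLIENT"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.255
        set ipv4-split-include "VPN_SPLIT_NETS"
        set xauthtype auto
        set authusrgrp "VPN_USERS"
        set psksecret <PSK_PLACEHOLDER>
    next
end
# Policy scoped to the client pool and the same group: no 0.0.0.0/0 and no NAT to wan needed
config firewall policy
    edit 0
        set srcintf "DIALUP_CLIENT"
        set dstintf "internal" "dmz"
        set srcaddr "VPN_CLIENT_POOL"
        set dstaddr "VPN_SPLIT_NETS"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A phase2-interface entry referencing this phase1 is still required; with mode config its default 0.0.0.0/0 selectors are fine, because the address group, not the selectors, decides what FortiClient routes into the tunnel. On the client, the remote network then no longer needs to be set to 0.0.0.0/0, which is what was slowing down Internet browsing earlier in the thread.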