Created on 12-23-2005 12:00 AM
Description: Allowing internal hosts to access remote VPN FortiClient users

Components: (not listed)

Steps or Commands:

A VPN tunnel configured on a FortiGate unit for remote dial-in FortiClient users will typically involve a Phase 1 configured in 'Dialup User' Aggressive mode, and a Phase 2 that is shared by all remote VPN users. Below is a sample configuration:

config vpn ipsec phase1

The above configuration will work if all traffic originates from the remote users to access an internal resource. A problem may occur if internally generated traffic behind the FortiGate unit needs to reach a remotely connected VPN user. The FortiGate unit may not be able to route that traffic properly to the individual remote user, since by default it does not create host routes for the remote FortiClient VIP (Virtual IP) clients and uses a network route instead. This can be confirmed with the output of the following command:

# diag vpn tun list
sa[4]:mtu=1434, cur_bytes=0, timeout=1794
itdb[1]:mtu=1434, cur_bytes=0, cur_packets=0, spi=3aac868f, replay=64
DES=f2ee4622f8b2ed87
otdb[1]:mtu=1434, cur_bytes=0, cur_packets=0, spi=58fcea5d, replay=64
DES=05b3e39a108531e6

The solution is to configure the Phase 2 "single-source" setting via the CLI. This will create host egress routes for the individual VPN clients.

config vpn ipsec phase2

After the change, the same command shows a channel entry for the individual remote client (172.31.225.205):

# diag vpn tun list
channel[2]:172.31.225.205,natt=0,state=2,keepalive=0,oif=3
sa[4]:mtu=1434, cur_bytes=0, timeout=1792
itdb[1]:mtu=1434, cur_bytes=0, cur_packets=0, spi=3aac8690, replay=64
DES=840b78f6de8d8754
DES=e2fb1ae14ec3e7d1
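The KB does not reproduce the Phase 2 entry it refers to, so the following is an added illustration (not Fortinet's own sample configuration) of the single-source change in FortiOS CLI syntax. The Phase 2 name "dialup_p2" is a placeholder for whatever name the shared dialup Phase 2 has on the unit, and the routing-table command is assumed to be available on the firmware in use.

```text
# Enable per-client host routes on the Phase 2 shared by all dialup FortiClient users.
# "dialup_p2" is a placeholder: substitute the name of the existing Phase 2 entry.
config vpn ipsec phase2
    edit "dialup_p2"
        set single-source enable
    next
end

# Verification (assumed available on the firmware in use): the tunnel list should now show
# a channel entry per connected client, and the routing table should contain a host (/32)
# route for each connected client's VIP instead of only the network route for the VIP pool.
diagnose vpn tunnel list
get router info routing-table all
```

If the routing table still shows only the network route for the VIP pool after a client reconnects, the change was applied to the wrong Phase 2 entry or the client's VIP was assigned outside that pool; in either case, internally generated traffic toward that client will keep following the network route rather than the client's own host route.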
Copyright 2024 Fortinet, Inc. All Rights Reserved.