FortiGate
Article Id 189639
Description
This article explains how to set up a FortiClient IPsec VPN so that the client can reach multiple, non-sequential (non-contiguous) subnets through the same tunnel. This is useful where remote users need to reach two different subnets via one VPN tunnel.

A single subnet mask cannot be used in this case because the subnets are non-contiguous (for example, 192.168.1.0/24 and 10.0.0.0/8): a summary wide enough to include both would also include a large amount of address space that is not meant to go through the tunnel.

Solution
1. On the FortiClient, create a VPN and add the required subnets. Start by adding the first destination subnet:

[Screenshot: sotoole_FD30815_FD30815_VPN_settings.JPG]

2. Then add the second and any subsequent subnets. This is done from the FortiClient VPN > Advanced edit menu.

[Screenshot: sotoole_FD30815_FD30815_FC_advanced_settings.JPG]

3. On the FortiGate, create a firewall address for each of the two subnets, then create a firewall address group with these addresses as members. Then modify the phase2 from the CLI as follows:

config vpn ipsec phase2        # use "config vpn ipsec phase2-interface" if the VPN is route based (interface mode)
    edit <phase2 name>
        set dst-addr-type name
        set src-addr-type name
        set dst-name all
        set src-name <the firewall address group created above>
    next
end
 
4. Create a new firewall policy, or modify the existing one, whichever is appropriate, so that traffic to the newly added subnet is allowed and encrypted into the dialup tunnel.
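The following is an added, end-to-end example of the FortiGate side of steps 3 and 4 for a route-based (interface mode) dialup VPN; it is not configuration from the original article. The two subnets are the ones named in the Description; the address names, the group name "VPN_Reachable_Subnets", the phase1 name "DIALUP_VPN", the phase2 name "DIALUP_VPN_P2" and the LAN interface "port2" are assumed and should be replaced with your own.

```fortios
# Assumed example configuration (not from the original article).
# Step 3a: one firewall address per subnet the remote client must reach
config firewall address
    edit "LAN_192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "NET_10.0.0.0"
        set subnet 10.0.0.0 255.0.0.0
    next
end

# Step 3b: group both addresses so one phase2 selector can reference them
config firewall addrgrp
    edit "VPN_Reachable_Subnets"
        set member "LAN_192.168.1.0" "NET_10.0.0.0"
    next
end

# Step 3c: phase2 selectors by name (src = FortiGate side, dst = dialup client)
# For a policy-based VPN use "config vpn ipsec phase2" instead.
config vpn ipsec phase2-interface
    edit "DIALUP_VPN_P2"
        set phase1name "DIALUP_VPN"      # assumed existing dialup phase1
        set src-addr-type name
        set dst-addr-type name
        set src-name "VPN_Reachable_Subnets"
        set dst-name "all"
    next
end

# Step 4: policy from the tunnel interface to the LAN, limited to the group
config firewall policy
    edit 0                               # 0 = next free policy ID
        set name "Dialup-VPN-to-Internal"
        set srcintf "DIALUP_VPN"         # tunnel interface created by the phase1
        set dstintf "port2"              # assumed LAN-facing interface
        set srcaddr "all"
        set dstaddr "VPN_Reachable_Subnets"
        set action accept
        set schedule "always"
        set service "ALL"                # narrow to the services remote users need
        set logtraffic all
    next
end
```

After committing, "show vpn ipsec phase2-interface DIALUP_VPN_P2" confirms the name-based selectors, and "diagnose vpn tunnel list" shows the negotiated selectors once a client connects; both subnets should appear as separate proxy IDs rather than one summarised range.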

Related Articles

Technical Note : Setup a dialup IPSec VPN between Cisco Unity client and FortiGate

Setting up a VIP address for dialup ipsec VPN between FortiGate and FortiClient