
I have a FortiGate 90B(?) running 5.4. wan1 is set to a publicly accessible address. Our internal network is 192.168.100.0

I can connect via IPsec and, when connected, I can access the gateway, which is the FortiGate, at 192.168.100.1, but I can't traverse the internal network or the internet through the gateway. I gave up on split tunneling until I can figure things out. The VPN is set up as:

config vpn ipsec phase1-interface
    edit "IPSEC_Cisco"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set mode-cfg enable
        set proposal aes256-md5 aes256-sha1
        set dhgrp 2
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "vpnUsers"
        set peerid "linux"
        set ipv4-start-ip 192.168.100.170
        set ipv4-end-ip 192.168.100.180
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "all"
        set psksecret ENC [key]
    next
end

Phase 2

config vpn ipsec phase2-interface
    edit "IPSEC_Cisco"
        set phase1name "IPSEC_Cisco"
        set proposal aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
    next
end

Firewall policies
config firewall policy
    edit 17
        set name "IPSEC_Cisco_Internet"
        set uuid e8bc5412-ab3d-51e6-db87-ba2ff7d3aea2
        set srcintf "IPSEC_Cisco"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 18
        set name "IPSEC_CISCO_internal"
        set uuid bbe449ee-ac0b-51e6-de02-0ec32669842e
        set srcintf "IPSEC_Cisco"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

I've tried everything I know of, which isn't much. Any insight appreciated.

  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer.
    – Ron Maupin
    Commented Aug 15, 2017 at 17:18

1 Answer


There are 2 things I notice:

1- You assign IP addresses to the VPN clients in the same range as for internal (LAN) hosts. When a client dials in, the FGT (90D) automatically creates a host route to this client. In your case, there are now 2 routes to the same subnet: one ad-hoc route to the client and one 'connected' route to the LAN. This shouldn't be the case.
When a client pings a host on the LAN, the LAN host replies to a 'local' address. That is, it doesn't need to reply to the router (your FGT) but tries to find the client on the LAN, without success. Local addressing always has precedence over routing.

So, assign an unused address space to your VPN clients, like 172.16.172.[10-100].

2- You don't have to apply NAT in policy 18 (tunnel -> LAN), regardless of the client addresses used. As mentioned above, the FGT will insert a matching route when you connect. You would only need NAT if there was no route back.
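As an added check (not part of the answer above or the question's configuration), this Python script takes the relevant lines from the posted config, reports whether the dialup pool collides with the LAN subnet, shows which way a LAN host would send its reply to a client address (on-link versus via the FortiGate), and lists tunnel-to-LAN policies that still have NAT on. The LAN subnet 192.168.100.0/24 is taken from the question; the config strings are constructed from the question's own lines.

```python
import ipaddress
import re

# Constructed sample: the lines from the question that matter here. The LAN
# subnet comes from the question's prose, not from the config snippet itself.
LAN = ipaddress.ip_network("192.168.100.0/24")
PHASE1 = """edit "IPSEC_Cisco"
    set ipv4-start-ip 192.168.100.170
    set ipv4-end-ip 192.168.100.180
next"""
POLICIES = """config firewall policy
    edit 17
        set srcintf "IPSEC_Cisco"
        set dstintf "wan1"
        set nat enable
    next
    edit 18
        set srcintf "IPSEC_Cisco"
        set dstintf "internal"
        set nat enable
    next
end"""

def setting(cfg, key):
    """Value of 'set <key> <value>' in a FortiOS CLI block (quotes stripped)."""
    m = re.search(rf"^\s*set {re.escape(key)} (\S+)", cfg, re.M)
    return m.group(1).strip('"') if m else None

def pool_overlaps_lan(phase1_cfg, lan):
    """True if the dialup pool (ipv4-start-ip..ipv4-end-ip) collides with the LAN."""
    start = ipaddress.ip_address(setting(phase1_cfg, "ipv4-start-ip"))
    end = ipaddress.ip_address(setting(phase1_cfg, "ipv4-end-ip"))
    return any(n.overlaps(lan) for n in ipaddress.summarize_address_range(start, end))

def lan_host_next_hop(client_ip, lan, gateway):
    """Where a LAN host sends its reply: an on-link destination is ARPed for
    directly, so the FortiGate never sees the packet and the client gets no answer."""
    ip = ipaddress.ip_address(client_ip)
    return "direct (ARP on LAN)" if ip in lan else f"via {gateway}"

def tunnel_policies_with_nat(policy_cfg, tunnel_if, lan_if):
    """IDs of tunnel->LAN policies that still carry 'set nat enable'."""
    hits = []
    parts = re.split(r"^\s*edit (\d+)", policy_cfg, flags=re.M)[1:]
    for pid, body in zip(parts[::2], parts[1::2]):
        if (setting(body, "srcintf"), setting(body, "dstintf"),
                setting(body, "nat")) == (tunnel_if, lan_if, "enable"):
            hits.append(int(pid))
    return hits
```

With the pool moved to an unused range such as 172.16.172.10-100, `pool_overlaps_lan` returns False and the LAN host's reply goes via the gateway, which is the path the FortiGate's host route needs.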
