koreanmop.blogg.se

Fortinet vpn client access other vlans

I also have a static route in place to go from the VPN IP Subnet to the VPN. There is one policy in place that is set up with Incoming Interface (172 VPN), Source Address (VPN Subnet), Outgoing Interface (172 VLAN), Destination Address (172 Subnet). Set authusrgrp "172 IPSec VPN User Group"

At this point I believe that the VPN is routing across the internal interface rather than the VLAN sub-interface. I have a single policy set up allowing traffic from the VPN Subnet to the 172 Subnet (always/ALL) and a static route set up from the VPN Subnet to the VPN. Doing a tracert while connected to the VPN shows it hitting my primary internal interface rather than the VLAN interface. I have the 172.22.5.0/24 Subnet set up as a firewall object as well as the VPN subnet. On the internal interface I have a VLAN set up with the proper VLAN ID and 172.22.5.6/24 as the IP address.

But from the VPN the Cisco is the only IP address I can ping successfully. If I SSH into the Cisco device I can ping everything on that subnet no problem. Pinging and tracerouting via the FortiGate CLI succeeds to all 172 subnet addresses as expected as well. User can connect, is unable to ping any of our internal IP addresses and can even ping the IP address (172.22.5.2/24) on our core Cisco stack.

So far I have an IPSec VPN set up that works almost flawlessly. They requested an IPSec VPN to access via the FortiClient. The use case is as such: PLC vendor needs access to specific VLAN on our network so they can remotely manage their systems. I'm tired of beating my head against this wall and am hoping one of you may have a sledgehammer or wrecking ball I can borrow.














