  • Status: Solved
  • Priority: Medium
  • Security: Public

Fortigate client VPN users need to hop over IPsec static VPN

We have 2 sites, each with a Fortigate 200B managing the VPN.  The two sites have an IPsec VPN tunnel that is up all the time.  Users can easily see all the servers and files between the two sites.  The problem we have is that many users connect to either site A or B using the Fortinet SSL VPN client.  Those users only see the site they connect to.  So users connecting to Site A can't see anything on Site B and the same with users connecting to site B.  They cannot see anything on site A.  Site A uses 192.168.0 subnet and site B uses 192.168.24 subnet.  The routes on the IPsec VPN tunnel handle this nicely.  The users on site A connecting with the SSL VPN get the 10.100.000 subnet and users on the site B SSL VPN get assigned 10.100.101 subnet addresses.

Is there any way to get users connecting with SSL VPN on site A to see servers and files on site B?

1 Solution
I am not too familiar with Fortigate's specific implementation of SSL VPN, but generally with mobile access VPNs, you have to configure which routes are advertised to the client. In this case it looks like your different subnets are not being advertised as routes through the VPN, which is why you can only access that specific subnet when you VPN into the different sites. I would look into adding those somewhere in the SSL VPN configuration, since it sounds like your client machines just don't know where to send data to for those remote subnets.

Lytron55 (Author) Commented:
You are exactly right.  We do have the routes in there, but only the routes on each end to the other destination VPNs, not the source VPNs.  Someday, this will be second nature to me.
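
The routing gap discussed in this thread, as an added example that is not part of the original posts and is not Fortigate configuration: a small Python model that lists which routes are missing for SSL VPN users to reach the far site. The /24 masks, the `SITES`, `BEFORE` and `AFTER` tables, and the function names are assumptions constructed for illustration; it models routing only, not firewall policies.

```python
import ipaddress as ip

# Constructed model of the two sites. The /24 masks are an assumption; the
# post gives only the first three octets of each subnet.
SITES = {
    "A": {"lan": "192.168.0.0/24", "ssl_pool": "10.100.0.0/24"},
    "B": {"lan": "192.168.24.0/24", "ssl_pool": "10.100.101.0/24"},
}

def covers(routes, target):
    """True if any route prefix contains the whole target subnet."""
    t = ip.ip_network(target)
    return any(t.subnet_of(ip.ip_network(r)) for r in routes)

def check(cfg):
    """Return the missing routes that stop SSL VPN users reaching the far LAN.

    cfg["split"][site]  : prefixes pushed to SSL VPN clients dialing into site
    cfg["tunnel"][site] : prefixes that site's firewall sends into the IPsec tunnel
    """
    problems = []
    for near, far in (("A", "B"), ("B", "A")):
        pool, far_lan = SITES[near]["ssl_pool"], SITES[far]["lan"]
        if not covers(cfg["split"][near], far_lan):
            problems.append(f"client@{near}: no route to {far_lan}")
        if not covers(cfg["tunnel"][near], far_lan):
            problems.append(f"fw{near}: no tunnel route to {far_lan}")
        # Replies from the far LAN must be routed back to the SSL VPN pool.
        if not covers(cfg["tunnel"][far], pool):
            problems.append(f"fw{far}: no return route to {pool}")
    return problems

# One reading of the thread: only LAN-to-LAN routes exist (constructed).
BEFORE = {
    "split": {"A": ["192.168.0.0/24"], "B": ["192.168.24.0/24"]},
    "tunnel": {"A": ["192.168.24.0/24"], "B": ["192.168.0.0/24"]},
}
# Far LAN pushed to clients, and each firewall routes the other site's
# SSL VPN pool back through the tunnel (constructed).
AFTER = {
    "split": {"A": ["192.168.0.0/24", "192.168.24.0/24"],
              "B": ["192.168.24.0/24", "192.168.0.0/24"]},
    "tunnel": {"A": ["192.168.24.0/24", "10.100.101.0/24"],
               "B": ["192.168.0.0/24", "10.100.0.0/24"]},
}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check(cfg) or "all paths routed")
```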