Fortigate client VPN users need to hop over IPSEC static VPN

Posted on 2012-08-30
Last Modified: 2012-08-30
We have 2 sites, each with a Fortigate 200B managing the VPN. The two sites have an IPsec VPN tunnel that is up all the time. Users can easily see all the servers and files between the two sites. The problem we have is that many users connect to either site A or B using the Fortinet SSL VPN client. Those users only see the site they connect to. So users connecting to Site A can't see anything on Site B, and the same with users connecting to site B: they cannot see anything on site A. Site A uses 192.168.0 subnet and site B uses 192.168.24 subnet. The routes on the IPsec VPN tunnel handle this nicely. The users on site A connecting with the SSL VPN get the 10.100.000 subnet and users on the site B SSL VPN get assigned 10.100.101 subnet addresses.

Is there any way to get users connecting with SSL VPN on site A to see servers and files on site B?

Question by:Lytron55
    Accepted Solution

    I am not too familiar with Fortigate's specific implementation of SSL VPN, but generally with mobile access VPNs, you have to configure which routes are advertised to the client. In this case it looks like your different subnets are not being advertised as routes through the VPN, which is why you can only access that specific subnet when you VPN into the different sites. I would look into adding those somewhere in the SSL VPN configuration, since it sounds like your client machines just don't know where to send data to for those remote subnets.

    Author Closing Comment

    You are exactly right.  We do have the routes in there, but only the routes on each end to the other destination VPNs, not the source VPNs.  Someday, this will be second nature to me.
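The routing gap discussed in this thread, modelled as an added example (not code from the original posts and not FortiGate configuration): a longest-prefix route lookup traced in both directions, before and after the missing routes exist. Assumptions: /24 masks, reading "10.100.000" as 10.100.0.0/24, the host addresses, the device names, and reading the closing comment as "the far site had no route back to the SSL VPN pool".

```python
import ipaddress

def table(routes):
    """Turn (cidr, next_hop) pairs into a routing table."""
    return [(ipaddress.ip_network(n), nh) for n, nh in routes]

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, nh) for net, nh in routes if addr in net]
    return max(hits)[1] if hits else None

def trace(tables, start, dst):
    """Follow next hops from `start` until the packet leaves the modelled devices."""
    path, hop = [start], start
    while hop in tables and len(path) < 8:
        hop = lookup(tables[hop], dst)
        path.append(hop)
    return path

def build(fixed):
    """Constructed tables for a site A SSL VPN client and both firewalls."""
    client = [("10.100.0.5/32", "local"), ("192.168.0.0/24", "fgtA"),
              ("0.0.0.0/0", "internet")]
    fgt_a = [("192.168.0.0/24", "lanA"), ("10.100.0.0/24", "client"),
             ("192.168.24.0/24", "fgtB"), ("0.0.0.0/0", "internet")]
    fgt_b = [("192.168.24.0/24", "lanB"), ("10.100.101.0/24", "sslvpnB"),
             ("192.168.0.0/24", "fgtA"), ("0.0.0.0/0", "internet")]
    if fixed:
        # Route pushed to the client so site B traffic enters the SSL tunnel.
        client.append(("192.168.24.0/24", "fgtA"))
        # Return route on site B for site A's SSL VPN pool (the "source VPN").
        fgt_b.append(("10.100.0.0/24", "fgtA"))
    return {"client": table(client), "fgtA": table(fgt_a), "fgtB": table(fgt_b)}

def round_trip(tables):
    """Client -> site B server, then the reply from site B back to the client."""
    out = trace(tables, "client", "192.168.24.10")
    back = trace(tables, "fgtB", "10.100.0.5")
    return out[-1] == "lanB" and back[-1] == "local", out, back

if __name__ == "__main__":
    for fixed in (False, True):
        ok, out, back = round_trip(build(fixed))
        print("fixed" if fixed else "before", ok, out, back)
```

The same pair of routes is needed in the other direction for site B's 10.100.101 pool; matching firewall policies and IPsec selectors are not modelled here.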
