VPN concentrator behind FG

Hey guys, I have some issues getting a one-armed VPN concentrator working behind a FortiGate.

FG IP 10.0.1.2
Concentrator : 10.0.1.1
Client vpn Subnet 10.0.70.0/24

When connected to the vpn subnet remotely I get issued the correct 10.0.70 IP and I can access all internal resources and the FG. However I can’t get internet access.
The FG has a static route of 10.0.70.0/24 via 10.0.1.1 and the concentrators default gw is the FG.

If I run a trace to google for example it hits the FG 10.0.1.2 and stops.

It’s not a firewall policy as I have enabled an allow all rule.

Any ideas?

Did you run a debug flow? That should tell you what’s happening to the packet.

Thanks for the tip, this is the output

id=20085 trace_id=19 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=1, 10.0.70.137:39429->8.8.8.8:2048) from vlan_server. type=8, code=0, id=39429, seq=163."
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-000199f3, original direction"
id=20085 trace_id=19 func=npu_handle_session44 line=1159 msg="Trying to offloading session from vlan_server to wan1, skb.npu_flag=00000000 ses.state=00013204 ses.npu_state=0x00001008"
id=20085 trace_id=19 func=fw_forward_dirty_handler line=399 msg="state=00013204, state2=00000000, npu_state=00001008"
id=20085 trace_id=20 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=1, 10.0.70.137:39429->8.8.8.8:2048) from vlan_server. type=8, code=0, id=39429, seq=164."
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-000199f3, original direction"
id=20085 trace_id=20 func=npu_handle_session44 line=1159 msg="Trying to offloading session from vlan_server to wan1, skb.npu_flag=00000000 ses.state=00013204 ses.npu_state=0x00001008"
id=20085 trace_id=20 func=fw_forward_dirty_handler line=399 msg="state=00013204, state2=00000000, npu_state=00001008"

I don’t see any SNAT due to it not being the full output, so I can’t say with 100% certainty and I don’t have the time to lab it right now to see what the actual output should look like with SNAT, but check that first.

The firewall isn’t blocking the traffic at least.

Sorted, thanks mate. Looks like all I needed to do was activate the license on the FG and upgrade to the latest firmware.

I would be very surprised if that ended up being the fix, because I labbed it up and saw that the SNAT message appears in every packet (wasn’t sure of this before) and you didn’t have any mention of that in your output. If you run the debug again do you see the SNAT now?

https://i.imgur.com/AJBPNFm.png

Red is without SNAT and blue with.
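The check the replies describe, whether the FortiGate debug flow shows a SNAT step for traffic leaving towards the internet, can be automated over a saved trace. The script below is an added example and is not from the thread or from Fortinet. It splits `diagnose debug flow` output into records (including a forum paste where the records have been glued onto one line, as in the output above), groups them by trace_id, and reports whether each session was forwarded out an egress interface with or without SNAT. The sample log is constructed: trace 19 is copied from the thread's paste (no SNAT), trace 21 is a made-up working case using documentation addresses (203.0.113.x). The exact wording of the FortiOS SNAT and policy messages (`msg="SNAT a.b.c.d->e.f.g.h:port"`, `Allowed by Policy-N: SNAT`) is an assumption about FortiOS output, so adjust the patterns if your firmware prints them differently.

```python
import re
from collections import OrderedDict

# Constructed sample. Trace 19 is the thread's own (no SNAT); trace 21 is an
# assumed working case. Message formats for SNAT/policy lines are assumptions.
SAMPLE = '''\
id=20085 trace_id=19 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=1, 10.0.70.137:39429->8.8.8.8:2048) from vlan_server. type=8, code=0, id=39429, seq=163."
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-000199f3, original direction"
id=20085 trace_id=19 func=npu_handle_session44 line=1159 msg="Trying to offloading session from vlan_server to wan1, skb.npu_flag=00000000 ses.state=00013204 ses.npu_state=0x00001008"
id=20085 trace_id=19 func=fw_forward_dirty_handler line=399 msg="state=00013204, state2=00000000, npu_state=00001008"
id=20085 trace_id=21 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=1, 10.0.70.137:39430->8.8.8.8:2048) from vlan_server. type=8, code=0, id=39430, seq=1."
id=20085 trace_id=21 func=init_ip_session_common line=5885 msg="allocate a new session-000199f4"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=21 func=fw_forward_handler line=772 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=21 func=__ip_session_run_tuple line=3367 msg="SNAT 10.0.70.137->203.0.113.5:39430"
'''
# The same four trace-19 records glued together, as the forum paste rendered them.
GLUED = ''.join(SAMPLE.splitlines()[:4])

RECORD_SPLIT = re.compile(r'(?=\bid=\d+ trace_id=\d+\b)')
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PKT = re.compile(r'proto=(\d+), (\S+)->(\S+)\)')
EGRESS = re.compile(r'(?:session from \S+ to|via) (\w+)')
POLICY = re.compile(r'(Allowed|Denied) by (Policy-\d+)')
SNAT_TO = re.compile(r'SNAT \S+->(\S+)')


def split_records(text):
    """Split debug flow output into records, even when a paste has run them
    together on one line; also undo the curly quotes forum software inserts."""
    text = text.replace('\u201c', '"').replace('\u201d', '"')
    return [r.strip() for r in RECORD_SPLIT.split(text) if r.strip()]


def parse_record(rec):
    """Turn 'key=value key="quoted value"' into a dict."""
    fields = {}
    for m in KV.finditer(rec):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def analyze(text):
    """Group records by trace_id and summarise what the firewall did with each."""
    traces = OrderedDict()
    for rec in split_records(text):
        f = parse_record(rec)
        tid, msg = f.get('trace_id'), f.get('msg', '')
        if tid is None:
            continue
        t = traces.setdefault(tid, {'src': None, 'dst': None, 'egress': None,
                                    'policy': None, 'denied': False,
                                    'snat': False, 'snat_to': None})
        m = PKT.search(msg)
        if m:
            t['src'], t['dst'] = m.group(2), m.group(3)
        m = EGRESS.search(msg)
        if m:
            t['egress'] = m.group(1)
        m = POLICY.search(msg)
        if m:
            t['policy'] = m.group(2)
            t['denied'] = m.group(1) == 'Denied'
        if re.search(r'\bSNAT\b', msg):
            t['snat'] = True
        m = SNAT_TO.search(msg)
        if m:
            t['snat_to'] = m.group(1)
    return traces


def verdict(t):
    """One-line interpretation of a trace summary."""
    if t['denied']:
        return 'denied by %s' % t['policy']
    if t['snat']:
        return 'forwarded out %s with SNAT as %s' % (t['egress'], t['snat_to'])
    if t['egress']:
        return ('forwarded out %s without SNAT: private source %s will not get replies '
                'from the internet; check that NAT is enabled on the matching policy'
                % (t['egress'], t['src']))
    return 'incomplete trace'


if __name__ == '__main__':
    for tid, t in analyze(SAMPLE).items():
        print('trace %s %s->%s: %s' % (tid, t['src'], t['dst'], verdict(t)))
```

Run it against the output of `diagnose debug flow trace start N` (after `diagnose debug flow filter addr <dst>` and `diagnose debug enable`) saved to a file; a trace that reaches an egress interface with no SNAT line is the symptom described in this thread, and the thing to check is whether the policy from the concentrator's interface to the WAN interface has NAT enabled.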

Hey There,

Thanks for doing that! I did the capture again last night when it was not working and higher up it did mention SNAT.
Not entirely sure what fixed it but it's working :slight_smile: Thanks again