adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Cannot reach 10.55/16 on OSX #914

Open mielvds opened 3 years ago

mielvds commented 3 years ago

When using openfortivpn (or FortiClient VPN) I cannot reach specific subnets on OSX (in my case 10.54/16 & 10.55/16); ping is not responding. The routing table looks ok. Did anybody else encounter a similar issue?

DimitriPapadopoulos commented 3 years ago

Do you expect to reach these specific subnets through the VPN tunnel or different routes?

Said differently, are the 10.55.0.0 and 10.56.0.0 private networks behind the VPN gateway?

hbog commented 3 years ago

Yes, these networks are behind the VPN gateway. Furthermore, the networks 10.50 and 10.9 are also behind the VPN gateway and they can be reached.

DimitriPapadopoulos commented 3 years ago

I suspect these networks are simply not reachable from the VPN gateway because of firewalls and other network filtering, on purpose or not. Are you supposed to be able to reach them?

mielvds commented 3 years ago

Hi Dimitri,

Yes, that should be the case. In fact, other colleagues with more or less the exact same setup can reach the servers. With an alternative openvpn tunnel, the routing also works.

What locations must openfortivpn be able to write to? I was thinking it might be some missing OSX permission issue.

DimitriPapadopoulos commented 3 years ago

What do you mean exactly by "more or less the exact same setup" and "alternative openvpn tunnel"?

I understand that whatever the client (openfortivpn or FortiClient) you are unable to reach these 10.55.0.0 and 10.56.0.0 private networks behind the FortiGate gateway. It looks like these private networks are simply unreachable from the FortiGate gateway. If these networks are reachable from an alternative OpenVPN gateway, I recommend you investigate why they are reachable from the OpenVPN gateway but not the FortiGate gateway. Looks like a routing issue on the FortiGate gateway to me - unless you have evidence that shows a problem client-side.

DimitriPapadopoulos commented 3 years ago

Could it be a DNS problem instead of a routing problem? Are you perhaps able to reach servers on these networks by IP address, but not by DNS name?

mielvds commented 3 years ago

> What do you mean exactly by "more or less the exact same setup" and "alternative openvpn tunnel"?

With the former, I mean that we both have the same MacBook Pro with no special routing configuration. With the latter, I mean what you had already suspected: we also have a (soon to be deprecated) openvpn gateway that leads to the same networks.

> I understand that whatever the client (openfortivpn or FortiClient) you are unable to reach these 10.55.0.0 and 10.56.0.0 private networks behind the FortiGate gateway. It looks like these private networks are simply unreachable from the FortiGate gateway. If these networks are reachable from an alternative OpenVPN gateway, I recommend you investigate why they are reachable from the OpenVPN gateway but not the FortiGate gateway. Looks like a routing issue on the FortiGate gateway to me - unless you have evidence that shows a problem client-side.

Thanks, that's a good suggestion. We have done some packet inspection, but the PING packets didn't seem to leave my machine.

> Could it be a DNS problem instead of a routing problem? Are you perhaps able to reach servers on these networks by IP address, but not by DNS name?

Unlikely, because a PING to the IP address was unsuccessful.

DimitriPapadopoulos commented 3 years ago

> With the former, I mean that we both have the same macbook pro with no special routing configuration.

I can see why you suspect this is related to the specific setup of this macOS machine. I suggest you run openfortivpn -v -v --pppd-log=pppd.log on both machines and check differences between the two macOS machines, the one that works and the one that doesn't.
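The thread turns on two observations: "the routing table looks ok" and "the PING packets didn't seem to leave my machine". A routing table can look fine and still send traffic to the wrong interface, because the kernel picks the most specific matching prefix, not the first line that mentions the network. The following script is an added example (not openfortivpn project code and not taken from this issue): it parses a macOS `netstat -rn -f inet` dump, performs the same longest-prefix match the kernel does for a given destination, and lists any tunnel route that is shadowed by a more specific route on another interface. The two routing-table dumps are constructed for the example; the `10.55.0/24` route on `en0` in the second table is a hypothetical shadowing route used to show what the check catches, not a claim about the reporter's machine.

```python
"""Longest-prefix-match check over a macOS `netstat -rn -f inet` dump.

Added example, not openfortivpn project code. Given a routing table as
text, report which route actually wins for a destination and list tunnel
routes that are shadowed by a more specific route on another interface.
"""
import ipaddress

# Constructed routing-table dumps for illustration; not captured from the
# reporter's machines. Tunnel routes sit on ppp0, the LAN on en0.
WORKING_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGScg          en0
10.9/16            10.212.134.200     UGSc          ppp0
10.50/16           10.212.134.200     UGSc          ppp0
10.55/16           10.212.134.200     UGSc          ppp0
10.212.134.200     10.212.134.210     UH            ppp0
127                127.0.0.1          UCS            lo0
192.168.1          link#4             UCS            en0      !
"""

# Same table plus a hypothetical more-specific route that captures part of
# the 10.55/16 tunnel prefix and steers it to the LAN interface instead.
SHADOWED_TABLE = WORKING_TABLE + (
    "10.55.0/24         link#4             UCS            en0      !\n"
)


def expand_destination(dest):
    """Expand macOS's abbreviated destination notation to an ip_network.

    "default" -> 0.0.0.0/0, "10.55/16" -> 10.55.0.0/16, "127" -> 127.0.0.0/8,
    "192.168.1" -> 192.168.1.0/24; a full dotted quad with no mask is a
    host route (/32).
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_routes(table_text):
    """Return the IPv4 routes as (network, gateway, flags, netif) tuples."""
    routes = []
    in_table = False
    for line in table_text.splitlines():
        fields = line.split()
        if fields[:1] == ["Destination"]:
            in_table = True          # column header of the Internet: section
            continue
        if not fields:
            in_table = False         # blank line ends the section
            continue
        if in_table and len(fields) >= 4:
            routes.append((expand_destination(fields[0]), fields[1], fields[2], fields[3]))
    return routes


def route_for(table_text, ip):
    """Longest-prefix match: the (prefix, netif) the kernel would pick for ip."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in parse_routes(table_text) if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return (str(best[0]), best[3])


def shadowed_tunnel_routes(table_text, tunnel_if="ppp0"):
    """List (tunnel_prefix, shadowing_prefix, netif) for every route on
    another interface that is more specific than, and inside, a tunnel route.
    Traffic to the shadowed part never enters the tunnel."""
    routes = parse_routes(table_text)
    tunnel = [r for r in routes if r[3] == tunnel_if]
    others = [r for r in routes if r[3] != tunnel_if]
    found = []
    for tnet, _, _, _ in tunnel:
        for onet, _, _, oif in others:
            if onet.prefixlen > tnet.prefixlen and onet.subnet_of(tnet):
                found.append((str(tnet), str(onet), oif))
    return found


if __name__ == "__main__":
    for ip in ("10.55.0.10", "10.55.1.10", "10.9.5.5"):
        print(ip, "->", route_for(SHADOWED_TABLE, ip))
    print("shadowed tunnel routes:", shadowed_tunnel_routes(SHADOWED_TABLE))
```

On a live Mac the kernel's own answer for one destination is `route -n get 10.55.0.10` (the `interface:` line is what matters); the script is for diffing whole tables from the working and non-working machines side by side, which pairs naturally with the `--pppd-log` comparison suggested above. Note that a shadowing /24 only diverts the addresses inside it: in the constructed table 10.55.0.10 goes to en0 while 10.55.1.10 still goes to ppp0, so a single ping that does not leave the machine is not proof that the whole /16 is misrouted.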