Vpn – Access FortiClients from LAN


I have a FortiGate 90D (v5.2.5) that I have an IPSec VPN configured for FortiClient access via the VPN Wizard. My LAN and FortiClients are using different subnets.

I can access my LAN from my FortiClient computer, but I can't access my FortiClient computer from my LAN. If I traceroute from a LAN computer to the FortiGate-assigned IP address of my FortiClient computer, the packets are routed out to the Internet. I can ping the FortiClient computers from the CLI.

If I try to set up a static route to the subnet assigned to the FortiClients, I cannot select the FortiClient VPN as the "device" (although I have options for SSL VPN, point-to-point IPSec VPNs, and physical interfaces). If I try to set up a Policy Route, I can see my FortiClient VPN as an interface, but I have no idea what to use as a gateway (and 0.0.0.0 doesn't work).

There's plenty of documentation on getting FortiClients to access the LAN, but none for accessing the FortiClients from the LAN.

Is there a trick I'm missing?

Best Answer

If you can reach the LAN from your client, then routing is working correctly, so you're probably mistaken in thinking that packets from the LAN to the client go to the Internet (if you're not using NAT in between).

The most probable cause is that you do not have a reverse policy defined, that is, you have a policy from VPN to LAN but not from LAN to VPN, do you?
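As an added illustration of the reverse policy described in this answer (example config, not from the original post or from Fortinet), the FortiOS 5.2 CLI below adds the missing LAN-to-VPN direction. The interface names "internal" and "FortiClientVPN", the address objects "LAN_net" and "FortiClient_range", and the client pool subnet are assumptions; substitute the names your VPN Wizard created.

```fortios
# Added example, not from the post. Assumed names:
#   "internal"          = LAN interface
#   "FortiClientVPN"    = IPsec tunnel interface created by the VPN Wizard
#   "LAN_net"           = existing address object for the LAN subnet
#   "FortiClient_range" = address object for the dial-up client pool (constructed below)
config firewall address
    edit "FortiClient_range"
        # constructed value: the mode-config pool handed to FortiClients
        set subnet 10.212.134.0 255.255.255.0
    next
end

# The wizard normally creates only VPN -> LAN. Without the reverse policy the
# FortiGate drops LAN-initiated traffic to the clients, even though the
# dial-up tunnel installs a route to the pool while a client is connected.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "FortiClientVPN"
        set srcaddr "LAN_net"
        set dstaddr "FortiClient_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set comments "LAN to FortiClient dial-up users"
    next
end

# Verify: with a client connected, the pool (or the client's /32) should appear
# on the tunnel interface, so no static or policy route is needed.
get router info routing-table all
```

If the policy is in place and the route shows on the tunnel, remaining failures are usually the client's own host firewall rejecting unsolicited inbound traffic rather than the FortiGate.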