Hello. I have some experience with VPN but not much. Long story short I have an urgent (and perhaps temporary) need to set up a site to site VPN between my company and a small partner. The purpose is to print directly from an application on our network to printers at theirs. We have Fortigate, they have a router that does not have VPN support. My company has one of our PCs on the partner's LAN which we have remote access to (Splashtop). Among other ideas, one of them is to install SoftEther on the PC, forward UDP ports 500 and 4500, and create the VPN from the Fortigate to the SoftEther.
I've attempted to test this using my home network but I am stuck. I successfully forwarded the ports to the computer on my home LAN which is running SoftEther. I checked the box for IPSec Site to Site VPN, configured a PSK. Configured the VPN on the FG side as best I know, using the same PSK, my home ISP public IP as the remote peer, the local and remote networks that make up the VPN, etc. On the Fortigate side the VPN never comes up. In the SoftEther log file I see entries like this (IPs hidden):
2023-01-28 23:46:34.229 IPsec Client 418 (Company IP:4500 -> Home LAN IP:4500): A new IPsec client is created.
2023-01-28 23:46:35.239 IPsec Client 419 (Company IP:500 -> Home LAN IP:500): A new IPsec client is created.
2023-01-28 23:46:35.239 IPsec IKE Session (IKE SA) 247 (Client: 419) (Company IP:500 -> Home LAN IP:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xB0F2BFAEA0FDFF4F, Responder Cookie: 0x4123EF14830E0EBE, DH Group: MODP 1536 (Group 5), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 86400 seconds
2023-01-28 23:46:35.260 IPsec Client 419 (Company IP:500 -> Home LAN IP:500): This client (Client 419) and the other client (Client 418) is the same client. So they are merged to the client 418.
2023-01-28 23:46:35.260 IPsec Client 418 (Company IP:4500 -> Home LAN IP:4500):
2023-01-28 23:46:35.260 IPsec IKE Session (IKE SA) 247 (Client: 418) (Company IP:4500 -> Home LAN IP:4500): This IKE SA is established between the server and the client.
2023-01-28 23:46:44.233 IPsec Client 418 (Company IP -> Home LAN IP:4500): This IPsec Client is deleted.
2023-01-28 23:46:44.233 IPsec IKE Session (IKE SA) 247 (Client: 418) (Company IP:4500 -> Home LAN IP:4500): This IKE SA is deleted.
Would anyone possibly be able to help me or point me in the right direction? Thanks!
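Added example (not part of the original post and not SoftEther's own tooling): a short Python script that reads the IKE SA lines from the log excerpt above, reports how long the SA lived after phase 1 completed, and flags legacy proposal values. The function names, the 30-second threshold and the legacy list are assumptions made for this illustration.

```python
import re
from datetime import datetime

# The three IKE SA lines from the post above (addresses are the poster's placeholders).
SAMPLE_LOG = """\
2023-01-28 23:46:35.239 IPsec IKE Session (IKE SA) 247 (Client: 419) (Company IP:500 -> Home LAN IP:500): A new IKE SA (Main Mode) is created. Initiator Cookie: 0xB0F2BFAEA0FDFF4F, Responder Cookie: 0x4123EF14830E0EBE, DH Group: MODP 1536 (Group 5), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 256 bits, Lifetime: 4294967295 Kbytes or 86400 seconds
2023-01-28 23:46:35.260 IPsec IKE Session (IKE SA) 247 (Client: 418) (Company IP:4500 -> Home LAN IP:4500): This IKE SA is established between the server and the client.
2023-01-28 23:46:44.233 IPsec IKE Session (IKE SA) 247 (Client: 418) (Company IP:4500 -> Home LAN IP:4500): This IKE SA is deleted.
"""

LINE = re.compile(r"^(\S+ \S+) IPsec IKE Session \(IKE SA\) (\d+) .*?\): (.*)$")
PARAM = re.compile(r"(DH Group|Hash Algorithm|Cipher Algorithm|Cipher Key Size): ([^,]+)")
LEGACY = {"DH Group": ("MODP 1024", "MODP 1536"), "Hash Algorithm": ("MD5", "SHA-1")}  # assumed list

def parse_ike_sas(log):
    """Collect created/established/deleted timestamps and the proposal per IKE SA id."""
    sas = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an IKE SA line (e.g. "IPsec Client" entries)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        sa = sas.setdefault(m.group(2), {"params": {}})
        for event in ("created", "established", "deleted"):
            if f"is {event}" in m.group(3):
                sa[event] = ts
        if "is created" in m.group(3):
            sa["params"] = dict(PARAM.findall(m.group(3)))
    return sas

def findings(sas, min_lifetime=30.0):
    """Flag SAs deleted soon after phase 1 completed, and legacy proposal values."""
    out = []
    for sa_id, sa in sas.items():
        if "established" in sa and "deleted" in sa:
            life = (sa["deleted"] - sa["established"]).total_seconds()
            if life < min_lifetime:
                out.append((sa_id, f"deleted {life:.3f}s after establishment"))
        for key, weak in LEGACY.items():
            if sa["params"].get(key, "").startswith(weak):
                out.append((sa_id, f"legacy {key}: {sa['params'][key]}"))
    return out

if __name__ == "__main__":
    for item in findings(parse_ike_sas(SAMPLE_LOG)):
        print(item)
```
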
Fortigate to SoftEther IPSec Site to Site VPN?
-
- Posts: 4
- Joined: Sun Jan 29, 2023 4:39 am
-
- Posts: 4
- Joined: Sun Jan 29, 2023 4:39 am
Re: Fortigate to SoftEther IPSec Site to Site VPN?
Well, now I have been tinkering for hours, and something must have happened, I can no longer get ANY kind of connections showing in the logs at all, not for the past hour, I've tried every setting I can see on the SoftEther and the Fortinet, every type of VPN connection and option, and now I see nothing at all in the log file, rebooted, same thing. Weird and frustrating.
-
- Posts: 1297
- Joined: Sun Feb 14, 2021 10:31 am
Re: Fortigate to SoftEther IPSec Site to Site VPN?
imposter_syndrome wrote: ↑Sun Jan 29, 2023 4:55 am
I have an urgent (and perhaps temporary) need... to print directly from an application on our network to printers at theirs... LAN which we have remote access to (Splashtop).
- urgent
- temporary
- print only
- Splashtop exists already
Splashtop printing is optimal in this scenario.
-
- Posts: 4
- Joined: Sun Jan 29, 2023 4:39 am
Re: Fortigate to SoftEther IPSec Site to Site VPN?
solo wrote: ↑Sun Jan 29, 2023 10:43 am
imposter_syndrome wrote:
I have an urgent (and perhaps temporary) need... to print directly from an application on our network to printers at theirs... LAN which we have remote access to (Splashtop).
- urgent
- temporary
- print only
- Splashtop exists already
Splashtop printing is optimal in this scenario.
Splashtop printing is not going to help us print from our business application to these printers. Do you know how to get the VPN working?
-
- Posts: 1297
- Joined: Sun Feb 14, 2021 10:31 am
Re: Fortigate to SoftEther IPSec Site to Site VPN?
For some reason you don't like the optimal way so here is the next easiest one:
- on the remote LAN install SoftEther Server
- bridge it to a LAN NIC
- from your location connect SoftEther Client to VPN Azure address
-
- Posts: 4
- Joined: Sun Jan 29, 2023 4:39 am
Re: Fortigate to SoftEther IPSec Site to Site VPN?
For some reason you don't like to answer the question. The application sending the print jobs is an AS/400. SoftEther Client doesn't pertain. I am trying to get the site to site IPSEC vpn working. Might you know how to do that?
-
- Posts: 1297
- Joined: Sun Feb 14, 2021 10:31 am
Re: Fortigate to SoftEther IPSec Site to Site VPN?
It does. Considering new info provided, let's update the setup:
- on the remote LAN install SoftEther Server
- don't bridge, enable SecureNAT on it (all defaults)
- from your location connect SoftEther Client to VPN Azure address
assumptions for illustration:
- remote LAN (with the printer) 10.1.1.0/24
- local LAN 10.2.2.0/24
- local Windows PC with SoftEther Client 10.2.2.2
- local AS/400 computer 10.2.2.3
config:
- on 10.2.2.2 start the "Routing and Remote Access" service
- on 10.2.2.3 add a static route equivalent of: ip route add 10.1.1.0/24 via 10.2.2.2
- if VPN Azure is too slow and you can do port forwarding then switch to direct connection
That's all. Fortigate with L2TP/IPsec may not be this easy, if feasible at all.