DinoN

Services on remote VPN server public IP inaccessible (blocked by VPN daemon)

Hi all,

I have a small 1100 appliance that is locally managed. There is a site-to-site VPN configured with a remote Fortinet device. Site-to-site connectivity works OK: the tunnel is brought up, packets are routed and services are accessible.

But on our side we have an Exchange server behind the CP device that is statically NATed to a non-CP IP address (there is an additional IP assigned only for NATed servers). This setup works OK, as mail flow is working.

The caveat is that behind this Fortinet there is an Exchange server published for the remote domain. When the VPN tunnel is down, mail from our server to this remote server flows OK; when the VPN tunnel is up (and it should always be up), the SMTP server on the remote side is not accessible from our LAN.

In the log I am getting a Block notification (time, blade, action, source, destination, service, rule):

Today 12:07:37 | VPN daemon | Block | <server ip> | <remote ip> | SMTP | 0
As the rule is listed as 0, it looks like some implied rule is doing this.

What is the way to avoid this (as it looks like CP is trying to route packets to this server over the VPN), so that not only SMTP but any service on the remote VPN gateway's public IP is accessible?

Thanks,

DiNo


Re: Services on remote VPN server public IP inaccessible (blocked by VPN daemon)

A VPN defined on SMB usually sends every packet destined to the encryption domain (all networks behind the peer GW) through the VPN tunnel. An additional routable IP address will get packets via the internet, not the VPN.

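The forwarding decision the reply describes, as an added example that is not part of the original thread and not Check Point's or Fortinet's own code: a destination inside the peer's encryption domain is steered into the tunnel, anything else leaves in the clear. The second function is the check a practitioner would run before opening a ticket: if the peer gateway's public address (the IP that publishes its SMTP service) falls inside the encryption domain configured for that peer, mail to it is forced into the tunnel whenever the tunnel is up and never reaches the public listener, which matches the symptom in the question. All addresses below are constructed from documentation ranges and are assumptions, not the poster's real configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed example addresses (RFC 1918 / RFC 5737 ranges); assumptions,
# not the original poster's real networks.
PEER_PUBLIC_IP = ip_address("203.0.113.10")  # remote gateway's public IP, where SMTP is published

# Encryption domain as it should be: only the private networks behind the peer.
PEER_ENCRYPTION_DOMAIN_OK = [ip_network("10.20.0.0/16")]

# Encryption domain that is too broad: it also swallows the peer's public range.
PEER_ENCRYPTION_DOMAIN_TOO_BROAD = [
    ip_network("10.20.0.0/16"),
    ip_network("203.0.113.0/24"),
]


def route_decision(dst, encryption_domain):
    """Model of the site-to-site forwarding rule described in the reply.

    A packet whose destination lies inside the peer's encryption domain is
    sent through the VPN tunnel; any other destination is routed normally
    over the internet. Returns 'vpn' or 'internet'.
    """
    dst = ip_address(str(dst))
    return "vpn" if any(dst in net for net in encryption_domain) else "internet"


def check_peer_services(public_ips, encryption_domain):
    """Return the peer public addresses that the encryption domain would
    force into the tunnel.

    Any address listed here is only reachable while the tunnel is down,
    which is exactly the behaviour reported in the question. Such an address
    should be removed from the encryption domain (or the service reached
    through a host that really is behind the peer).
    """
    return [
        str(ip_address(str(ip)))
        for ip in public_ips
        if route_decision(ip, encryption_domain) == "vpn"
    ]


if __name__ == "__main__":
    for label, domain in (("ok", PEER_ENCRYPTION_DOMAIN_OK),
                          ("too broad", PEER_ENCRYPTION_DOMAIN_TOO_BROAD)):
        print(f"encryption domain {label}:")
        print("  host behind peer  ->", route_decision("10.20.1.5", domain))
        print("  peer public SMTP  ->", route_decision(PEER_PUBLIC_IP, domain))
        print("  forced into tunnel:", check_peer_services([PEER_PUBLIC_IP], domain))
```

The check only models what the reply states about encryption-domain routing; it does not reproduce the implied rule 0 block itself. On the appliance, the corresponding step is to review the networks defined as the remote site's encryption domain and confirm the peer's public IP is not among them.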