J Z

Fortigate SSL-VPN Split Tunneling question

Hi,

We have an externally hosted webserver for which we want to limit access to certain services (ports) to a limited set of IP addresses. One of them is our office's WAN range. While working at the office this won't pose any problems.

The issue is when a user works from home: we want them to be able to start the FortiClient, which will set up an SSL-VPN tunnel to the office LAN, and configure it in such a way that it intercepts traffic to server A (which is outside of our LAN) and sends it over the SSL-VPN tunnel. That way the external webserver thinks the traffic is coming from our company's WAN address and the protected services will be accessible.

The SSL-VPN is set up in split tunneling mode, and when I add the external webserver the user's local route table is updated with an additional route that sends the traffic to the SSL-VPN interface. But the traffic is not routable (tracert fails).

Does anyone know (1) whether this is possible and (2) how to do it?

Thanks!
* FortigateVPN

8/22/2022 - Mon
Garry Glendown

When adding to the firewall ssl.root policies, adding single VIPs should result in the appropriate host routes being added to the split tunneling routes installed at the client. Make sure you do not add the whole outside range, as this might interfere with the client being able to communicate with the firewall for the VPN tunnel itself ...
J Z

ASKER
That's what I tried. I added the IP address of the external server to a policy the way you describe it. I see it showing up in the routing table of the machine that is setting up the SSL-VPN. The entry's gateway is set correctly (= internal IP of the SSL-VPN on the FortiGate). Also, when I do a tracert I see that the first hop is the correct IP (towards the SSL-VPN gateway). But after the first hop the packet gets lost.

That's why I'm wondering: does it need any additional routing or something else?

In the first place: are you sure it is possible to add an external address and make the device send that traffic outside to the server with the WAN interface as originating IP?
ASKER CERTIFIED SOLUTION
Garry Glendown

J Z

ASKER
It worked the way you suggested. I had the wrong outgoing interface configured. Thank you so much!!
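The shape of the configuration the thread converges on (a split-tunnel route for a single external host, and an ssl.root policy whose outgoing interface is the WAN port with source NAT enabled so the server sees the office WAN address), written out as a FortiOS CLI example. This is an added illustration, not configuration posted by anyone in the thread or by Fortinet; the address object name `extweb-srv`, the documentation-range IP `203.0.113.10`, the interface name `wan1`, the portal name `full-access`, the user group `sslvpn-users` and the service list are all assumed placeholders to be replaced with the real values. The `split-tunneling-routing-address` setting on the portal is the per-portal route list in newer FortiOS releases; on older releases the client's split-tunnel routes were derived from the `dstaddr` of the ssl.root policies instead, which is the behaviour Garry describes.

```text
# Address object for the single external host (constructed example value).
config firewall address
    edit "extweb-srv"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# SSL-VPN portal: tunnel mode with split tunneling limited to that one host.
# Keeping the route list to a single /32 avoids stealing the client's whole
# public range, which would also swallow the path to the FortiGate itself.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "extweb-srv"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Policy from the SSL-VPN interface to the WAN interface, not to the LAN.
# "set nat enable" sources the traffic from wan1's address, which is what the
# external server's allow-list expects. Service is restricted to the ports
# that are actually protected on the server.
config firewall policy
    edit 0
        set name "sslvpn-to-extweb"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "extweb-srv"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set nat enable
        set logtraffic all
    next
end
```

To confirm the fix from the FortiGate side, `diagnose sniffer packet wan1 'host 203.0.113.10' 4` (substituting the real server address) should show the packets leaving wan1 with the WAN address as source; if the policy's `dstintf` is an internal interface, the packets never reach the sniffer on wan1, which matches the "lost after the first hop" symptom in the question. `logtraffic all` on this policy also gives a per-session record of which VPN user reached the restricted service and when.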