J Z
asked on
Fortigate: access IPSEC remote site over ssl-vpn
Question for the Fortigate specialists:
We have an IPsec tunnel to a remote site which works fine when on-site (i.e. connected to the local LAN). What we want to achieve is that when users are connected to the FortiClient SSL-VPN, they can access the IPsec-connected remote site over their SSL-VPN tunnel. When I add the policy, the user's local routing table (pointing to the SSL-VPN interface on the FortiGate) is correctly adapted once the SSL-VPN tunnel is up and running. When doing a tracert I see the traffic going in the right direction (the SSL-VPN interface). But after that it's stuck.
This is the policy I created:
config firewall policy
    edit 9
        set uuid 2c7df5c4-...-ade256f63fad
        set srcintf "ssl.root"
        set dstintf "IPSEC-ABC"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "IPSEC-ABC_remote_subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "sslvpn_usergroup"
        set nat enable
    next
end
My first main question is: is this supposed to work, or is it an unsupported configuration on a FortiGate firewall?
Thanks.
Kind Regards,
ASKER
I'm not sure what you mean. The thing is, it used to work like this before the upgrade to 4.5.5, and we didn't have to do all of those things you mention.
ASKER
I had a call with Cristian and he gave some further explanation of the issue. Changing my SSL-VPN client range to a small range within my LAN subnet did the job.
Thank you so much for your help Cristian!
ASKER CERTIFIED SOLUTION
You will need to do SNAT, or put your SSLVPN_TUNNEL_ADDR1 addresses in the same subnet as IPSEC-ABC_local_subnet_1.
The traffic will be sent from the SSL-VPN to the FortiGate, and the FortiGate will send your traffic over the VPN due to the matching route, but it will not return due to the IPsec policy.
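Both fixes the accepted solution describes, written out as FortiOS CLI. This is an added example, not configuration from the original post, from Cristian or from Fortinet. The addressing is assumed: 10.1.0.0/24 as the local LAN covered by the IPsec phase 2 selector, 10.2.0.0/24 as the remote site, the FortiOS default SSL-VPN range 10.212.134.200-10.212.134.210, the pool address 10.1.0.250 and the pool name "SSLVPN-IPSEC-SNAT". The object and interface names from the question are reused as-is.

```fortios
# Added example with assumed addressing. The symptom in the thread is a
# selector mismatch: the FortiGate routes SSL-VPN client packets into the
# IPsec interface, but the phase 2 selectors only cover the LAN subnet, so
# the tunnel never carries (or returns) traffic sourced from the SSL-VPN
# range. Either make the source look like a LAN address (option A) or make
# the SSL-VPN range part of the LAN subnet (option B, what the asker did).

# --- Objects referenced by the question's policy (assumed values)
config firewall address
    edit "IPSEC-ABC_local_subnet_1"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "IPSEC-ABC_remote_subnet_1"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

# --- Option A: SNAT to an explicit address inside the local selector.
# The policy in the question already has "set nat enable", but with no IP
# pool the source is translated to the egress interface address, and a
# route-based IPsec interface normally has none. Name a pool instead, using
# an address that is inside 10.1.0.0/24 and not handed out on the LAN.
config firewall ippool
    edit "SSLVPN-IPSEC-SNAT"
        set type overload
        set startip 10.1.0.250
        set endip 10.1.0.250
    next
end

config firewall policy
    edit 9
        set srcintf "ssl.root"
        set dstintf "IPSEC-ABC"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "IPSEC-ABC_remote_subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "sslvpn_usergroup"
        set nat enable
        set ippool enable
        set poolname "SSLVPN-IPSEC-SNAT"
    next
end

# --- Option B (instead of A): hand SSL-VPN clients addresses from a small,
# unused slice of the LAN subnet. Their packets then already match the
# existing phase 2 selectors on both peers, and the policy needs no NAT.
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.1.0.240
        set end-ip 10.1.0.249
    next
end

config firewall policy
    edit 9
        set nat disable
    next
end

# --- Check: selectors actually negotiated, and packets entering/leaving
# the tunnel interface for the remote subnet.
# diagnose vpn tunnel list name IPSEC-ABC
# diagnose sniffer packet IPSEC-ABC 'net 10.2.0.0/24' 4 20
```

With option B, keep the chosen slice out of the LAN DHCP scope and off any static hosts, since the FortiGate now claims those addresses for SSL-VPN clients. In either option the remote peer needs no change as long as its own selectors and routes already cover 10.1.0.0/24; the sniffer output is the quickest way to see whether replies are coming back over IPSEC-ABC or never leaving in the first place.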