Arie Lavi asked:

SSL VPN to IPsec

Hi all,
I have a FW problem.
I've got two FortiGate firewalls connected by IPsec VPN, which is working great. Users can also connect to the main site with SSL VPN. The problem is that an SSL VPN user can't get to the remote site computers.
The main site address is 192.168.1.0/24,
The remote site address is 10.0.0.0/24
The SSL VPN address is 172.16.0.(100-110).
The phase 2 in the IPsec VPN is configured with 0.0.0.0 and I've tried all the policies from the cookbooks I could find, but I still can't get it to work. The SSL tunnel is split and the remote site address is configured in it.
What am I doing wrong?
Are there any suggestions on how I can resolve it?

Thanks in advance
Tags: Fortigate, Internet Protocol Security, VPN

Last comment: Qlemo, 8/22/2022 - Mon
John

I am not familiar with the Fortigate, but using Cisco I would set up two different tunnels, one for IPsec and one for SSL. Did you set up a separate tunnel for the SSL users?
Qlemo

The general issue with such connections is that they need to use "hairpinning": receiving, decrypting, encrypting and sending all on the same interface. That is not as simple as it looks ;-):

The FortiGate has good tracing capabilities, starting with policy logging and traffic logging.
I would start with a traceroute on the client to "remote site". This should show if the SSL VPN is passed at all.
Then switch on logging for both concerned policies - the dial-in one and the site-2-site, then send one or more pings, and check the logs.
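The pieces Qlemo's diagnostic steps exercise, written out as FortiGate CLI for the addresses in the question. This is an added example, not the thread's accepted answer or any poster's configuration; the IPsec interface name "to-remote", the SSL VPN portal name "full-access", the user group "sslvpn-users" and the address object "main-site" are assumed names.

```fortios
# Address objects for the SSL VPN pool and the remote LAN from the question.
config firewall address
    edit "sslvpn-pool"
        set type iprange
        set start-ip 172.16.0.100
        set end-ip 172.16.0.110
    next
    edit "remote-site"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Split tunnel: the client must receive a route for the remote site,
# not only for the main site, or 10.0.0.0/24 never enters the SSL tunnel.
# "full-access" and "main-site" are assumed names.
config vpn ssl web portal
    edit "full-access"
        set split-tunneling enable
        set split-tunneling-routing-address "main-site" "remote-site"
    next
end

# Hairpin policy: from the SSL VPN interface straight into the IPsec
# tunnel interface. "logtraffic all" is what makes the "send a ping,
# then check the logs" step show a hit (or the absence of one).
# "to-remote" and "sslvpn-users" are assumed names.
config firewall policy
    edit 0
        set name "sslvpn-to-remote"
        set srcintf "ssl.root"
        set dstintf "to-remote"
        set srcaddr "sslvpn-pool"
        set dstaddr "remote-site"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With the phase 2 selectors at 0.0.0.0/0 as in the question, no extra selector is needed for the pool, but the remote FortiGate still needs a policy from its tunnel interface to its LAN that allows 172.16.0.0/24 as the source and a route for that range back into the tunnel, otherwise the ping arrives and the reply is dropped.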
ASKER CERTIFIED SOLUTION
Sandeep Gupta

Qlemo

Arie Lavi, you cannot be serious in accepting that last comment.
It is important that you choose comments that really are at least part of the solution.