SSL VPN to IPsec

Hi all,
I have a FW problem,
I've got two fortigate firewalls connected by IPsec VPN which is working great. users can connect to the main site also with SSL VPN. The problem is that when an SSL VPN user can't get to the remote site computes,
The main site address is,
The remote site address is
The SSL VPN address is 172.16.0.(100-110).
The phase 2 in the IPsec VPN is configurd with and I've tried all the policies from the cookboos I could find but I still can't get it to work. The SSL Tunnel is split and the remote site address is configure in it.
What am I doing wrong?
Is there any suggestions on how can I resolve it?

Thanxs in advance
Arie LaviSystem AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
I am not familiar with the Fortigate but using Cisco, I would set up two different tunnels - one for IPsec and one for SSL.  Did you set up a separate tunnel for the SSL users?
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
The general issue with such connections is that they need to use "hairpinning" - receiving, decryping, encrypting and sending all on the same interface. That is not as simple as it looks like ;-):

The FortiGate has good tracing capabilities, starting with policy logging and traffic logging.
I would start with a traceroute on the client to "remote site". This should show if the SSL VPN is passed at all.
Then switch on logging for both concerned policies - the dial-in one and the site-2-site, then send one or more pings, and check the logs.
Sandeep GuptaConsultantCommented:
I think it is routing problem, you need to check where ssl vpn user traffic is dropping?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Arie Lavi, you cannot be serious by accepting that last comment.
It is important that you choose comments really being at least part of the solution.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.