Arie Lavi
asked on
SSL VPN to IPsec
Hi all,
I have a FW problem.
I've got two FortiGate firewalls connected by an IPsec VPN, which is working great. Users can also connect to the main site with SSL VPN. The problem is that an SSL VPN user can't get to the remote site computers.
The main site address is 192.168.1.0/24,
The remote site address is 10.0.0.0/24
The SSL VPN address is 172.16.0.(100-110).
The phase 2 in the IPsec VPN is configured with 0.0.0.0 and I've tried all the policies from the cookbooks I could find, but I still can't get it to work. The SSL tunnel is split and the remote site address is configured in it.
What am I doing wrong?
Are there any suggestions on how I can resolve it?
Thanks in advance
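As an added example (not the asker's configuration and not Fortinet's own documentation), these are the pieces that have to exist on both FortiGates before an SSL VPN client can be hairpinned into the site-to-site tunnel: a route for the far-end subnet into the tunnel interface, a policy from the SSL VPN interface to the tunnel interface, and on the remote side a return route plus a policy that accepts the SSL VPN client addresses. It assumes an interface-mode (route-based) IPsec tunnel named to_remote on the main site and to_main on the remote site, the SSL VPN on ssl.root, an internal LAN interface named internal, and the address object names shown; all of those names are assumptions.

```fortios
# ---- Main site FortiGate (192.168.1.0/24) ----
# Address objects (names are assumptions)
config firewall address
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 172.16.0.100
        set end-ip 172.16.0.110
    next
    edit "REMOTE_LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Route the remote LAN into the IPsec tunnel interface
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set device "to_remote"
    next
end

# The hairpin: SSL VPN tunnel interface -> IPsec tunnel interface.
# No NAT, so the remote site sees the 172.16.0.x client address and
# needs the return route and policy configured below.
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "to_remote"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "REMOTE_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# With phase 2 selectors of 0.0.0.0/0 on both sides the SSL VPN range is
# already covered; with narrower selectors, 172.16.0.0/24 must be included.

# ---- Remote site FortiGate (10.0.0.0/24) ----
config firewall address
    edit "MAIN_SSLVPN_POOL"
        set type iprange
        set start-ip 172.16.0.100
        set end-ip 172.16.0.110
    next
    edit "LOCAL_LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Return route: the SSL VPN clients live behind the tunnel, not on the LAN
config router static
    edit 0
        set dst 172.16.0.0 255.255.255.0
        set device "to_main"
    next
end

# Policy: IPsec tunnel interface -> internal LAN, accepting the SSL VPN sources
config firewall policy
    edit 0
        set srcintf "to_main"
        set dstintf "internal"
        set srcaddr "MAIN_SSLVPN_POOL"
        set dstaddr "LOCAL_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The remote-side return route is the part most often missed: without it the remote FortiGate has no path back to 172.16.0.x and fails reverse-path checking on the first packet, so the client sees silence even though the main site forwarded the traffic correctly. Keep the source address on the tunnel policy limited to the SSL VPN pool rather than "all", so the remote site only accepts the client range it expects.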
I am not familiar with the Fortigate but using Cisco, I would set up two different tunnels - one for IPsec and one for SSL. Did you set up a separate tunnel for the SSL users?
The general issue with such connections is that they need to use "hairpinning" - receiving, decrypting, encrypting and sending all on the same interface. That is not as simple as it looks ;-)
The FortiGate has good tracing capabilities, starting with policy logging and traffic logging.
I would start with a traceroute on the client to "remote site". This should show if the SSL VPN is passed at all.
Then switch on logging for both concerned policies - the dial-in one and the site-2-site, then send one or more pings, and check the logs.
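The policy logging and ping test suggested above, worked through on the FortiGate CLI as an added example (not from the answer above or from Fortinet documentation). It assumes an SSL VPN client at 172.16.0.100 pinging a remote-site host at 10.0.0.10, an interface-mode tunnel named to_remote, and that the SSL-VPN-to-tunnel policy has ID 5; the same sequence is run on the remote FortiGate to check the return path.

```fortios
# 1. Turn on traffic logging for the policy under test (ID 5 is an assumption)
config firewall policy
    edit 5
        set logtraffic all
    next
end

# 2. Confirm the route for 10.0.0.0/24 really points into the tunnel interface
get router info routing-table all

# 3. Confirm phase 2 is up and its selectors cover the SSL VPN client address
diagnose vpn tunnel list

# 4. Sniff on all interfaces for the test ping; verbosity 4 prints the interface
#    each packet was seen on, which shows whether it left via to_remote at all
diagnose sniffer packet any 'host 172.16.0.100 and host 10.0.0.10 and icmp' 4

# 5. Trace the route and policy lookup the firewall performs for that ping
diagnose debug reset
diagnose debug flow filter saddr 172.16.0.100
diagnose debug flow filter daddr 10.0.0.10
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# ... send the pings from the SSL VPN client now, then stop tracing:
diagnose debug disable
diagnose debug reset
```

In the flow trace, a "find a route" line naming a device other than the tunnel interface means the static route is wrong, "Denied by forward policy check" means no policy matched the ssl.root-to-tunnel direction, and on the remote FortiGate "reverse path check fail" means it has no route back to the 172.16.0.0/24 client range. If the sniffer shows the echo request leaving via the tunnel but nothing returning, the fault is on the remote side, not on the main site.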
Arie Lavi, you cannot be serious by accepting that last comment.
It is important that you choose comments really being at least part of the solution.