SSL VPN to IPsec
Hi all,
I have a FW problem,
I've got two fortigate firewalls connected by IPsec VPN which is working great. users can connect to the main site also with SSL VPN. The problem is that when an SSL VPN user can't get to the remote site computes,
The main site address is 192.168.1.0/24,
The remote site address is 10.0.0.0/24
The SSL VPN address is 172.16.0.(100-110).
The phase 2 in the IPsec VPN is configurd with 0.0.0.0 and I've tried all the policies from the cookboos I could find but I still can't get it to work. The SSL Tunnel is split and the remote site address is configure in it.
What am I doing wrong?
Is there any suggestions on how can I resolve it?
Thanxs in advance
I have a FW problem,
I've got two fortigate firewalls connected by IPsec VPN which is working great. users can connect to the main site also with SSL VPN. The problem is that when an SSL VPN user can't get to the remote site computes,
The main site address is 192.168.1.0/24,
The remote site address is 10.0.0.0/24
The SSL VPN address is 172.16.0.(100-110).
The phase 2 in the IPsec VPN is configurd with 0.0.0.0 and I've tried all the policies from the cookboos I could find but I still can't get it to work. The SSL Tunnel is split and the remote site address is configure in it.
What am I doing wrong?
Is there any suggestions on how can I resolve it?
Thanxs in advance
Last Comment
John
I am not familiar with the Fortigate but using Cisco, I would set up two different tunnels - one for IPsec and one for SSL. Did you set up a separate tunnel for the SSL users?
The general issue with such connections is that they need to use "hairpinning" - receiving, decryping, encrypting and sending all on the same interface. That is not as simple as it looks like ;-):
The FortiGate has good tracing capabilities, starting with policy logging and traffic logging.
I would start with a traceroute on the client to "remote site". This should show if the SSL VPN is passed at all.
Then switch on logging for both concerned policies - the dial-in one and the site-2-site, then send one or more pings, and check the logs.
The FortiGate has good tracing capabilities, starting with policy logging and traffic logging.
I would start with a traceroute on the client to "remote site". This should show if the SSL VPN is passed at all.
Then switch on logging for both concerned policies - the dial-in one and the site-2-site, then send one or more pings, and check the logs.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Arie Lavi, you cannot be serious by accepting that last comment.
It is important that you choose comments really being at least part of the solution.
It is important that you choose comments really being at least part of the solution.
VPN
A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
26K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
