- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiGate SSL-VPN configuration and troubleshootin...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate SSL-VPN configuration and troubleshooting
I would like to connect directly from the SSL-VPN segment to the spokes segment.
This is network layout.
[PC]--<Internet SSLVPN>----[FGT60E@HUB]----<IPsecVPN>----[FGT60E@SPOKE1]----[LAN@SPOKE1]
|
|
|
----<IPsecVPN>----[FGT60E@SPOKE2]----[LAN@SPOKE2]
・Connection 1 below will be connected.
1-1.Connect to SSL-VPN via the Internet(IP address assignment by DHCP)
1-2.RDP connection from SSL-VPN segment to [FGT60E@HUB-LAN] segment's PC
1-3.Connection from that PC to [LAN@SPOKE1] segment's PC
・Connection 2 below will be not connected.
1-1.Connect to SSL-VPN via the Internet(IP address assignment by DHCP)
1-2.RDP connection from SSL-VPN segment to [LAN@SPOKE1] segment's PC
I want to implement Connection 2.
In addition to the LAN interface, [FGT60E@HUB] also has a DMZ interface.
When I ran TRACEROUTE at Conneciton2, the next hop reached the DMZ interface, resulting in an error.
I'm wondering if I need to add more routing or change the priority.
There is no problem <IPSecVPN>.
config [FGT60E@HUB] is as follows.
config system interface
edit "wan1"
set mode pppoe
set role wan
next
edit "dmz"
set ip 192.168.1.254 255.255.255.0
next
edit "internal"
set ip 172.16.1.254 255.255.255.0
next
config firewall policy
edit 1
set srcintf "ssl.root"
set dstintf "spoke1"
set srcaddr "all"
set dstaddr "LAN@SPOKE1"
set action accept
set schedule "always"
set service "ALL"
set groups "SSL-VPN-GRP"
set nat enable
next
edit 2
set srcintf "ssl.root"
set dstintf "spoke2"
set srcaddr "all"
set dstaddr "LAN@SPOKE2"
set action accept
set schedule "always"
set service "ALL"
set groups "SSL-VPN-GRP"
set nat enable
next
config router static
edit 1
set dst [IP address]
set device "spoke1"
next
edit 2
set dst [IP address]
set device "spoke2"
next
Regards
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey squid-c,
this is maybe a stupid question, but:
- you have policies from SSLVPN to spoke1 IPSec, and spoke2 IPSec, correct?
- those policies have NAT enabled?
-> the interfaces "spoke1" and "spoke2" are IPSec tunnel interfaces, I assume?
-> do the tunnel interfaces even have IPs set?
- usually, I see setup to allow traffic from SSLVPN to IPSec VPN as follows:
-> have routing and policies in place, and NO NAT
-> add the SSLVPN client IP range (set in SSLVPN settings and/or individual portals) to local P2 selectors in IPSec VPN
-> ensure the remote site has a route back for that subnet, allows the SSLVPN subnet, and has it added to P2 selectors
As an easier alternative (to integrate into existing IPSec setups), when you enable NAT in the policies simply ensure the traffic from SSLVPN has a source NAT to an IP that matches to existing P2 selectors (like NAT to an IP in the local LAN range).
IF the issue is with NAT as I suspect, either of the two options (NAT to something aside from interface IP, or disable NAT and route the sslvpn range) should resolve it,
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey squid-c,
this is maybe a stupid question, but:
- you have policies from SSLVPN to spoke1 IPSec, and spoke2 IPSec, correct?
- those policies have NAT enabled?
-> the interfaces "spoke1" and "spoke2" are IPSec tunnel interfaces, I assume?
-> do the tunnel interfaces even have IPs set?
- usually, I see setup to allow traffic from SSLVPN to IPSec VPN as follows:
-> have routing and policies in place, and NO NAT
-> add the SSLVPN client IP range (set in SSLVPN settings and/or individual portals) to local P2 selectors in IPSec VPN
-> ensure the remote site has a route back for that subnet, allows the SSLVPN subnet, and has it added to P2 selectors
As an easier alternative (to integrate into existing IPSec setups), when you enable NAT in the policies simply ensure the traffic from SSLVPN has a source NAT to an IP that matches to existing P2 selectors (like NAT to an IP in the local LAN range).
IF the issue is with NAT as I suspect, either of the two options (NAT to something aside from interface IP, or disable NAT and route the sslvpn range) should resolve it,
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the late reply.
This is solved. (I made sure his advice was set up properly.)
>In addition to the LAN interface, [FGT60E@HUB] also has a DMZ interface.
The cause was that the DMZ interface's type was 「physical」 interface.
Resolve it by changing the type to 「switch」 interface.
I think there is something wrong with the physical interface, but I don't really understand the cause.
It's resolved for now, but I'm still wondering.
Related Posts
- Log messages when forwarding traffic 134 Views
- Issues with activating proxy mode in... 82 Views
- Deactivate License 120 Views
- BGP modify the mask of a... 141 Views
- Migration of NAT/PAT rules from a... 247 Views
Labels
-
FortiGate
6,535 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.