SSL-VPN traffic not passed through Site-to-Site IPSec VPN

obrienw, 2014/01/10 13:58:22

I'm not able to access a branch office on the other side of an IPsec VPN when I SSL-VPN into the HQ. However, I've found a workaround using IP routing in Windows every time I connect, but I'm kind of curious why that's required.

HQ: FG110C, v4 MR3, subnets 10.0.0.0/24, 10.1.0.0/24
Branch office: FWF40C, v4 MR3, subnet 10.6.0.0/24

IPsec VPN (route/interface based) between the two offices. Works fine inside either office.

SSL-VPN on the HQ FortiGate (IP Pool: 172.32.254.0/23). Works fine to the HQ subnets. Split-tunneling is on.

Policies on both FGs allow traffic to and from the ssl.root interface and the ssl.root subnet (172.32...) via the IPsec interface.

Using FortiClient 4.3.5.472.

When I SSL-VPN into the HQ FG, I checked the IP Routes (Windows) and noticed that the 10.0.0.0/24 and 10.1.0.0/24 subnets were added, routed through gateway 172.32.254.2 (the fortissl adapter gateway).

So I just added a route:
route add 10.6.0.0 mask 255.255.255.0 172.32.254.2 if 51
(where 51 is the fortissl interface id number) and blammo, traffic goes through just fine.

Any idea why the branch office subnet isn't automatically being handled by the FortiClient?

    Selective (Gothenburg - Sweden), 2014/01/10 23:43:11
    You need to add the 10.6.0.0 network to your SSL-VPN configuration so that the FortiGate
    pushes that network out to the FortiClient.

    It's done in the firewall policy in "destination address".
    obrienw, 2014/01/11 11:04:30
    Got it, thank you.

    For clarification, this is under the (HQ) wan1 -> port1, Action: SSL-VPN policy. The destination addresses listed there are what are sent to the SSL-VPN client.
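As an added illustration of the fix Selective describes, here is what the relevant FortiOS 4.x CLI looks like once the branch subnet is included in the destination addresses of the wan1 -> port1 SSL-VPN policy. This is an example written for this page, not configuration posted by either participant: the address-object names (HQ_LAN_A, HQ_LAN_B, BRANCH_LAN, SSLVPN_POOL), the policy IDs, the user group sslvpn_users, the portal name full-access and the IPsec phase1-interface names to_branch / to_hq are all assumed, and the lines beginning with # are annotations rather than CLI input.

```fortios
# Added example, not the thread's own config. Object, interface and
# group names are placeholders. HQ FG110C, FortiOS 4.0 MR3 syntax.

config firewall address
    edit "HQ_LAN_A"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "HQ_LAN_B"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "BRANCH_LAN"
        set subnet 10.6.0.0 255.255.255.0
    next
    edit "SSLVPN_POOL"
        set subnet 172.32.254.0 255.255.254.0
    next
end

# Tunnel-mode portal with split tunnelling. With split tunnelling on,
# FortiClient only receives routes for the destination addresses of the
# SSL-VPN policy that matched the user, which is why 10.6.0.0/24 was
# missing from the Windows routing table.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set ip-pools "SSLVPN_POOL"
    next
end

# In 4.x the portal is bound to the user group.
config user group
    edit "sslvpn_users"
        set sslvpn-portal "full-access"
    next
end

config firewall policy
    # The wan1 -> port1 SSL-VPN policy. Before the fix dstaddr held only
    # HQ_LAN_A and HQ_LAN_B, so the client learned 10.0.0.0/24 and
    # 10.1.0.0/24 only. Adding BRANCH_LAN is what pushes 10.6.0.0/24.
    edit 10
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "HQ_LAN_A" "HQ_LAN_B" "BRANCH_LAN"
        set action ssl-vpn
        set schedule "always"
        set service "ANY"
        config identity-based-policy
            edit 1
                set groups "sslvpn_users"
                set schedule "always"
                set service "ANY"
            next
        end
    next
    # Forwarding policy from the SSL-VPN interface into the IPsec tunnel
    # (the poster already had this). "to_branch" is the phase1 name.
    edit 11
        set srcintf "ssl.root"
        set dstintf "to_branch"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "BRANCH_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# Branch FWF40C: the return path. A route-based IPsec tunnel needs a
# static route for the SSL-VPN pool via the tunnel interface, plus the
# policy the poster mentions (policy omitted here).
config router static
    edit 5
        set dst 172.32.254.0 255.255.254.0
        set device "to_hq"
    next
end
```

After the change, reconnect FortiClient and confirm with `route print` on Windows that 10.6.0.0/24 now appears with the fortissl gateway (172.32.254.2 in the thread) without the manual `route add`. Two things worth noting: the destination list of the SSL-VPN policy is, in split-tunnel mode, also the boundary of what remote users can reach, so keep it to the subnets they actually need rather than "all". And 172.32.254.0/23 lies outside 172.16.0.0/12 (which ends at 172.31.255.255), so it is publicly routable address space; the example keeps it only to match the thread, and a pool drawn from RFC 1918 space avoids clients losing access to whoever actually holds that range.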