Support Forum
yong
New Contributor

Allow traffic from ssl-vpn to enter site to site tunnel on fortigate

Hi,

I have 2 x FortiGate 100D at 2 different locations connected to each other by site-to-site VPN. I have SSL VPN on one site of the UTM, and this is to allow remote users to access the LAN of Site A. Is it possible for the existing SSL VPN users to access the LAN of Site B, since it is connected to each other using the site-to-site VPN?

Please advise

thanks

6 REPLIES
mateo22it
New Contributor

Hi,

yes, you can. I have a similar configuration in my environment. If IP routing between Site A and Site B via the site-to-site VPN tunnel works properly (I will assume yes), then it will only be a firewall rules issue. You need to create firewall rules on both FG100Ds (incoming and outgoing). For example, incoming interface "ssl.root" --> outgoing interface VPN-S-t-T.

BR,

yong
New Contributor

Hi,

thanks for your comment. I tried setting up the firewall rules but I still cannot access the LAN on Site B. The site-to-site VPN tunnel is working.

I just need the SSL VPN IP range from Site A to be able to access the Site A LAN as well as the Site B LAN. Do I need to create firewall rules in Site B? What should the incoming and outgoing interfaces be, since we are not using SSL VPN in Site B? Do I need to set any static route?

I am using the latest FortiOS.

thanks

rwpatterson
Valued Contributor III

There are two right answers here. The one you choose depends on how the VPN tunnel was built.

Policy or Interface based VPN:

You need to NAT the traffic to an unused IP address or range on the LAN of the Site A (concentrator) FGT unit. This will masquerade the SSL VPN traffic so that it will match the IP selectors and traverse the tunnel. Nothing needs to be done on the remote unit for this to work as desired.

Interface based VPN:

1) Add phase two selectors in both units to cover the SSL VPN IP subnet range

2) Add policies in both units to cover the new traffic traversing the tunnel

3) Add a static route to the remote FGT that will point the new subnet back down the IPsec tunnel (lower distance, higher priority)

Those are your options. In my opinion, the second option is a bit more work but much cleaner to debug in the future since the traffic coming across presents its native IP address.

Hope that helps

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

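The interface-based option in the reply above (the three steps: phase 2 selectors on both units, policies on both units, and a return route on the remote unit), written out as FortiOS CLI. This is an added example, not configuration posted by rwpatterson or shipped by Fortinet, and every name and address in it is an assumption: Site A LAN 192.168.1.0/24 on interface "internal", Site B LAN 192.168.2.0/24, SSL VPN client range 10.212.134.0/24 (the default SSLVPN_TUNNEL_ADDR1 object), the IPsec tunnel interface named "to-siteB" on Site A and "to-siteA" on Site B, an SSL VPN user group "sslvpn-users", and a tunnel-mode portal "full-access" with split tunneling enabled.

```text
# ---- Site A (SSL VPN concentrator) ----
# Address objects (assumed names and subnets)
config firewall address
    edit "SiteA-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "SiteB-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Step 1: extra phase 2 selector, SSL VPN client range <-> Site B LAN
config vpn ipsec phase2-interface
    edit "to-siteB-sslvpn"
        set phase1name "to-siteB"
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Step 2: policy from the SSL VPN interface into the IPsec tunnel.
# No NAT, so Site B sees the client's real 10.212.134.x address.
# Scope srcaddr/dstaddr to the two ranges rather than "all".
config firewall policy
    edit 0
        set name "sslvpn-to-siteB"
        set srcintf "ssl.root"
        set dstintf "to-siteB"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SiteB-LAN"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# With split tunneling on, the client only sends listed networks into the
# SSL VPN. Site B must be in that list or its traffic never reaches Site A.
config vpn ssl web portal
    edit "full-access"
        set split-tunneling enable
        set split-tunneling-routing-address "SiteA-LAN" "SiteB-LAN"
    next
end

# ---- Site B ----
config firewall address
    edit "SiteA-SSLVPN"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "SiteB-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Step 1: mirror-image phase 2 selector
config vpn ipsec phase2-interface
    edit "to-siteA-sslvpn"
        set phase1name "to-siteA"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 10.212.134.0 255.255.255.0
    next
end

# Step 3: return route so replies to SSL VPN clients go back into the tunnel
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "to-siteA"
        set distance 10
    next
end

# Step 2: policy from the tunnel to the Site B LAN, limited to the client range
config firewall policy
    edit 0
        set name "sslvpn-from-siteA"
        set srcintf "to-siteA"
        set dstintf "internal"
        set srcaddr "SiteA-SSLVPN"
        set dstaddr "SiteB-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To check it: `diagnose vpn tunnel list name to-siteB` on Site A should list the new 10.212.134.0/24 to 192.168.2.0/24 selector next to the existing LAN-to-LAN one, `diagnose sniffer packet to-siteB 'net 10.212.134.0/24' 4` should show client packets entering the tunnel interface, and `get router info routing-table all` on Site B should show 10.212.134.0/24 via to-siteA. If the selector exists on one side only, phase 2 for that pair will not come up and the traffic is dropped silently; if the Site B policy is missing, the implicit deny at Site B drops it, which is the intended fail-closed behaviour.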
jabjoernstad

Hi rwpatterson,

I have the same issue. But I don't have FGT in both ends... Do you have an example for how to set up the solution with NAT?

I have tried without success.

BR

Jon Anders

rwpatterson
Valued Contributor III

Create an IP pool with an unused IP address in the LAN space that is allowed to transit the tunnel. In the SSL VPN policy that points to Site B, enable NAT and use the IP address from the pool you just created. This will send all SSL VPN traffic to the remote subnet using the one IP address in the pool. Something to be aware of with this setup:

All traffic hitting any remote servers will share the MAC/IP address of the FGT interface/IP pool.

If that remote subnet has servers that you need compliance logging on, you won't have much success with that simple approach. At the end of the day, you will reach that subnet though.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

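The IP-pool variant described above as FortiOS CLI. Again this is an added example, not configuration posted in the thread, and it reuses the same assumed names: Site A LAN 192.168.1.0/24 on "internal", Site B LAN as the address object "SiteB-LAN", the IPsec tunnel interface "to-siteB", the SSL VPN range object SSLVPN_TUNNEL_ADDR1, the group "sslvpn-users", the portal "full-access", and 192.168.1.250 as an address that is assumed to be free on the Site A LAN. Only Site A is configured; the existing 192.168.1.0/24 <-> 192.168.2.0/24 phase 2 selector and Site B's existing LAN-to-LAN policy and route already cover the masqueraded address, which is the whole point of this approach (and also why Site B cannot tell the SSL VPN users apart).

```text
# ---- Site A only ----
# One unused LAN address that every SSL VPN client will appear as at Site B.
# A single-address overload pool; startip == endip.
config firewall ippool
    edit "sslvpn-to-siteB-snat"
        set type overload
        set startip 192.168.1.250
        set endip 192.168.1.250
    next
end

# SSL VPN -> tunnel policy with source NAT to the pool. The SNAT is what
# makes the flow match the existing LAN-A <-> LAN-B phase 2 selector.
# logtraffic stays on here because this is the only place the real client
# address and user name are still visible.
config firewall policy
    edit 0
        set name "sslvpn-to-siteB-nat"
        set srcintf "ssl.root"
        set dstintf "to-siteB"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SiteB-LAN"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "sslvpn-to-siteB-snat"
        set logtraffic all
    next
end

# The client still has to route Site B into its SSL VPN tunnel when
# split tunneling is enabled.
config vpn ssl web portal
    edit "full-access"
        set split-tunneling enable
        set split-tunneling-routing-address "SiteA-LAN" "SiteB-LAN"
    next
end
```

To confirm the masquerade is applied, set `diagnose sys session filter dst 192.168.2.10` (any Site B host) and run `diagnose sys session list` while a client is connected: the session entry should show `act=snat` with the client's 10.212.134.x address translated to 192.168.1.250. The trade-off from the reply above is visible right there: Site B's logs and any host-based firewall rules on the remote servers only ever see 192.168.1.250, so per-user audit has to be done from Site A's forward traffic log, and anything at Site B that is allowed for 192.168.1.250 is allowed for every SSL VPN user.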
Toshi_Esumi
SuperUser

You need to have a route for the SSL VPN client subnet on the Site B FG going toward the tunnel, unless the SSL VPN client is NATed with an IP within the Site A subnets at the Site A FG.
