Allow traffic from ssl-vpn to enter site to site tunnel on fortigate

Author
yong
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/08/11 18:30:45
  • Status: offline
2016/12/02 01:04:49 (permalink)
0

Allow traffic from ssl-vpn to enter site to site tunnel on fortigate

Hi,
 
I have 2 x Fortigate 100D on 2 different location connected to each other by Site-to-Site VPN. I have SSL VPN on 1 site of the UTM and this is to allow remote users to access to LAN of Site A. Is it possible for the existing SSL VPN users to access to LAN of Site B since it is connected to each other using Site-to-Site VPN?
 
Please advise
 
thanks
#1

6 Replies

    mateo22it
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/12/01 02:36:44
    • Status: offline
    Re: Allow traffic from ssl-vpn to enter site to site tunnel on fortigate 2016/12/02 02:40:46 (permalink)
    0
    Hi,
     
    Yes, you can. I have a similar configuration in my environment. If IP routing between Site A and Site B via the Site-to-Site VPN tunnel works properly (I will assume yes), then it will be only a firewall rules issue. You need to create firewall rules on both FG100D (inbound and outgoing). For example, incoming interface "ssl.root" --> outgoing interface VPN-S-t-T.
     
    BR,
    #2
    Toshi Esumi
    Expert Member
    • Total Posts : 1624
    • Scores: 137
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Allow traffic from ssl-vpn to enter site to site tunnel on fortigate 2016/12/02 09:32:05 (permalink)
    0
    You need to have a route for the SSL VPN client subnet on site B FG going toward the tunnel unless SSL VPN client is NATed with an IP within site A subnets at the site A FG.
    #3
    yong
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/08/11 18:30:45
    • Status: offline
    Re: Allow traffic from ssl-vpn to enter site to site tunnel on fortigate 2016/12/02 21:49:47 (permalink)
    0
    Hi,
     
    Thanks for your comment. I tried setting up the firewall rules but I still cannot access the LAN on Site B. The Site-To-Site VPN tunnel is working.
     
    I just need the SSL VPN IP range from Site A to be able to access the Site A LAN as well as the Site B LAN. Do I need to create firewall rules in Site B? What should the incoming and outgoing interfaces be, since we are not using SSL VPN in Site B? Do I need to set any static route?
     
    I am using the latest FortiOS.
     
    thanks
    #4
    rwpatterson
    Expert Member
    • Total Posts : 8404
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: Allow traffic from ssl-vpn to enter site to site tunnel on fortigate 2016/12/03 06:23:46 (permalink)
    0
    There are two right answers here. The one you choose depends on how the VPN tunnel was built.
     
    Policy or Interface based VPN:
    You need to NAT the traffic to an unused IP address or range on the LAN on the site A (concentrator) FGT unit. This will masquerade the SSL VPN traffic so that it will match the IP selectors and traverse the tunnel. Nothing needs to be done on the remote unit for this to work as desired.
     
    Interface based VPN:
    1) Add phase two selectors in both units to cover the SSL VPN IP subnet range
    2) Add policies in both units to cover the new traffic traversing the tunnel
    3) Add a static route to the remote FGT that will point the new subnet back down the IPSec tunnel (lower distance, higher priority)
     
    Those are your options. In my opinion, the second option is a bit more work but much cleaner to debug in the future since the traffic coming across presents its native IP address.
     
    Hope that helps

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #5
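As an added illustration of the second (interface-based, no-NAT) option described in the reply above, here is what the three steps look like in FortiOS CLI on both units. This is example configuration written for this thread, not a config posted by the author. All names and addresses are assumptions: the phase1 interfaces "SiteB-VPN" (on site A) and "SiteA-VPN" (on site B), the SSL VPN client pool 10.212.134.0/24, the site B LAN 192.168.2.0/24 on port "internal", and the address objects referenced in the policies. Replace them with the values from your own boxes.

```fortios
# ---------- Site A (the SSL VPN concentrator) ----------
# Step 1: phase 2 selector covering the SSL VPN client subnet -> site B LAN
config vpn ipsec phase2-interface
    edit "SiteB-p2-sslvpn"
        set phase1name "SiteB-VPN"
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Step 2: policy letting SSL VPN users into the tunnel, no NAT so the
# client IP is preserved end to end (easier to trace on site B logs)
config firewall address
    edit "SSLVPN-Clients"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "SiteB-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "SSLVPN-to-SiteB"
        set srcintf "ssl.root"
        set dstintf "SiteB-VPN"
        set srcaddr "SSLVPN-Clients"
        set dstaddr "SiteB-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN-Users"
        set nat disable
        set logtraffic all
    next
end

# ---------- Site B (the remote unit) ----------
# Step 1: mirror selector (src/dst swapped relative to site A)
config vpn ipsec phase2-interface
    edit "SiteA-p2-sslvpn"
        set phase1name "SiteA-VPN"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 10.212.134.0 255.255.255.0
    next
end

# Step 3: route the SSL VPN subnet back down the tunnel; low distance and
# priority 0 so it wins over the default route
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "SiteA-VPN"
        set distance 10
        set priority 0
    next
end

# Step 2: policy from the tunnel interface to the LAN, restricted to the
# SSL VPN subnet only so the new selector does not widen LAN exposure
config firewall address
    edit "SiteA-SSLVPN-Clients"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "SiteB-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "SiteA-SSLVPN-to-LAN"
        set srcintf "SiteA-VPN"
        set dstintf "internal"
        set srcaddr "SiteA-SSLVPN-Clients"
        set dstaddr "SiteB-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

A quick way to confirm the routing half is `get router info routing-table all` on site B (the 10.212.134.0/24 entry should point at the tunnel interface) and `diagnose vpn tunnel list` on either side to see the new selector come up; if the policy is missing on site B, the tunnel will carry the packets but site B will drop them, which shows up in the site B forward traffic log rather than on site A.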
    jabjoernstad
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/06/12 02:39:59
    • Status: offline
    Re: Allow traffic from ssl-vpn to enter site to site tunnel on fortigate 2018/09/26 10:02:41 (permalink)
    0
    Hi rwpatterson,
     
    I have the same issue. But I don't have FGT in both ends... Do you have an example for how to set up the solution with NAT?
    I have tried without success.
     
    BR
    Jon Anders
    #6
    rwpatterson
    Expert Member
    • Total Posts : 8404
    • Scores: 195
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: offline
    Re: Allow traffic from ssl-vpn to enter site to site tunnel on fortigate 2018/09/27 11:44:37 (permalink)
    0
    Create an IP pool with an unused IP address in the LAN space that is allowed to transit the tunnel. In the SSL VPN policy that points to site B, enable NAT and use the IP address from the pool you just created. This will send all SSL VPN traffic to the remote subnet using the one IP address in the pool. Something to be aware of with this setup:
    All traffic hitting any remote servers will share the MAC/IP address of the FGT interface/IP pool.
    If that remote subnet has servers that you need compliance logging on, you won't have much success with that simple approach. At the end of the day, you will reach that subnet though.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #7
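To make the IP-pool approach above concrete, here is example FortiOS CLI for the site A unit only (nothing is needed on the far end, which is the point when the remote peer is not a FortiGate). This is added for the thread and is not the poster's own config. Assumed values: the site A LAN is 10.1.1.0/24 and 10.1.1.250 is a free address in that LAN already covered by the tunnel selectors, the tunnel interface is "SiteB-VPN", the SSL VPN client pool is 10.212.134.0/24 and the site B LAN is 192.168.2.0/24.

```fortios
# One-address overload pool inside the site A LAN range. Because the
# tunnel already allows 10.1.1.0/24 <-> 192.168.2.0/24, the masqueraded
# SSL VPN packets match the existing selectors unchanged.
config firewall ippool
    edit "SSLVPN-NAT-POOL"
        set type overload
        set startip 10.1.1.250
        set endip 10.1.1.250
    next
end

config firewall address
    edit "SSLVPN-Clients"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "SiteB-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# SSL VPN -> tunnel policy with source NAT to the pool address.
# All users appear to site B as 10.1.1.250, so keep logtraffic enabled
# here: this log is the only place the real client IP is still visible.
config firewall policy
    edit 0
        set name "SSLVPN-to-SiteB-NAT"
        set srcintf "ssl.root"
        set dstintf "SiteB-VPN"
        set srcaddr "SSLVPN-Clients"
        set dstaddr "SiteB-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN-Users"
        set nat enable
        set ippool enable
        set poolname "SSLVPN-NAT-POOL"
        set logtraffic all
    next
end
```

The trade-off Bob mentions is visible in the second comment: once the pool is in place, any server-side log on site B records 10.1.1.250 for every SSL VPN user, so per-user attribution has to come from the site A forward traffic log (which records the pre-NAT source and the SSL VPN user) rather than from the remote servers.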