Web portal traffic coming from MGMT port when traversing PtP IPsec VPN

Author
Duncan
Bronze Member
  • Total Posts : 26
  • Scores: 2
  • Reward points: 0
  • Joined: 2018/09/11 20:10:29
  • Status: offline
2020/01/28 16:50:39 (permalink) 6.0
0

Web portal traffic coming from MGMT port when traversing PtP IPsec VPN

We have been using the remote access SSL VPN for some time. We were using a private WAN to connect our three sites together. Recently, we removed the WAN and set up a site-to-site IPsec VPN over the Internet. This has been working fine for a few weeks except today I noticed a problem. I cannot connect to resources over the IPsec VPN from the remote access web portal. We especially use the RDP option. I have been playing around with firewall rules and it all looks good. I now believe the problem is because the traffic is originating from the default MGMT IP (192.168.1.99). I know this because a sniffer reveals this:
49.628847 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
50.622905 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
52.623622 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
56.635057 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
64.667940 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
This seems to only apply to the web portal traversing over the IPsec VPN. If I remove any one of those, it works fine. Does anyone know if it is possible to change the originating IP? Alternatively, I guess I could reconfigure this management IP to be inside our site ranges.
 
Three sites
Three FortiGates: 200E, 100E, 100E
All running 6.0.7
post edited by Duncan - 2020/01/28 16:51:53
#1
Toshi Esumi
Expert Member
  • Total Posts : 2234
  • Scores: 215
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Web portal traffic coming from MGMT port when traversing PtP IPsec VPN 2020/01/28 17:35:46 (permalink) ☄ Helpful by Duncan 2020/01/28 18:21:07
5 (1)
First, you're using web mode SSL VPN. If it's a tunnel mode with FortiClient, individual users have their own source IP you set in a pool. Second, you don't seem to have an IP address configured on the tunnel interface "VPNInt". If you're using interface mode/route-based IPsec (phase1-interface/phase2-interface) you're supposed to set an IP on both ends of the tunnel. Then in this case, that IP would be used to access the remote resources over the tunnel.
#2
Duncan
Bronze Member
  • Total Posts : 26
  • Scores: 2
  • Reward points: 0
  • Joined: 2018/09/11 20:10:29
  • Status: offline
Re: Web portal traffic coming from MGMT port when traversing PtP IPsec VPN 2020/01/28 18:22:34 (permalink)
0
Thanks mate. That makes sense. I don't recall reading about setting an IP in the tutorial. How is this done? Via standard CLI interface commands I assume. Can you point me in the direction of the doco?
#3
Toshi Esumi
Expert Member
  • Total Posts : 2234
  • Scores: 215
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Web portal traffic coming from MGMT port when traversing PtP IPsec VPN 2020/01/28 22:08:58 (permalink) ☼ Best Answer by Duncan 2020/01/30 01:00:45
5 (1)
You can find some examples if you search for "FortiGate site-to-site VPN CLI configuration" on the internet. But it's so simple I'll explain it here:

It's under "config sys int". After getting into "edit VPNInt", just run "show" to see what's configured now. Then add the below to the existing config. The IPs below are just an example. You can change them to any private IP set.

config sys interface
   edit VPNInt
      set ip 10.0.0.1 255.255.255.255
      set allowaccess ping
      set remote-ip 10.0.0.2 255.255.255.255
   next
end

You need to reverse "set ip" and "set remote-ip" on the other end obviously. Don't worry about the /32 netmask, because these two /32s would be injected into the routing table as "connected routes" separately. So they don't actually have to be in a /30, but it's better to be in case the other side is not a FGT.

GUI config examples often don't have this part of the config, which I hate, because it causes problems like yours and denies the biggest benefit of "interface mode/route-based" IPsec vs. "policy-based". You can treat it just like a regular interface on a router.
#4
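As an added example that is not part of this thread, the following parses sniffer lines in the format Duncan posted and flags outbound SYNs that are retransmitted with an unchanged sequence number from a source address that is not the tunnel interface IP, which is exactly the symptom of a tunnel interface with no address configured. The sample lines, the tunnel IP 10.0.0.1 (taken from Toshi's example config) and the healthy flow added for contrast are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's sniffer output: five SYN
# retransmissions (identical sequence number) leaving VPNInt from the default
# management address, plus one constructed healthy flow sourced from the
# tunnel interface IP for contrast.
SNIFFER_OUTPUT = """\
49.628847 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
50.622905 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
52.623622 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
56.635057 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
64.667940 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
70.100000 VPNInt out 10.0.0.1.3108 -> 10.30.16.18.3389: syn 4000000001
70.120000 VPNInt in 10.30.16.18.3389 -> 10.0.0.1.3108: syn 2000000002 ack 4000000002
"""

# One sniffer line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)


def parse(text):
    """Yield one dict per sniffer line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def stalled_syns(text, tunnel_ips, min_repeats=3):
    """Return [(src, 'dst:port', repeats)] for outbound bare SYNs retransmitted
    with the same sequence number whose source is not a tunnel interface IP.
    That source mismatch is the thread's root cause: with no IP on VPNInt the
    FortiGate sourced the web-portal session from the management address."""
    seen = defaultdict(int)
    for p in parse(text):
        flags = p["flags"].split()
        if p["dir"] != "out" or flags[0] != "syn" or "ack" in flags:
            continue  # only initial SYNs from this side are of interest
        if p["src"] in tunnel_ips:
            continue  # correctly sourced from the tunnel address
        seq = flags[1]  # same seq repeated means retransmission, not a new try
        seen[(p["src"], f'{p["dst"]}:{p["dport"]}', seq)] += 1
    return [(src, dst, n) for (src, dst, _), n in seen.items() if n >= min_repeats]
```

Once both ends carry the /32 pair from the answer above, the same check should return an empty list because every SYN leaving VPNInt is sourced from the tunnel IP.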
Duncan
Bronze Member
  • Total Posts : 26
  • Scores: 2
  • Reward points: 0
  • Joined: 2018/09/11 20:10:29
  • Status: offline
Re: Web portal traffic coming from MGMT port when traversing PtP IPsec VPN 2020/01/30 01:00:20 (permalink)
0
Thanks mate. Worked a treat.
#5