IPSec S2S tunnel to Azure: Additional SSL-VPN connectivity not working
Maybe you can give me a hint with the following situation:
We've set up an IPSec S2S connection from our local FortiGate to Azure (virtual gateway, not a full FortiGate Virtual Appliance), following the cookbook: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/587640
This worked like a charm so far, great :)
Now I tried to add the ability to dial into our local network via the existing SSL-VPN connection (FortiClient) and then access the resources on the remote side of the IPSec tunnel.
I tried this cookbook as a reference, but as it's not FortiGate-to-FortiGate, the Wizard won't provide the same settings: https://cookbook.fortinet.com/ssl-vpn-to-ipsec-vpn-56/index.html
Basically it's not working: I can't ping an Azure resource via SSL-VPN remotely, while I can ping it from our local network.
I have checked:
1. Additional policies for SSL-VPN --> IPSec tunnel and back
2. A static route that routes everything for the Azure subnet range down the IPSec tunnel
3. In the SSL-VPN Portal Split Tunneling settings, the Azure subnet range is in the "Routing Address" table, together with the local address range
4. In the IPSec VPN tunnel I changed the "Phase 2 Selectors" from 0.0.0.0 - 0.0.0.0 to two new selectors: "Local to Azure" and "SSLVPN to Azure". Both selectors show Status "Up".
I don't really have a clue about phase 2 selectors though... I tried to deduce this from the second cookbook, where the wizard was used, so I assume I might have gotten something wrong there? I'm not at all certain about the various Encryption/Authentication pairs and the other settings there.
Any help or hints would be appreciated!
Thank you guys & stay safe
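As an added, constructed example (not part of the original post or of either Fortinet cookbook), here is how the pieces listed in the post fit together in FortiOS CLI: a second phase 2 selector for the SSL-VPN client pool, the static route, and the policy pair. The phase 1 name "Azure", the address object and user group names, and all subnets (LAN 192.168.1.0/24, SSL-VPN pool 10.212.134.0/24, Azure VNet 10.1.0.0/16) are assumed placeholders; the proposal and PFS settings are assumed to match whatever the already-working selector uses.

```fortios
# Phase 2: one selector per source network that must reach the Azure VNet.
# Subnets and names below are constructed placeholders.
config vpn ipsec phase2-interface
    edit "Local-to-Azure"
        set phase1name "Azure"            # assumed phase 1 (tunnel) name
        set proposal aes256-sha256        # assumed: copy the working selector's proposal
        set pfs disable                   # assumed: the Azure cookbook disables PFS
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.0.0
    next
    edit "SSLVPN-to-Azure"
        set phase1name "Azure"
        set proposal aes256-sha256
        set pfs disable
        set src-subnet 10.212.134.0 255.255.255.0   # SSL-VPN client pool
        set dst-subnet 10.1.0.0 255.255.0.0
    next
end

# Route the Azure VNet range into the tunnel interface.
config router static
    edit 0
        set dst 10.1.0.0 255.255.0.0
        set device "Azure"
    next
end

# Policies in both directions between the SSL-VPN interface and the tunnel.
config firewall policy
    edit 0
        set name "SSLVPN-to-Azure"
        set srcintf "ssl.root"
        set dstintf "Azure"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"   # default SSL-VPN pool object
        set dstaddr "Azure-VNet"            # assumed address object for 10.1.0.0/16
        set groups "sslvpn-users"           # assumed SSL-VPN user group
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Azure-to-SSLVPN"
        set srcintf "Azure"
        set dstintf "ssl.root"
        set srcaddr "Azure-VNet"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two checks worth running with this in place: `diagnose vpn tunnel list name Azure` should show a separate SA for the 10.212.134.0/24 selector whose counters increase while a client pings, and the Azure Local Network Gateway's address space must also contain the SSL-VPN pool prefix, otherwise Azure has no route for the return traffic into the tunnel.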