Site to Site SSL

Author: AbdullahMohamed (New Member)
2021/06/09 04:24:09 (permalink)

Site to Site SSL

Hello Dears,
Now I have a FG located in AWS and a branch FortiGate; this branch FG has only two active ports, internal and external.
Now I am using the new SSL site-to-site feature (started from firmware 7.0), and after using it I have two issues:
1- The internal users can normally access the internal subnet in AWS, BUT I cannot know the IP of the internal user from AWS, as all users are NATed by the tunnel IP address assigned. Is there any way to know the true source IP of the internal user?
2- The VPN tunnel goes down after a random time and I have to disable and enable it to re-authenticate. How can I make it always up like IPsec tunnels? Generally it is not as stable as IPsec.
#1

5 Replies

    emnoc (Expert Member)
    Re: Site to Site SSL 2021/06/09 05:01:29 (permalink)
    It's expected, it's a new feature, but what I would do in this case, since it's hub-spoke, is to use IPsec. It works and works well for site-2-site VPNs. I do not consider the vpn-ssl site-2-site in the traditional sense; you are a vpn-client, no different than a FortiClient from that perspective.
     
    Also when it's down, did you do any debug ?
     
    I would start 1st by taking your source-interface and throwing that in a sniffer
     
    e.g.
        diag sniffer packet wan1 "host x.x.x.x"
     
    Since you have so much at play (AWS, EIP, new feature, etc.), I would open a support case.
     
    Ken Felix
     
     

    PCNSE 
    NSE 
    StrongSwan  
    #2
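    To make the sniffer suggestion above concrete for the first question in the original post (whether the AWS side can see the real LAN source or only the tunnel-assigned address), here is an added example that is not from the thread or from Fortinet. It parses a constructed sample of `diagnose sniffer packet` output (the line layout is an assumption modelled on the verbosity-4 format) captured on the hub's inside interface, and classifies the inbound sources as tunnel-NATed, real branch-LAN addresses, or other. The tunnel IP, LAN subnet and interface name are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `diagnose sniffer packet` output (assumed verbosity-4 style
# layout). Addresses are placeholders: 10.212.134.200 stands for the SSL VPN
# tunnel-assigned IP, 192.168.1.0/24 for the branch LAN, 172.31.0.0/16 for AWS.
SAMPLE_SNIFFER_OUTPUT = """\
2021-06-09 04:24:09.100001 port1 in 10.212.134.200.51234 -> 172.31.0.10.443: syn 100
2021-06-09 04:24:09.100200 port1 out 172.31.0.10.443 -> 10.212.134.200.51234: syn 200 ack 101
2021-06-09 04:24:10.100003 port1 in 10.212.134.200.51235 -> 172.31.0.10.22: syn 300
2021-06-09 04:24:11.100004 port1 in 10.212.134.200.51236 -> 172.31.0.11.3389: syn 400
2021-06-09 04:24:12.100005 port1 in 192.168.1.50.40000 -> 172.31.0.10.443: syn 500
"""

# One sniffer line: timestamp, interface, direction, src.port -> dst.port: flags
LINE_RE = re.compile(
    r"^(?P<ts>\S+\s+\S+)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_sniffer(text):
    """Return one dict per parseable sniffer line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify_sources(records, tunnel_ip, lan_subnet, direction="in"):
    """Count inbound source addresses by category.

    tunnel_nat: packets whose source is the tunnel-assigned IP (real client hidden)
    lan:        packets whose source is inside the branch LAN subnet (real client visible)
    other:      anything else seen on the interface
    """
    lan = ipaddress.ip_network(lan_subnet)
    seen = {"tunnel_nat": Counter(), "lan": Counter(), "other": Counter()}
    for r in records:
        if r["dir"] != direction:
            continue
        src = r["src"]
        if src == tunnel_ip:
            seen["tunnel_nat"][src] += 1
        elif ipaddress.ip_address(src) in lan:
            seen["lan"][src] += 1
        else:
            seen["other"][src] += 1
    return seen


def source_hidden(records, tunnel_ip, lan_subnet):
    """True when every inbound packet arrives NATed to the tunnel IP and none
    carries a branch-LAN source, i.e. the hub cannot attribute traffic to a user."""
    seen = classify_sources(records, tunnel_ip, lan_subnet)
    return sum(seen["tunnel_nat"].values()) > 0 and not seen["lan"]


if __name__ == "__main__":
    recs = parse_sniffer(SAMPLE_SNIFFER_OUTPUT)
    summary = classify_sources(recs, "10.212.134.200", "192.168.1.0/24")
    for category, counter in summary.items():
        print(category, dict(counter))
    print("all sources hidden behind tunnel IP:",
          source_hidden(recs, "10.212.134.200", "192.168.1.0/24"))
```

    If the capture shows only the tunnel IP as a source, per-user attribution has to happen on the branch side (its own traffic logs keyed on the original LAN address) rather than at the hub, which is the behaviour the replies describe for a client-mode tunnel.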
    Yurisk (Platinum Member)
    Re: Site to Site SSL 2021/06/09 06:15:22 (permalink)
    SSL VPN as a client is described this way in the documentation, so it is not correct to call it "site2site" but client-to-site. And in such a case it is normal and expected for the FortiGate to hide the internal LAN, being the client.
    So, if you are doing it in production, abandon this ssl-client thing (at least until FortiOS 7.0.4) and use regular IPsec, which works perfectly well with AWS. If, on the other hand, you are playing with it for the adventure of it and to be a pioneer, great; when you find the answers be sure to update us, we'll be thankful :).
     

    Yuri
    https://yurisk.info/ blog: All things Fortinet, no ads.
    #3
    emnoc (Expert Member)
    Re: Site to Site SSL 2021/06/09 09:40:58 (permalink)
    Agreed, and if you want IPsec client dialup, the FortiGate has always supported this.
     
    http://socpuppet.blogspot.com/2019/10/fortigate-dialup-vpn-ipsec-from-2nd.html
     
     
    The sslvpn does the same, but with SSL ;) Neither are true lan-2-lan fwiw.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #4
    AbdullahMohamed (New Member)
    Re: Site to Site SSL 2021/06/10 04:07:47 (permalink)
    Hello dears,
    I cannot use IPsec, as according to my country's policy they are not allowing IPsec tunnels through dynamic public IPs, and for static ones you must buy a LL to have it, so I have to use SSL.
    #5
    emnoc (Expert Member)
    Re: Site to Site SSL 2021/06/10 08:28:07 (permalink)
    So is GRE or L2TP being blocked? Just curious 
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #6