Technical Tip: Allowing SSL VPN users to access remote LAN via IPsec
Description

Scope
Solution
For v5:
- Web mode (identity-based policy, action ssl-vpn):
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "local_192.168.1.0/24"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "Guest-group"
                set service "ALL"
                set sslvpn-portal "full-access"
            next
        end
    next
end
- Tunnel mode:
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Tunnel mode with the user group selected in the policy (v5.2):
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set groups "Guest-group"
        set service "ALL"
    next
end
The address object "SSLVPN_TUNNEL" is the SSL VPN tunnel IP range 192.168.8.0/24.
On FGT1:
- Existing policies for IPsec to access internal networks:
config firewall policy
    edit 0
        set srcintf "Ipsec1"
        set dstintf "port1"
        set srcaddr "remote_10.10.1.0/24"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "port1"
        set dstintf "Ipsec1"
        set srcaddr "local_192.168.1.0/24"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Static route pointing to the remote LAN 10.10.1.0/24:
config router static
    edit 0
        set device "Ipsec1"
        set dst 10.10.1.0 255.255.255.0
    next
end
To check if the routes are learned:
get router info routing-table database
For SSL VPN users to access the remote LAN through IPsec, these policies are needed:
For web mode:
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "Ipsec1"
        set srcaddr "all"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
For tunnel mode:
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "Ipsec1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
In v5.2, users or user groups must be selected in this policy.
On FGT2:
- Existing policies for IPsec to access internal networks with adjustments for SSL VPN access:
config firewall policy
    edit 0
        set srcintf "Ipsec2"
        set dstintf "port2"
        set srcaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
        set dstaddr "local_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "port2"
        set dstintf "Ipsec2"
        set srcaddr "local_10.10.1.0/24"
        set dstaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Static routes, including one for the SSL VPN tunnel range 192.168.8.0/24 so that replies to SSL VPN clients are sent back into the IPsec tunnel:
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "Ipsec2"
    next
    edit 0
        set dst 192.168.8.0 255.255.255.0
        set device "Ipsec2"
    next
end
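The reason FGT2 needs both adjustments (SSLVPN_TUNNEL in the policy source and a static route for 192.168.8.0/24) becomes clear when the first packet of an SSL VPN client's session is followed through both firewalls. The Python model below is an added example, not Fortinet code and not part of the original article: it reproduces the checks a FortiGate applies to the first packet of a session (reverse-path check on the source, route lookup for the destination, ordered policy match, implicit deny) and runs them over the interfaces, address objects, policies and static routes given above. The client address 192.168.8.10, the remote host 10.10.1.5 and the single 192.168.8.0/24 route on ssl.root are constructed assumptions (a live FortiGate installs per-client host routes for the tunnel range).

```python
import ipaddress
from dataclasses import dataclass

# Address objects named in the article; SSLVPN_TUNNEL is the 192.168.8.0/24
# range the article states. Everything else in this file is an added model.
ADDRESSES = {
    "local_192.168.1.0/24": "192.168.1.0/24",
    "remote_192.168.1.0/24": "192.168.1.0/24",
    "local_10.10.1.0/24": "10.10.1.0/24",
    "remote_10.10.1.0/24": "10.10.1.0/24",
    "SSLVPN_TUNNEL": "192.168.8.0/24",
}

def _in(ip, names):
    """True if ip falls inside any of the named address objects."""
    return any(ip in ipaddress.ip_network(ADDRESSES[n]) for n in names)

@dataclass
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: tuple
    dstaddr: tuple

@dataclass
class FortiGate:
    name: str
    routes: dict    # "prefix" -> egress interface (connected + static)
    policies: list  # ordered; first match wins, no match = implicit deny

    def egress(self, ip):
        """Longest-prefix match over the route table; None if unrouted."""
        ip, best = ipaddress.ip_address(ip), None
        for prefix, dev in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        return best[1] if best else None

    def forward(self, srcintf, src, dst):
        """Checks applied to the first packet of a session, in FortiOS order:
        reverse-path check (default loose mode: some route to the source must
        exist), route lookup for the destination, then ordered policy match."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.egress(src) is None:
            return False, f"{self.name}: reverse-path check fails, no route to {src}"
        dstintf = self.egress(dst)
        if dstintf is None:
            return False, f"{self.name}: no route to {dst}"
        for p in self.policies:
            if ((p.srcintf, p.dstintf) == (srcintf, dstintf)
                    and _in(src, p.srcaddr) and _in(dst, p.dstaddr)):
                return True, f"{self.name}: {srcintf}->{dstintf} accepted"
        return False, f"{self.name}: implicit deny {srcintf}->{dstintf} for {src}->{dst}"

FGT1 = FortiGate("FGT1", routes={
    "192.168.1.0/24": "port1",     # connected LAN
    "192.168.8.0/24": "ssl.root",  # assumed: one prefix for the SSL VPN clients
    "10.10.1.0/24": "Ipsec1",      # static route from the article
}, policies=[
    Policy("Ipsec1", "port1", ("remote_10.10.1.0/24",), ("local_192.168.1.0/24",)),
    Policy("port1", "Ipsec1", ("local_192.168.1.0/24",), ("remote_10.10.1.0/24",)),
    Policy("ssl.root", "port1", ("SSLVPN_TUNNEL",), ("local_192.168.1.0/24",)),
    Policy("ssl.root", "Ipsec1", ("SSLVPN_TUNNEL",), ("remote_10.10.1.0/24",)),
])

def make_fgt2(ssl_in_policy=True, ssl_route=True):
    """FGT2 with or without the two adjustments the article makes for SSL VPN."""
    routes = {"10.10.1.0/24": "port2", "192.168.1.0/24": "Ipsec2"}
    if ssl_route:
        routes["192.168.8.0/24"] = "Ipsec2"
    remote = ("remote_192.168.1.0/24",) + (("SSLVPN_TUNNEL",) if ssl_in_policy else ())
    return FortiGate("FGT2", routes, [
        Policy("Ipsec2", "port2", remote, ("local_10.10.1.0/24",)),
        Policy("port2", "Ipsec2", ("local_10.10.1.0/24",), remote),
    ])

def trace(client_ip, remote_host, fgt2):
    """Follow an SSL VPN client's first packet FGT1 -> IPsec -> FGT2, then make
    sure FGT2 routes the reply back into the IPsec tunnel. Returns (ok, log)."""
    ok, msg = FGT1.forward("ssl.root", client_ip, remote_host)
    log = [msg]
    if ok:
        ok, msg = fgt2.forward("Ipsec2", client_ip, remote_host)
        log.append(msg)
    if ok:
        back = fgt2.egress(client_ip)
        log.append(f"FGT2: reply to {client_ip} leaves via {back}")
        ok = back == "Ipsec2"
    return ok, log

if __name__ == "__main__":
    for label, fgt2 in [("article config", make_fgt2()),
                        ("no SSLVPN_TUNNEL in srcaddr", make_fgt2(ssl_in_policy=False)),
                        ("no route to 192.168.8.0/24", make_fgt2(ssl_route=False))]:
        ok, log = trace("192.168.8.10", "10.10.1.5", fgt2)
        print(f"{label}: {'OK' if ok else 'FAIL'}\n  " + "\n  ".join(log))
```

Running the script shows the two failure modes side by side: without the static route FGT2 rejects the packet at the reverse-path check before any policy is consulted (with a default route present the check would pass in loose mode, but the reply would still leave via the wrong interface), and without SSLVPN_TUNNEL in the source of the Ipsec2-to-port2 policy the packet hits the implicit deny. The web-mode policy from FGT1 is not modelled because in web mode the FortiGate itself originates the traffic.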
Best practices:
If more than one portal is configured with tunnel access, each portal must have a unique IP range for its clients, and that range must not overlap with the internal or remote network subnets. All of these IP pools must be selected in the SSL settings.
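These rules are easy to verify mechanically before a second portal goes live. The Python script below is an added example (not from the article and not a Fortinet tool); it models the objects involved as plain dictionaries (the address objects used as IP pools, the pools assigned to each tunnel-mode portal, the pools selected in the SSL settings, and the internal and remote subnets) and reports every violation of the practice stated above. SSLVPN_TUNNEL and the portal full-access come from the article; the pool SSLVPN_TUNNEL_2, the portal limited-access and the ranges in the bad layout are constructed sample values.

```python
import ipaddress
from itertools import combinations

def check_portal_pools(pools, portals, ssl_settings_pools, subnets):
    """Return a list of findings; an empty list means the layout follows the practice.

    pools:              {pool_name: "prefix"}            address objects used as IP pools
    portals:            {portal_name: [pool_name, ...]}  pools assigned to each tunnel-mode portal
    ssl_settings_pools: names of the pools selected in the SSL settings
    subnets:            {name: "prefix"}                 internal and remote LANs
    """
    findings = []
    nets = {n: ipaddress.ip_network(p, strict=False) for n, p in pools.items()}
    lans = {n: ipaddress.ip_network(p, strict=False) for n, p in subnets.items()}
    selected = set(ssl_settings_pools)

    # Every tunnel-mode portal needs at least one pool, each pool must exist,
    # and each pool in use must be selected in the SSL settings.
    owners = {}
    for portal, names in portals.items():
        if not names:
            findings.append(f"portal {portal}: no IP pool assigned")
        for name in names:
            owners.setdefault(name, []).append(portal)
            if name not in nets:
                findings.append(f"portal {portal}: unknown pool {name}")
            elif name not in selected:
                findings.append(f"pool {name} (portal {portal}) is not selected in SSL settings")

    # A pool must belong to exactly one portal (unique range per portal).
    for name, ps in owners.items():
        if len(ps) > 1:
            findings.append(f"pool {name} is shared by portals {', '.join(ps)}")

    # Pools must not overlap each other ...
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"pools {a} ({na}) and {b} ({nb}) overlap")

    # ... nor any internal or remote subnet.
    for name, net in nets.items():
        for lan, lnet in lans.items():
            if net.overlaps(lnet):
                findings.append(f"pool {name} ({net}) overlaps {lan} ({lnet})")
    return findings

# Constructed sample layouts. The subnets are the article's; SSLVPN_TUNNEL_2
# and limited-access are assumed names for a second pool and portal.
SUBNETS = {"local_192.168.1.0/24": "192.168.1.0/24", "remote_10.10.1.0/24": "10.10.1.0/24"}

GOOD_LAYOUT = dict(
    pools={"SSLVPN_TUNNEL": "192.168.8.0/24", "SSLVPN_TUNNEL_2": "192.168.9.0/24"},
    portals={"full-access": ["SSLVPN_TUNNEL"], "limited-access": ["SSLVPN_TUNNEL_2"]},
    ssl_settings_pools=["SSLVPN_TUNNEL", "SSLVPN_TUNNEL_2"],
    subnets=SUBNETS,
)

# Three violations: a pool shared by two portals, a pool carved out of the
# internal LAN, and a pool that was never selected in the SSL settings.
BAD_LAYOUT = dict(
    pools={"SSLVPN_TUNNEL": "192.168.8.0/24", "SSLVPN_TUNNEL_2": "192.168.1.128/25"},
    portals={"full-access": ["SSLVPN_TUNNEL"], "limited-access": ["SSLVPN_TUNNEL", "SSLVPN_TUNNEL_2"]},
    ssl_settings_pools=["SSLVPN_TUNNEL"],
    subnets=SUBNETS,
)

if __name__ == "__main__":
    for label, layout in [("good", GOOD_LAYOUT), ("bad", BAD_LAYOUT)]:
        print(label, check_portal_pools(**layout) or "no findings")
```

The pool and subnet prefixes map directly onto the address objects a FortiGate uses for `set ip-pools` on a portal and `set tunnel-ip-pools` in the SSL settings, so the dictionaries can be filled from a `show full-configuration` export by hand.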
For v5.2.x:

For v5.0.x:

Basic troubleshooting:
- Testing a ping from the SSL VPN client to a remote host with the sniffer:
diagnose sniffer packet any "host x.x.x.x and icmp" 4 0 a
or
diagnose sniffer packet any "host x.x.x.x and icmp" 6 0 a
(verbosity 6 includes the packet data, which can be converted into a pcap file for Wireshark)
Press Ctrl+C to stop the sniffer. The host is either the IP of the SSL VPN client or the host on the remote network.
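What to look for in that sniffer output is the same four-packet pattern every time: the echo request arriving on ssl.root, the same request leaving on Ipsec1, the reply arriving on Ipsec1 and the reply leaving on ssl.root. The Python helper below is an added example, not part of the article: it parses lines in the shape of verbosity-4 output (timestamp, interface, direction, source, destination, protocol summary), records which of the four legs were seen, and names the first missing leg together with the part of the configuration above that is responsible for it. The captured lines, the client address 192.168.8.10 and the remote host 10.10.1.5 are constructed sample values.

```python
import re

# Constructed sample in the shape of verbosity-4 output from
# diagnose sniffer packet any "host 10.10.1.5 and icmp" 4 0 a   (run on FGT1)
SAMPLE = """\
interfaces=[any]
filters=[host 10.10.1.5 and icmp]
2024-01-10 09:15:01.101010 ssl.root in 192.168.8.10 -> 10.10.1.5: icmp: echo request
2024-01-10 09:15:01.101200 Ipsec1 out 192.168.8.10 -> 10.10.1.5: icmp: echo request
2024-01-10 09:15:01.104500 Ipsec1 in 10.10.1.5 -> 192.168.8.10: icmp: echo reply
2024-01-10 09:15:01.104600 ssl.root out 10.10.1.5 -> 192.168.8.10: icmp: echo reply
"""
# The same capture truncated after the request left on Ipsec1 (no reply from FGT2's side).
NO_REPLY = "\n".join(SAMPLE.splitlines()[:4])
# Truncated after the request arrived on ssl.root (dropped on FGT1 itself).
DROPPED_ON_FGT1 = "\n".join(SAMPLE.splitlines()[:3])

LINE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) (?P<src>[\d.]+) -> (?P<dst>[\d.]+): "
    r"icmp: echo (?P<kind>request|reply)$"
)

def parse(text):
    """Return one dict per ICMP echo line; header lines and other traffic are skipped."""
    return [m.groupdict() for m in (LINE.match(l.strip()) for l in text.splitlines()) if m]

def diagnose(text, client, remote, ingress="ssl.root", egress="Ipsec1"):
    """Name the first missing leg of the request/reply path between client and remote."""
    seen = {(p["intf"], p["dir"], p["kind"]) for p in parse(text)
            if {p["src"], p["dst"]} == {client, remote}}
    if (ingress, "in", "request") not in seen:
        return "request never reached the FortiGate on ssl.root: check the client tunnel and IP pool"
    if (egress, "out", "request") not in seen:
        return "request dropped on FGT1: check the ssl.root->Ipsec1 policy and the route to the remote LAN"
    if (egress, "in", "reply") not in seen:
        return "no reply from the remote side: check the FGT2 policy source addresses and its route to the SSL VPN range"
    if (ingress, "out", "reply") not in seen:
        return "reply dropped on FGT1: check the session with debug flow"
    return "ok"

if __name__ == "__main__":
    for label, capture in [("full", SAMPLE), ("no reply", NO_REPLY), ("dropped", DROPPED_ON_FGT1)]:
        print(f"{label}: {diagnose(capture, '192.168.8.10', '10.10.1.5')}")
```

When the sniffer is run on FGT2 instead, pass `ingress="Ipsec2"` and `egress="port2"`; the same four legs apply there, and a request seen on Ipsec2 that never leaves on port2 points at the policy or the reverse-path check on FGT2.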
- Testing with debug flow (proto 1 = ICMP, proto 6 = TCP, proto 17 = UDP):
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 1000
(now start pinging)
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset