yong
New Member
December 2, 2016
Question

Allow traffic from ssl-vpn to enter site to site tunnel on fortigate

  • December 2, 2016
  • 2 replies
  • 24359 views

Hi,


I have 2 x Fortigate 100D in 2 different locations connected to each other by Site-to-Site VPN. I have SSL VPN on 1 site of the UTM and this is to allow remote users to access the LAN of Site A. Is it possible for the existing SSL VPN users to access the LAN of Site B, since the sites are connected to each other using Site-to-Site VPN?


Please advise


thanks

    2 replies

    mateo22it
    New Member
    December 2, 2016

    Hi,


    Yes, you can. I have a similar configuration in my environment. If IP routing between Site A and Site B via the Site-to-Site VPN tunnel works properly (I will assume yes), then it will only be a firewall rules issue. You need to create firewall rules on both FG100Ds (inbound and outgoing). For example, incoming interface "ssl.root" --> outgoing interface VPN-S-t-T.


    BR,

    yong (Author)
    New Member
    December 3, 2016

    Hi,


    Thanks for your comment. I tried setting up the firewall rules but I still cannot access the LAN on Site B. The Site-to-Site VPN tunnel is working.


    I just need the SSL VPN IP range from Site A to be able to access the Site A LAN as well as the Site B LAN. Do I need to create firewall rules in Site B? What should the incoming and outgoing interfaces be, since we are not using SSL VPN in Site B? Do I need to set any static route?


    I am using the latest FortiOS.


    thanks

    rwpatterson
    New Member
    December 3, 2016

    There are two right answers here. The one you choose depends on how the VPN tunnel was built.


    Policy or Interface based VPN:

    You need to NAT the traffic to an unused IP address or range on the LAN on the site A (concentrator) FGT unit. This will masquerade the SSL VPN traffic so that it will match the IP selectors and traverse the tunnel. Nothing needs to be done on the remote unit for this to work as desired.


    Interface based VPN:

    1) Add phase two selectors in both units to cover the SSL VPN IP subnet range

    2) Add policies in both units to cover the new traffic traversing the tunnel

    3) Add a static route to the remote FGT that will point the new subnet back down the IPSec tunnel (lower distance, higher priority)


    Those are your options. In my opinion, the second option is a bit more work but much cleaner to debug in the future, since the traffic coming across presents its native IP address.


    Hope that helps

    Toshi_Esumi
    SuperUser
    December 2, 2016

    You need to have a route for the SSL VPN client subnet on site B FG going toward the tunnel unless SSL VPN client is NATed with an IP within site A subnets at the site A FG.
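As a worked example of rwpatterson's interface-based option (steps 1 to 3) together with Toshi_Esumi's point about the return route on the Site B unit, the FortiOS CLI configuration below shows both units. This is added example configuration, not taken from any of the posters: the tunnel interface names (to_siteB, to_siteA), the LAN port name (lan), the user group (sslvpn_users), and the subnets (SSL VPN clients 10.212.134.0/24, Site A LAN 192.168.1.0/24, Site B LAN 192.168.2.0/24) are assumptions and must be replaced with your own values. The commented-out section at the end shows the alternative NAT option on Site A only, which needs no change on Site B.

```fortios
# ===== Site A FortiGate (terminates the SSL VPN) =====
# Address objects (assumed names/subnets)
config firewall address
    edit "SSLVPN_clients"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "SiteB_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Step 1: extra phase 2 selector so SSL VPN client -> Site B traffic matches the tunnel
config vpn ipsec phase2-interface
    edit "to_siteB_sslvpn"
        set phase1name "to_siteB"
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Step 2 (Site A): policy from the SSL VPN interface into the tunnel, no NAT
config firewall policy
    edit 0
        set name "sslvpn_to_siteB"
        set srcintf "ssl.root"
        set dstintf "to_siteB"
        set srcaddr "SSLVPN_clients"
        set dstaddr "SiteB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"          # narrow this to the services actually needed
        set groups "sslvpn_users"  # ssl.root policies must match a user group
        set logtraffic all
    next
end

# ===== Site B FortiGate =====
config firewall address
    edit "SSLVPN_clients_A"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "SiteB_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Step 1 (mirror): selector must be the reverse of Site A's
config vpn ipsec phase2-interface
    edit "to_siteA_sslvpn"
        set phase1name "to_siteA"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 10.212.134.0 255.255.255.0
    next
end

# Step 2 (Site B): allow tunnel -> LAN for the SSL VPN client range
config firewall policy
    edit 0
        set name "siteA_sslvpn_to_lan"
        set srcintf "to_siteA"
        set dstintf "lan"
        set srcaddr "SSLVPN_clients_A"
        set dstaddr "SiteB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Step 3: return route for the SSL VPN client subnet back down the tunnel
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "to_siteA"
        set distance 10
    next
end

# ===== Alternative (NAT option, Site A only, Site B untouched) =====
# config firewall ippool
#     edit "sslvpn_nat_pool"
#         set startip 192.168.1.250   # unused address on the Site A LAN
#         set endip 192.168.1.250
#     next
# end
# In the "sslvpn_to_siteB" policy add:
#         set nat enable
#         set ippool enable
#         set poolname "sslvpn_nat_pool"
```

After applying this, check on Site B that the route is installed with `get router info routing-table all` (the 10.212.134.0/24 entry should point at to_siteA) and, while a client pings a Site B host, run `diagnose sniffer packet to_siteA 'host 10.212.134.201' 4` on Site B: if requests arrive but replies are missing, the return route or the Site B policy is the problem; if nothing arrives at all, the phase 2 selector or the Site A policy is.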