Skip to main content
veechee
veechee
New Member
June 26, 2015
Question

Changed from static to OSPF for S2S VPNs, but now can't reach other site via SSLVPN

  • June 26, 2015
  • 4 replies
  • 6391 views

Hi all,

 

Been a while since I posted!  I am hoping somebody can help me figure out an issue!

 

BACKGROUND: I have two sites interconnected with three IPSec VPN tunnels.  I used to use static routing to prioritize them, but yesterday I changed to OSPF (following this document as a guide: http://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf).  It is working fine now between the two sites except for a couple of issues.

 

ISSUE 1:

When we use SSL VPN (always tunnel mode), we need resources at both sites (mainly file shares).  Since the change to OSPF, only resources in the office we connect to can be reached.  I have added the remote interface IPs for the IPSec interfaces for all policies on both FGTs just as they were for the site-to-site IPSec policies.  But traffic doesn't traverse the VPNs.  A traceroute goes nowhere.

 

ISSUE 2:

There are a couple of private subnets outside of the site 1 FGT (FGT1) that need to be access from site 2 (FGT2).  These subnets are defined as static routes on FGT1 with a gateway IP.  There is a policy on FGT1 to allow FGT2 IPSec tunnels to reach the WAN of FGT1, which previously, combined with a static route on FGT2, worked.  But with OSPF, even though I have advertised those subnets on FGT1, I cannot ping resources on those subnets.

 

I am totally new to OSPF... Happy it's working for the S2S VPNs, but I badly need ISSUE 1 fixed so I can keep using it!

 

Appreciate any and all help.

4 replies

veechee
veecheeAuthor
New Member
June 26, 2015

Adding some more info that I think may be relevant:

- Obviously, there is a static route declared for ssl.root on each FGT.  I used 10.x.99.192/255.255.255.192 for it.

- Only few /24 subnets are actually in use on each FGT, however, the routing declaration in OSPF on each box is a /16.  I carried this over from my old static routes, as I had given a /16 to each office before in static routes so I didn't have to maintain so many static routes (remember, I have three WAN interfaces at one site...).  So I declare 10.x.0.0/255.255.0.0 in OSPF.

In the routing monitor, I see that OSPF figures out what subnet is actually used (e.g., 10.x.x.0/24).  Could I be having an issue that my declared OSPF subnet crosses over with my SSLVPN subnet?  I don't think so, but putting it out there...

obfuscated
obfuscated
New Member
June 27, 2015

 

 

In the routing table of Fortigate A (You may have a pet name for it?) do you have an OSPF route for the address range you have assigned the SSL Users when they tunnel into Fortigate B (and vica versa).  If OSPF is not advertising this network across the link then the traffic will go from A to B but it wont know how to get back.  Its then defining how these are advertised or redistributed from a static?

 

 

Ob

emnoc
emnoc
New Member
June 28, 2015

The diag debug flow is your best friend.

 

veechee
veecheeAuthor
New Member
August 27, 2015

Getting back to this...

 

Leaving SSLVPN issues aside, the OSPF has been working well interoffice as all three WAN lines at the remote office are kept up all the time and transfer some data, which I like.

What bothers me though, is if WAN1 goes down (rare since it is the connection with an SLA and moves most of the traffic), I lose all three connections.  OSPF doesn't seem to failover the routing traffic from the WAN1 interface, so all traffic stops.  What do I need to do in order to have WAN2 or WAN3 become an alternate line to move the routing information?

Terms & ConditionsAccessibility statement