febelus
New Member
July 18, 2019
Question

Connect road warrior SSL VPN to site-to-site IPsec tunnel

  • July 18, 2019
  • 2 replies
  • 6496 views

Hi,

I've configured an IPsec site-to-site tunnel and a lot of SSL road warrior VPNs. Now I want to communicate from the SSL road warrior to the IPsec tunnel, but it does not work. I can communicate from SSL to all my network and from IPsec to all my network. I created a policy from SSL to IPsec and vice versa, but the 2 networks do not communicate.


    rwpatterson
    New Member
    July 18, 2019

    Welcome to the forums.


    Are the unreachable networks local to the Fortigate?


    If not:

    Make sure your phase 2 selectors cover the SSL VPN IP ranges.

    Make sure you have all the necessary static routes defined for the remote (and SSL) networks.

    Make sure you have all the necessary policies in place, originating from both directions.
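    The three checks above, written out as a FortiOS CLI fragment. This is an added example, not configuration from the thread or from Fortinet; it assumes the SSL VPN pool is 172.16.198.0/24 (the client in the log is 172.16.198.10), the remote network is 10.100.1.0/24 (the log destination is 10.100.1.4), the phase 1 interface is named AZURE_CLASSIC as the log shows, and address objects SSLVPN_POOL and AZURE_NET already exist for those two subnets.

```text
# Assumed: SSL VPN pool 172.16.198.0/24, remote network 10.100.1.0/24,
# address objects SSLVPN_POOL and AZURE_NET defined for them.
# 1. Phase 2 selectors must include the SSL VPN pool, or traffic arriving
#    on ssl.root is never matched into the tunnel (the peer needs the mirror image).
config vpn ipsec phase2-interface
    edit "AZURE_CLASSIC_SSL"
        set phase1name "AZURE_CLASSIC"
        set src-subnet 172.16.198.0 255.255.255.0
        set dst-subnet 10.100.1.0 255.255.255.0
    next
end
# 2. Static routes: remote network via the tunnel interface, SSL pool via ssl.root.
config router static
    edit 0
        set dst 10.100.1.0 255.255.255.0
        set device "AZURE_CLASSIC"
    next
    edit 0
        set dst 172.16.198.0 255.255.255.0
        set device "ssl.root"
    next
end
# 3. Policies in both directions; the SSL VPN side also carries the user group.
config firewall policy
    edit 0
        set name "SSL-to-Azure"
        set srcintf "ssl.root"
        set dstintf "AZURE_CLASSIC"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "AZURE_NET"
        set groups "VPN_TEST"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Azure-to-SSL"
        set srcintf "AZURE_CLASSIC"
        set dstintf "ssl.root"
        set srcaddr "AZURE_NET"
        set dstaddr "SSLVPN_POOL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Verify: a log with Sent Packets > 0 and Received Packets 0 means no reply
# came back through the tunnel; sniff the tunnel interface during a test.
# diagnose sniffer packet AZURE_CLASSIC 'host 10.100.1.4' 4
```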

    febelus (Author)
    New Member
    July 18, 2019

    Phase 2 IPsec covers the SSL subnet range.

    I've static routes for:

    1. destination remote_subnet_ipsec, no gateway, interface ipsec tunnel
    2. destination remote_subnet_ipsec, no gateway, interface blackhole
    3. destination remote_roadwarrior_ssl, no gateway, interface ssl.root


    I've configured a policy for connections from the ssl.root interface to ipsec_tunnell_interface.


    But IPsec can connect to all subnets but not to the road warrior, and the road warrior can connect to all subnets but not to ipsec_tunnell.


    febelus (Author)
    New Member
    July 18, 2019

    This is the traffic log from roadwarrior_remote (172.16.198.10) to the IPsec remote (10.100.1.4):


    Security: Level notice
    General: Log ID 0000000013, Session ID 666284, Time 17:16:09, Tran Display noop, VDom root
    Source: Device Name FG5H0E5819900765, Group VPN_TEST, Source 172.16.198.10, Source Interface ssl.root, Source Port 51177, Source Interface Role undefined
    Destination: Destination 10.100.1.4, Destination Interface AZURE_CLASSIC, Destination Port 3389, Destination Interface Role undefined
    Action: Firewall Action timeout, Policy ID 110
    Application: Application Type unscanned, Protocol 6, Service RDP
    Data: Duration 18, Received Packets 0, Sent Packets 3
    Type: Sub Type forward, Type traffic
    Others: Policy Type policy

    rwpatterson
    New Member
    July 18, 2019

    What is/are the phase 2 selectors?