New Member

Question

IPsec VPN issue between incoming and outcoming vpn traffic

Forum|Forum|3 years ago
November 29, 2022
3 replies
3330 views

Hello All,

i am a new Fortigate User.

We have configure on our Fortigate Version 7.07 2 VPN Access.
One over SSL VPN, and one over IPSec.

Additional we have an Tunnel VPN between our Company and an other Company over IPsec.

Now in the past, we have physical access from an other company on a local port. After changing the access from directly, to IPSEC we have a little bit trouble with the access.

Both VPN connection for our employeys (SSL VPN & IPSec) must have access to the additional VPN IPsec Connection from our Company Partner.

They must have access to Webserver. So we have a explicit Proxy for our internal Network, all Traffic is outgoing to a ZScaler Server, only the webadresses from our Partner Company are excepted. Internal, and per SSL VPN all traffic works fine.

But after the changeover from the connected Partner Company, the accesss to the Webserver not possible.
I can see in the traffic log, that the connection from IPsec Netzwork is outgoing over the wrong interface.

The traffic for the exceptions for the webproxy is not working.

SSLVPN works fine
IPsec works internal fine, but the exception from the proxy.pac is not used.

I think i canot a route, the ipsec musst have access to the internel ressources. Only in the webproxy defined expections must route the traffic to the additional neu IPsec .

I hope anyone can help me.

Regards
Stefan

FortiGate

Anthony_E

Staff

Hello Stefan,

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Regards,

Best Regards

Anthony_E

Staff

Hello Stefan,

We are still looking for someone to help you.

We will come back to you ASAP.

Regards,

Best Regards

Markus_M

Staff & Editor

Hi Stefan,

your setup and history sounds complicated. It will help to visualize the setup. Not necessarily for us, but generally. Apart from the explicit proxy it sounds like routing problems. Either the end users/site are missing the routes or the FortiGate is.

On the IPsec tunnel in the phase2 config, do make sure that the FortiGate has its own networks listed, the ones that have to be reachable from the other IPsec endpoint. Routes are there done automatic.

Important: If the networks/subnets are not overlapping(!) you can simply create static routes on the FortiGate to go to the certain interfaces for specific subnets.

Overlapping subnets as some historically grown and merged environments might have, are problematic and should be avoided. Routing is not easy and if the networks grow, maintenance on these is getting harder.

What will help on the CLI is to monitor the traffic and from the client to create traffic - icmp/ping

As such on the CLI you can run

diag sniff packet any 'icmp' 4 0 a

It will show you on which interface traffic is received, what are the addresses (src/dst) and the interface traffic is leaving again (provided you have a fitting firewall policy in place). NAT on the FW policy might be tricky and usually not needed as the traffic in internal networks (tunnels are internal) is considered routable.

Hope this helps for starting.

Best regards,

Markus

samreinAuthor

New Member

Hey Markus,

thank you very much for your answer. Now I think we have found the problem. After I corrected the routing addresses, I could see that our traffic is sent through the correct connection port. But the other side did not allow the traffic from the complete sub net. SSL VPN and IPSec are configured on the same sub net, but the other side only has a part from that sub net in its routing table and allowed policies. So I opened a support ticket and hope that the problem will be solved.

Thanks a lot!

Best regards,
Stefan

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded