AbdullahMohamed
New Member
June 9, 2021
Question

Site to Site SSL

  • June 9, 2021
  • 1 reply
  • 4406 views
Hello Dears,

Now I have a FG located in AWS and a branch FortiGate; this branch FG has only two active ports, internal and external. Now I am using the new SSL site-to-site feature (started from firmware 7.0), and after using it I have two issues:

1- The internal users can normally access the internal subnet in AWS, BUT I cannot know the IP of the internal user from AWS, as all users are NATed by the tunnel IP address assigned. Is there any way to know the true source IP of the internal user?
2- The VPN tunnel goes down after a random time and I have to disable and enable it to re-authenticate. How can I make it always up like IPsec tunnels? Generally it's not as stable as IPsec.

    1 reply

    emnoc
    New Member
    June 9, 2021

    It's expected; it's a new feature. But what I would do in this case, since it's hub-spoke, is to use IPsec. It works, and works well for site-2-site VPNs. I do not consider the SSL VPN site-2-site in the traditional sense: you are a VPN client, no different than a FortiClient from that perspective.


    Also, when it's down, did you do any debug?


    I would start first by taking your source interface and throwing that in a sniffer,


    e.g.

        diag packet sniffer wan1 "host x.x.x.x"


    Since you have so much at play (AWS, EIP, new feature, etc.), I would open a support case.


    Ken Felix


    Yurisk
    SuperUser
    June 9, 2021

    SSL VPN as a client is described this way in the documentation, so it is not correct to call it "site2site" but client-to-site. And in such a case it is normal and expected for the FortiGate to hide the internal LAN, being the client.

    So, if you are doing it in production - abandon this SSL-client thing (at least until FortiOS 7.0.4) and use regular IPsec, which works perfectly well with AWS. If, on the other hand, you are playing with it for the adventure of it and to be a pioneer - great; when you find the answers, be sure to update us, we'll be thankful :).


    emnoc
    New Member
    June 9, 2021

    Agreed, and if you want IPsec client dialup, the FortiGate has always supported this.


    http://socpuppet.blogspot.com/2019/10/fortigate-dialup-vpn-ipsec-from-2nd.html


    The SSL VPN does the same, but with SSL ;) Neither are true LAN-2-LAN, FWIW.


    Ken Felix