locals919
New Member
April 29, 2018
Question

SSL traffic doesn't go through the IPsec tunnel with the SSL subnet

  • April 29, 2018
  • 2 replies
  • 7305 views

Hi Guys,

I have seen so many threads on this topic and I followed each and every one, but no success so far. I would like to explain my situation. I have made a tunnel (route-based) between FGT and Cisco ASA, and that is working fine with no issue. I have included all my networks (local, SSL and remote) in the IPsec phase 2 selectors and implemented the policies as required. My SSL users can connect to the FGT successfully and can reach my local network, but can't get through into the IPsec tunnel.

After a few attempts, I used a trick and changed my SSL subnet to be the same as my local subnet; then I got through into the tunnel and the SSL user can use resources on both the local and remote network. BUT obviously this is not the solution I want to see. I want to understand what is missing in my configuration. I would really appreciate any advice.

Local Subnet - 192.168.2.0/24

Remote Subnet - 192.168.40.0/24

SSL Subnet - 10.10.10.0/24

Regards,

Moami

    Toshi_Esumi
    SuperUser
    April 29, 2018

    SSL VPN traffic comes from ssl.root (if not in a VDOM environment), just like IPsec comes from its own interface. So you have to have a route for the 10.10.10.0/24 subnet to ssl.root and a policy from (and to, if the local side or the other end of the IPsec needs to reach them) the SSL VPN clients. Probably you know this part well.

    Then, the IPsec needs to carry the traffic from/to 10.10.10.0/24, so the ASA needs to have a proper route and policy (I'm not an ASA expert) for the same subnet. My guess is on the ASA side.

    locals919 (Author)
    New Member
    April 30, 2018

    Hi,

    Thanks for the reply.

    I have already configured routing on the FGT: one static route to the IPsec tunnel pointing to the remote network, and one static route to ssl.root pointing to 10.10.10.0/24. The policies are set from IPsec to ssl.root and from ssl.root to IPsec.

    The IPsec tunnel is up and running. I have configured a default route on the ASA pointing to the internet and set up a policy to allow the FGT local and SSL subnets. Still can't access the IPsec tunnel via the SSL client.

    The only way things work is to change my SSL subnet to be the same as the local subnet; then I can connect to the tunnel via SSL.

    I would appreciate any advice.

    Regards

    rwpatterson
    New Member
    April 30, 2018

    Make sure the static route to both tunnels is lower than the default gateway distance.

    locals919 (Author)
    New Member
    May 2, 2018

    Thanks guys for your comments!

    I have fixed this issue. I have done the following steps:

    FGT End:

    - Created IPsec tunnel (policy-based)

    - Allowed policy LAN to WAN with IPsec action for the site-to-site tunnel

    - Using one default route 0.0.0.0/0.0.0.0 ---> WAN

    - Allowed policy for ssl.root to IPsec with action IPsec, including local and remote protected traffic

    ASA End:

    - Created object groups for local, remote and SSL

    - Created access-list and allowed protected traffic

    - Disabled NAT

    - Created default route outside 0.0.0.0/0.0.0.0 ---> next hop

    Enjoy! :)
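The checks Toshi_Esumi lists (a route for the SSL pool to ssl.root, a policy from ssl.root into the tunnel, the tunnel actually carrying the SSL pool, and the ASA knowing about the same subnet) and the fix posted above can be walked through as a small model. The following Python is an added example, not something posted in the thread or a Fortinet/Cisco tool. It uses the three subnets from the question; the interface names `to-asa`, `wan1` and `lan`, the client address 10.10.10.5 and the remote host 192.168.40.10 are constructed. It models the route-based design of the original question (the final fix used a policy-based tunnel instead), with the ASA's crypto ACL and NAT exemption treated as the mirror of the FortiGate phase 2 selectors, and shows why the "change the SSL subnet to the LAN subnet" trick happened to work.

```python
"""Model of the hops a flow from an SSL VPN client must clear to be carried in
the FortiGate <-> ASA tunnel (added example; interface names and sample
addresses are constructed, subnets are the ones posted in the thread)."""
import ipaddress
from dataclasses import dataclass, field

LOCAL = ipaddress.ip_network("192.168.2.0/24")     # FGT LAN
REMOTE = ipaddress.ip_network("192.168.40.0/24")   # ASA LAN
SSL_POOL = ipaddress.ip_network("10.10.10.0/24")   # SSL VPN client pool
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class FortiGate:
    routes: list                 # (destination network, egress interface)
    policies: set                # allowed (src_intf, dst_intf) pairs
    selectors: list              # phase 2 selectors as (local_net, remote_net)
    tunnel_intf: str = "to-asa"  # assumed name of the route-based IPsec interface


@dataclass
class Asa:
    crypto_acl: list             # (asa_local_net, asa_remote_net): mirror of FGT selectors
    no_nat: list = field(default_factory=list)   # NAT exemptions, same pair shape


def lookup_route(fgt, dst_ip):
    """Egress interface for dst_ip by longest-prefix match, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, intf in fgt.routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None


def check_path(fgt, asa, src_ip, dst_ip, ingress="ssl.root"):
    """Return the reasons src_ip -> dst_ip would miss the tunnel (empty list = all good).

    Hops checked: FGT route, FGT policy, FGT phase 2 selector, then the ASA's
    crypto ACL and NAT exemption seen from its side (our dst is its local)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    problems = []
    egress = lookup_route(fgt, dst_ip)
    if egress != fgt.tunnel_intf:
        problems.append(f"FGT routes {dst} out {egress}, not {fgt.tunnel_intf}")
    if (ingress, fgt.tunnel_intf) not in fgt.policies:
        problems.append(f"FGT has no policy {ingress} -> {fgt.tunnel_intf}")
    if not any(src in loc and dst in rem for loc, rem in fgt.selectors):
        problems.append(f"no FGT phase 2 selector covers {src} -> {dst}")
    if not any(dst in loc and src in rem for loc, rem in asa.crypto_acl):
        problems.append(f"ASA crypto ACL has no mirror entry for {dst} <-> {src}")
    if not any(dst in loc and src in rem for loc, rem in asa.no_nat):
        problems.append(f"ASA would NAT return traffic {dst} -> {src} past the tunnel")
    return problems


def fgt_route_based():
    """FGT as the question describes it: SSL pool already in the selectors."""
    return FortiGate(
        routes=[(DEFAULT, "wan1"), (REMOTE, "to-asa"), (SSL_POOL, "ssl.root")],
        policies={("lan", "to-asa"), ("to-asa", "lan"),
                  ("ssl.root", "to-asa"), ("to-asa", "ssl.root")},
        selectors=[(LOCAL, REMOTE), (SSL_POOL, REMOTE)],
    )


def asa_before():
    """ASA that only knows the FGT LAN: Toshi_Esumi's guess at the problem."""
    return Asa(crypto_acl=[(REMOTE, LOCAL)], no_nat=[(REMOTE, LOCAL)])


def asa_after():
    """ASA with the SSL pool added to its objects, ACL and NAT exemption."""
    return Asa(crypto_acl=[(REMOTE, LOCAL), (REMOTE, SSL_POOL)],
               no_nat=[(REMOTE, LOCAL), (REMOTE, SSL_POOL)])


if __name__ == "__main__":
    client, host = "10.10.10.5", "192.168.40.10"   # constructed sample addresses
    print("before:", check_path(fgt_route_based(), asa_before(), client, host))
    # The workaround from the thread: a client addressed out of the LAN range
    # matches the ASA's existing LAN entries, so the old ASA config "works".
    print("trick: ", check_path(fgt_route_based(), asa_before(), "192.168.2.50", host))
    print("after: ", check_path(fgt_route_based(), asa_after(), client, host))
```

Run stand-alone, the "before" case reports only ASA-side gaps (no crypto ACL mirror and no NAT exemption for the SSL pool), the "trick" case reports nothing because a LAN-range client is already covered by the LAN entries, and the "after" case is clean. The same function can be pointed at other source/destination pairs to see which hop a flow fails on before touching the devices.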