Christer
New Member
February 22, 2008
Question

SSL VPN access to multiple subnets

  • February 22, 2008
  • 3 replies
  • 6080 views
Is there anyone who can explain how to configure the following case: Site A (headquarters) has a FGT60B (192.168.10.0/24) and site B has a FGT50A (192.168.3.0/24). We also have sites C, D, E and F with the same config. There are static site-to-site tunnels between Site A and all of the other sites. Site A has SSL/VPN configured. For better control I want all remote users to access Site A instead of connecting to "their own" FGTs. All the sites can connect and work with servers in site A without any problem. Now, remote users need to access site B also. I have tried for a couple of days with this config, but no success. All firmware is MR6. From what I can understand, in MR6 there must be rules from ssl.root to something. Do I need to use concentrators as well? Thanks in advance //Christer


    rwpatterson
    New Member
    February 23, 2008
    If I understand this correctly, you wish all remote users to connect to site A via SSL VPN, then cruise through the IPSec tunnels to the other remote sites. If that is the case, then you need to make policies from ssl.root/IP address of remote user to site (C or D or E or F)/site subnet. This is easy if you defined the IPSec tunnels in interface mode. I would just make a zone of all these interfaces and make a single policy to this zone. If the SSL access already works, and the IPSec routing is already in place and working, this should be all you need to do. If you are using policy based IPSec tunnels it gets a bit more crazy.
    Christer (Author)
    New Member
    February 24, 2008
    I'm using policy-based VPN for all tunnels. Maybe the only way is to use concentrators anyway? /Christer
    rwpatterson
    New Member
    February 24, 2008
    Have you tried making an accept policy from ssl.root to the subnet address group? Also, have you ensured that there is a static route from the SSL VPN IP address back to ssl.root? That's no longer done automatically and must be done manually in MR6. Look in your static routes. The SSL VPN IP addresses in place before the conversion will be there as a guide.
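
The two checks suggested in the reply above (an accept policy from ssl.root to each remote subnet, and a static route for the SSL VPN client range back to ssl.root), written as a small offline audit. This is an added example, not part of the thread and not FortiOS code; the simplified policy and route model, the client range 10.254.254.0/24, the zone name vpn_zone and the site C subnet are assumptions constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample data; only the site B subnet comes from the thread.
POOL = ip_network("10.254.254.0/24")  # hypothetical SSL VPN client range
SITES = {
    "site_b": ip_network("192.168.3.0/24"),  # from the question
    "site_c": ip_network("192.168.4.0/24"),  # constructed
}
ROUTES = [(ip_network("10.254.254.0/24"), "ssl.root")]  # (destination, device)
POLICIES = [  # simplified model of firewall policies, evaluated top-down
    {"srcintf": "ssl.root", "dstintf": "vpn_zone",  # hypothetical zone name
     "src": POOL, "dst": [ip_network("192.168.3.0/24")], "action": "accept"},
]

def return_route_ok(pool, routes):
    """True if the most specific route covering the pool uses ssl.root."""
    covering = [(dst, dev) for dst, dev in routes if pool.subnet_of(dst)]
    if not covering:
        return False
    return max(covering, key=lambda r: r[0].prefixlen)[1] == "ssl.root"

def policy_allows(pool, subnet, policies):
    """First matching ssl.root policy decides; no match means implicit deny."""
    for p in policies:
        if p["srcintf"] != "ssl.root" or not pool.subnet_of(p["src"]):
            continue
        if any(subnet.subnet_of(d) for d in p["dst"]):
            return p["action"] == "accept"
    return False

def audit(pool, sites, routes, policies):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if not return_route_ok(pool, routes):
        findings.append("no static route for the SSL VPN range via ssl.root")
    for name, subnet in sites.items():
        if not policy_allows(pool, subnet, policies):
            findings.append(f"{name}: no accept policy from ssl.root to {subnet}")
    return findings

if __name__ == "__main__":
    for finding in audit(POOL, SITES, ROUTES, POLICIES):
        print(finding)
```

With the sample data, site B passes and site C is reported, because the only ssl.root policy lists the site B subnet as its destination.
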
    Christer (Author)
    New Member
    February 24, 2008
    Thanks Bob. I have tried an accept policy from ssl.root to the subnet and I've also checked the routes back to ssl.root. I think I will check if I can change the IPSec tunnels from policy to interface mode. It looks easier to configure SSL VPN access to multiple subnets that way. //Christer
    rwpatterson
    New Member
    February 24, 2008
    That was my next suggestion. (It works that way for me.) Good luck.
    Contributor
    February 28, 2008
    I am also trying to accomplish the same thing. Would there be any difference in configuration for MR5 instead of MR6? Scott