Skip to main content
philip_nl
philip_nl
Visitor III
July 5, 2023
Question

SSL-VPN routing

  • July 5, 2023
  • 2 replies
  • 3763 views

Hello,

I'm running into one issue concerning a laptop connecting with SSL VPN to a FortiGate.

The setup makes use of OSPF routing. The default routing for all traffic goes thru FG-A.

FortiGate FG-B is the entry point for SSL VPN.

Since all traffic has a default route to FG-A, the laptop cannot make a connection to FG-B, because that traffic is routed to FG-A via the IPsec tunnel, and not back to where it came from, the laptop.

I want all traffic go thru FG-A since that one has security profiles.

 

SSL-VPN.jpg

 

When I make one static route for the laptop of FG-B, the result is good for a working SSL VPN for that laptop:

FG-B # diagnose sniffer packet any 'host 1.2.8.201'
interfaces=[any]
filters=[host 1.2.8.201]
8.234645 1.2.8.201.26381 -> 10.0.22.2.443: syn 2953506651
8.234830 10.0.22.2.443 -> 1.2.8.201.26381: syn 1439558356 ack 2953506652
8.272586 1.2.8.201.26381 -> 10.0.22.2.443: ack 1439558357
8.320566 1.2.8.201.26381 -> 10.0.22.2.443: fin 2953506652 ack 1439558357
8.320937 10.0.22.2.443 -> 1.2.8.201.26381: fin 1439558357 ack 2953506653
8.339497 1.2.8.201.26381 -> 10.0.22.2.443: ack 1439558358
8.389289 1.2.8.201.26382 -> 10.0.22.2.443: syn 3605904456

 

Without the static route for the laptop, the result is:

FG-B # diagnose sniffer packet any 'host 1.2.8.201'
interfaces=[any]
filters=[host 1.2.8.201]
16.222300 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175
17.214982 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175
19.233017 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175

 

Since the laptop's IP address is constantly changing, due to providers, and most of the devices have unknown IP adresses, it's difficult to make static routes for those devices.

 

So my question is, how to make it possible, that devices from the internet can succesfully connect to the FortiGate FG2 listening to SSL-VPN connections?

 

2 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
July 5, 2023

With the current network set-up on the FG-B, I don't think this is possible.

My wild idea is to have another connection between the router (maybe lan2 interface) and FG-B (wan2?) then assign a different interconnect subnet. Then set the port forwarding at the router to lan2.

At the FG-B, I would try a lower-priority(high number) static default route to wan2 while wan1 has a higher static default route. With this set up all internet bound traffic from FG-B goes out wan1 while it still accepts and returns traffic to SSL VPNs.

 

This is just my theory and never tested myself. There maybe some fallouts in this theory.

 

But this wocky setup is unnecessary if you simply move SSL VPN to FG-A, which is the common way.

 

Toshi

philip_nl
philip_nlAuthor
Visitor III
July 6, 2023

FG-A is occupied with other port wardings.

Can't imaging that this wocky setup is the first in this world being used.

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
July 6, 2023

I would order additional IP from the ISP to make network more "normal". Or better, eliminate the router by moving the all routing functions into those FGTs if circuit handoff is Ethernet. Basically you have two routers at both locations splitting routing functions (including the VPN) between them.

 

Toshi

ebilcari
Staff
ebilcari
Staff
July 7, 2023

In this particular scenario I would suggest to try the Policy Routes. This need to be tested first, no guarantee that it will work but it's worth a shot. You have to get very specific in the matching conditions and try to select and route only the SSL VPN traffic.

Emirjon
philip_nl
philip_nlAuthor
Visitor III
July 8, 2023

Even with policy routes, you have to know the source IP address. Which are dynamically IP addresses of different providers.

I found a possibilty under:

config vpn ssl settings

   set auto-tunnel-static-route enable

But that does not work (yet).

 

ebilcari
Staff
ebilcari
Staff
July 10, 2023

Yes that's expected, I was suggesting to choose all IPs and test routing based on L4 ports used by the SSL VPN

Emirjon
Terms & ConditionsAccessibility statement