Skip to main content
pprior
pprior
New Member
June 14, 2022
Solved

SSL VPN to Site2Site VPN

  • June 14, 2022
  • 5 replies
  • 8221 views

Hi!

 

I've 2 Fortigate 40 with a IPSEC tunnel, working great.

Then in each one, I've a SSL vpn for client pc's, they can access local lan in both sites.

Problem is I need to allow access to Site 1 using SSL vpn on Site2.

Tried to adapt this https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn but cant get it to work.

On Site2 I created a policy to allow SSLVPN traffic to access the VPN tunnel:

Income - SSLVPN

Outgoing - IPSEC Tunnel

Source - IP range for SSL and the ssl user group

Destination - The remote subnet on Site1

Tried with and without NAT, but doesnt work.

 

Don´t I need a policy to allow in Site1 also? Tried that also, but doesnt work.

 

Can anyone help or point another example?

 

Thansk in advanced

Best answer by ntaneja

Hi @pprior

 

If the config part is verified as per document shared. Please run below commands and share the output

 

* Login to FGT using putty ssh, log session and run below commands: 
diag debug reset 
diag debug en 
diag debug console timestamp enable 
diag debug flow filter clear 
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with Destination behind site B] 
diag debug flow filter proto 1 
diag debug flow trace start 999

Before executing above commands, ensure that there is no existing sessions from the IP . After executing above commands, connect sslvpn and ping to destination IP behind remote side. Once you see the output generated, enter following commands to turn off debugging- 

diag debug disable 
diag debug reset 

Share the client IP , dst IP for analysis

Log putty sessions first to both devices and then generate traffic.

 

 

Thanks

5 replies

GDiFi
Staff
GDiFi
Staff
June 14, 2022

Is SSL-VPN set to tunnel all or split-tunnel? 

 

You are right you will need an SSL-VPN to IPSEC policy on Site2 and then on Site1 you will need an IPSEC to LAN(or what ever destination port they need). 

 

If you do not NAT the policy on site2, you will need to make sure:

- the two sites do not use the same SSL-VPN subnet

- have the necessary routes on Site1

- IPSEC tunnels on both sides have the SSL-VPN subnet defined.

 

pprior
ppriorAuthor
New Member
June 15, 2022

Hi GDiFi!

It's split-tunnel

I confirm:

- the two sites do not use the same SSL-VPN subnet

- have the necessary routes on Site1 *** I think so...

- IPSEC tunnels on both sides have the SSL-VPN subnet defined. *** I edited the tunnel and it has an address group that includes lan and ssl vpn subnet

seshuganesh
Staff
seshuganesh
Staff
June 15, 2022

Hi Team,

 

Please ensure you have done all the configuration according to this article:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn

Please check and keep us posted

pprior
ppriorAuthor
New Member
June 15, 2022

Tried using 7.0.6 version (current in the 2 fg) as a guide, but the ipsec is working and cannot delete all and restart from scratch, so I adapt it.

ntaneja
Staff & Editor
ntanejaAnswer
Staff & Editor
June 15, 2022

Hi @pprior

 

If the config part is verified as per document shared. Please run below commands and share the output

 

* Login to FGT using putty ssh, log session and run below commands: 
diag debug reset 
diag debug en 
diag debug console timestamp enable 
diag debug flow filter clear 
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with Destination behind site B] 
diag debug flow filter proto 1 
diag debug flow trace start 999

Before executing above commands, ensure that there is no existing sessions from the IP . After executing above commands, connect sslvpn and ping to destination IP behind remote side. Once you see the output generated, enter following commands to turn off debugging- 

diag debug disable 
diag debug reset 

Share the client IP , dst IP for analysis

Log putty sessions first to both devices and then generate traffic.

 

 

Thanks

pprior
ppriorAuthor
New Member
June 15, 2022
 
 Hi  ntaneja, and thanks!
ssl vpn ip on site 1: 10.212.130.1
destination ip on site 2: 192.168.101.2
Log:
2022-06-15 11:44:37 id=20085 trace_id=4 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=1936."
2022-06-15 11:44:37 id=20085 trace_id=4 func=init_ip_session_common line=6042 msg="allocate a new session-0000cc95, tun_id=0.0.0.0"
2022-06-15 11:44:37 id=20085 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.0.1 via Site2Site"
2022-06-15 11:44:37 id=20085 trace_id=4 func=fw_forward_handler line=879 msg="Allowed by Policy-8:"
2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Site2Site, tun_id=0.0.0.0"
2022-06-15 11:44:37 id=20085 trace_id=4 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Site2Site"
2022-06-15 11:44:37 id=20085 trace_id=4 func=esp_output4 line=840 msg="IPsec encrypt/auth"
2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsec_output_finish line=544 msg="send to external.ip.106.1 via intf-wan"
2022-06-15 11:44:41 id=20085 trace_id=5 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=1937."
2022-06-15 11:44:41 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5949 msg="Find an existing session, id-0000cc95, original direction"
2022-06-15 11:44:41 id=20085 trace_id=5 func=npu_handle_session44 line=1183 msg="Trying to offloading session from ssl.root to Site2Site, skb.npu_flag=00000400 ses.state=01010204 ses.npu_state=0x04000100"
2022-06-15 11:44:41 id=20085 trace_id=5 func=fw_forward_dirty_handler line=410 msg="state=01010204, state2=00000001, npu_state=04000100"
2022-06-15 11:44:41 id=20085 trace_id=5 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Site2Site, tun_id=0.0.0.0"
2022-06-15 11:44:41 id=20085 trace_id=5 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Site2Site"
2022-06-15 11:44:41 id=20085 trace_id=5 func=esp_output4 line=840 msg="IPsec encrypt/auth"
2022-06-15 11:44:41 id=20085 trace_id=5 func=ipsec_output_finish line=544 msg="send to external.ip.106.1 via intf-wan"
 
ntaneja
Staff & Editor
ntaneja
Staff & Editor
June 15, 2022

Hi pprior,

 

Log:
2022-06-15 11:44:37 id=20085 trace_id=4 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=1936.">>> Packet entered FGT from ssl.root interface

2022-06-15 11:44:37 id=20085 trace_id=4 func=init_ip_session_common line=6042 msg="allocate a new session-0000cc95, tun_id=0.0.0.0">>session was allocated

2022-06-15 11:44:37 id=20085 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.0.1 via Site2Site">>route to destination was found via tunnel "Site2Site"

2022-06-15 11:44:37 id=20085 trace_id=4 func=fw_forward_handler line=879 msg="Allowed by Policy-8:" >> traffic was allowed via policy 8 on this device

2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Site2Site, tun_id=0.0.0.0"
2022-06-15 11:44:37 id=20085 trace_id=4 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Site2Site"
2022-06-15 11:44:37 id=20085 trace_id=4 func=esp_output4 line=840 msg="IPsec encrypt/auth"
2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsec_output_finish line=544 msg="send to external.ip.106.1 via intf-wan"
Then traffic was encrypted and sent out of wan interface on which VPN is formed.

Looking at this the packet left this FGT via tunnel "Site2Site" and policy ID 8.
Can you take the same capture on other side of FGT and share output.?
 
Thanks
A
Anonymous_User
Contributor
June 15, 2022

Hi there,

FGT1 IPSEC with FGT2.

SSLVPN connect to FGT2.
You want to access network on FGT1.

Here is the general idea:

On FGT2:

Income - SSLVPN

Outgoing - IPSEC Tunnel

Source - All

Destination - All

No NAT

ON FGT1 and FGT2.
On IPSEC phase2, please include SSLVPN ip range.
Looking at your summary, you are missing SSLVPN range on the Phase2.

pprior
ppriorAuthor
New Member
June 15, 2022

Hi, thanks for the help!

Even with the address groups including site2 lan and site vpn subnet, still doesnt work...

fg.JPG

A
Anonymous_User
Contributor
June 16, 2022

Please add the phase2 on both site. Make sure your static route using "to_FV_remote" Interface Site2Site. Im suspecting this issue related to routing now.

    EEHC
    EEHC
    Explorer III
    June 15, 2022

    I believe we have to check routing at the ends to ensure that the packets go through the tunnel. Also, we could check the log on FortiGate to confirm that the correct policies are matched. Normally, problems start at the routing and ends at the policy.

    Terms & ConditionsAccessibility statement