piotrmor
New Member
February 17, 2015
Solved

User identity policy for remote VPN branch


Dear all,

I have a problem with the user identity policy for remote VPN branch users.

At the branch FortiGate (30D, version 5.0) I have a default route pointing to the VPN tunnel.

My HQ FortiGate is an 80C, v5.0, build0292 (GA Patch 9). All important policies are implemented on the HQ firewall.

After the HQ firewall upgrade to 5.0, the identity policy for the VPN subnet started to submit a URL containing the public (WAN) IP address of the HQ FortiGate, something like http://<public IP>:1000/fgtauth?cgi

I think this is because routing to the branch subnet goes via the WAN interface, and the HQ FortiGate considers the WAN address the closest to the user.

Can you help me?

Best regards,

Piotr M.

 

    Best answer by xsilver_FTNT

    xsilver_FTNT
    Staff
    February 17, 2015

    FGT is using the closest interface IP to issue the auth request. And from the description it does seem to me that your VPN interface is unnumbered. So the easiest way is to use a private IP range and number the tunnel interfaces with some IP/network. This way the requests should come back to the tunnel with the FGT tunnel interface IP as source.
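
    As an added worked example (not from this thread and not Fortinet's own documentation; the phase1 names "to-branch" and "to-hq", the 10.255.255.0/30 link range and the 192.168.20.0/24 branch LAN are assumptions), this is the FortiOS 5.0 CLI that numbers an interface-mode IPsec tunnel on both ends, routes the branch LAN over it, and then checks which source address the fgtauth redirect is issued from:

```fortios
# HQ FortiGate (80C). "to-branch" is the interface-mode phase1 name (assumed).
# Giving the tunnel interface an address is what lets the auth redirect be
# built from a private tunnel IP instead of the WAN address.
config system interface
    edit "to-branch"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2
        set allowaccess ping
    next
end
# Route the branch LAN (assumed 192.168.20.0/24) via the tunnel, not the WAN,
# so the lookup toward a branch user resolves to the numbered tunnel interface.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "to-branch"
    next
end

# Branch FortiGate (30D). Mirror image; the default route stays on the tunnel.
config system interface
    edit "to-hq"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1
        set allowaccess ping
    next
end
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to-hq"
    next
end

# Checks on the HQ unit:
# 1. the branch LAN route must point at "to-branch", not at the WAN interface
get router info routing-table all
# 2. the far tunnel endpoint answers over the tunnel
execute ping 10.255.255.2
# 3. watch the auth redirect: port 1000 is the port in the URL from the question;
#    the redirect should now be sourced from 10.255.255.1
diagnose sniffer packet any 'port 1000' 4 10
```

    The identity-based policy on the HQ unit should use the tunnel interface ("to-branch" here) as its source interface; if the redirect still carries the public address, the routing-table output above is the first place to look, because a route to the branch LAN via the WAN interface reproduces exactly the symptom in the question.
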

    rwpatterson
    New Member
    February 17, 2015

    The tunnels should be in interface mode, not policy mode. (I know they should be there already, but never assume...)

    xsilver_FTNT
    Staff
    February 18, 2015

    @piotrmor yes, it should be enough.

    @rwpatterson I do like interface mode over policy mode. I love the idea of using the tunnel IKE (phase1) as an interface and acting accordingly towards the tunnel. Really helpful for routing and policy clarity, also for routing through for SSO, auth, BGP and OSPF stuff and a lot more. Interface mode IPsec is just my personal preference.