andrewd73
New Member
April 13, 2023
Question

VPN


Hi, I have a problem. I have configured a Fortigate with an IPsec tunnel to a Cisco firewall and everything is working. Now my requirement is as follows: connect via SSL VPN through Forticlient VPN to Fortigate and browse both the LAN connected to Fortigate (192.168.1.0/24) and the remote VPN connected to Cisco (192.168.44.0/24). I am able to connect correctly through the VPN client to Fortigate and browse the 192.168.1.0/24 LAN, but I cannot access the Cisco LAN (192.168.44.0/24) on the IPsec tunnel. What firewall policies should I set on the Fortigate?

4 replies

AEK
SuperUser
April 13, 2023

Hello

Allow this:

   - Source: SSL-VPN
   - Destination: IPsec / 192.168.44.0/24

Configure your SSL-VPN to push route 192.168.44.0/24 to your VPN client

AEK
Toshi_Esumi
SuperUser
April 13, 2023

Before that we need to know if the SSL VPN is "split-tunnel" or not split-tunnel. If split-tunnel, yes, you need to have the Cisco LAN subnet in the split network list.

But basically you need to take care of three things in addition to the split-tunnel:
1) phase2 network selector(s) on the IPsec to allow traffic between SSL VPN client IPs and the Cisco LAN subnet, unless you use the default 0/0<->0/0 phase2.
2) routing both toward the Cisco LAN and back from the Cisco toward the SSL VPN client IPs.
3) at least one policy ssl.root->IPsec interface, and IPsec->ssl.root in case the Cisco LAN side needs to reach out to those SSL VPN clients.

Toshi
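The three items above (phase2 selector, routing, ssl.root policy) together with the split-tunnel route, as an added FortiOS CLI example that is not from this thread or from Fortinet's documentation. The IPsec interface name "to_cisco", the address object names, the user group "sslvpn_grp" and the default client pool "SSLVPN_TUNNEL_ADDR1" (10.212.134.200-210) are assumptions; substitute your own.

```fortios
# Added example, not from the thread. Assumed names: IPsec interface "to_cisco",
# SSL VPN user group "sslvpn_grp", default pool SSLVPN_TUNNEL_ADDR1 (10.212.134.200-210).
config firewall address
    edit "Cisco_LAN"
        set subnet 192.168.44.0 255.255.255.0
    next
    edit "Local_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# Split tunnel: push both LANs to FortiClient so 192.168.44.0/24 is sent into the SSL VPN
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Local_LAN" "Cisco_LAN"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
# Phase2 selector client pool <-> Cisco LAN (not needed if you already run 0/0<->0/0);
# the Cisco side must mirror this selector and route the pool subnet back into the tunnel
config vpn ipsec phase2-interface
    edit "to_cisco_sslvpn"
        set phase1name "to_cisco"
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-subnet 192.168.44.0 255.255.255.0
    next
end
# Policy ssl.root -> IPsec interface; add the reverse (to_cisco -> ssl.root) only if
# hosts on the Cisco LAN must initiate connections to the SSL VPN clients
config firewall policy
    edit 0
        set name "SSLVPN_to_Cisco"
        set srcintf "ssl.root"
        set dstintf "to_cisco"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Cisco_LAN"
        set groups "sslvpn_grp"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A static route for 192.168.44.0/24 via to_cisco should already exist since the LAN-to-LAN traffic works; confirm it with `get router info routing-table all` before testing from the client.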

rtichkule
Staff
April 14, 2023

Hello Andrew,

You need to add both the SSL VPN IP address pool and the LAN subnet (192.168.1.0/24) of the FortiGate as source in the firewall policy, and the remote subnet (192.168.44.0/24) as destination.

You can refer to the document below for the configuration of SSL VPN with the IPsec VPN.

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/45836/ssl-vpn-to-ipsec-vpn

BR

andrewd73 (Author)
New Member
April 14, 2023

I have modified the configuration like this, but I cannot ping 192.168.44.0/24.

[Two screenshots attached: Schermata 2023-04-14 alle 18.15.17.png, Schermata 2023-04-14 alle 18.17.51.png]

Christian_89
Contributor III
April 15, 2023

Hello

Is the FortiClient network present in the IPsec tunnel?

If yes, have you created a routing object for the Cisco network in the config for SSL VPN?

If yes, have you created a FW policy to allow FortiClient traffic to communicate with the Cisco network?

Toshi_Esumi
SuperUser
April 14, 2023

Show us the result of "route print" for Windows or "route -nr" for Mac while the client is connected.
Also show us "tracert 192.168.44.X" (Windows) or "traceroute 192.168.44.X" (Mac); X needs to be replaced with a real IP.

Toshi