Description
Scope
Solution
This article explains how to allow traffic initiated by a SSL VPN user to a remote network via IPsec.
Scope
All FortiGates.
Solution
For SSL VPN users to be able to access the internal LAN on FGT1 these policies are mandatory :
5.0.x
5.2.x
"SSLVPN_TUNNEL" = 192.168.8.0/24
The Ipsec1 and 2 are Route-based IPsec tunnels because for this scenario the Route-based creates a virtual interface which can be selected in the policies and added to the static routes.
On FGT1
- Existing policies for IPsec to access internal networks:
- Static route pointing to the remote lan 10.10.1.0/24:
To check if the routes are learnt:
For SSL VPN users to access remote LAN through IPsec these policies are needed:
1. For web mode:
2. For tunnel mode:
In 5.2 users/group of users must be selected in this policy.
On FGT2
- Existing policies for IPsec to access internal networks with adjustments for SSL VPN access:
- Static routes:
Best practices
1. If more than one portal is configured with tunnel access, each portal must have unique IP range for clients (it should not overlap with internal or remote network subnets). All these IP pools must be selected in SSL settings.
5.2.x
5.0.x
2. basic troubleshooting:
Testing ping from SSL VPN client to a remote host with sniffer:
(converted into pcap file in wireshark)
Ctrl+C to stop the sniffer
where the host is either the IP of the SSL VPN client or the host on the remote network.
Testing with debug flow:
proto 1 = ICMP
proto 6 = TCP
proto 17 = UDP
5.0.x
config firewall policy
edit 0
set srcintf "wan1"
set dstintf "port1"
set srcaddr "all"
set dstaddr "local_192.168.1.0/24"
set action ssl-vpn
set identity-based enable
config identity-based-policy
edit 1
set schedule "always"
set groups "Guest-group"
set service "ALL"
set sslvpn-portal "full-access"
next
end
next
edit 0
set srcintf "ssl.root"
set dstintf "port1"
set srcaddr "SSLVPN_TUNNEL"
set dstaddr "local_192.168.1.0/24"
set action accept
set schedule "always"
set service "ALL"
next
5.2.x
edit 0
set srcintf "ssl.root"
set dstintf "port1"
set srcaddr "SSLVPN_TUNNEL"
set dstaddr "local_192.168.1.0/24"
set action accept
set schedule "always"
set groups "Guest-group"
set service "ALL"
next
"SSLVPN_TUNNEL" = 192.168.8.0/24
The Ipsec1 and 2 are Route-based IPsec tunnels because for this scenario the Route-based creates a virtual interface which can be selected in the policies and added to the static routes.
On FGT1
- Existing policies for IPsec to access internal networks:
config firewall policy
edit 0
set srcintf "Ipsec1"
set dstintf "port1"
set srcaddr "remote_10.10.1.0/24"
set dstaddr "local_192.168.1.0/24"
set action accept
set schedule "always"
set service "ALL"
edit 0
set srcintf "port1"
set dstintf "Ipsec1"
set srcaddr "local_192.168.1.0/24"
set dstaddr "remote_10.10.1.0/24"
set action accept
set schedule "always"
set service "ALL"
- Static route pointing to the remote lan 10.10.1.0/24:
config router static
edit 0
set device Ipsec1
set dst 10.10.1.0 255.255.255.0
next
end
To check if the routes are learnt:
# get router info routing-table database
For SSL VPN users to access remote LAN through IPsec these policies are needed:
1. For web mode:
config firewall policy
edit 0
set srcintf "wan1"
set dstintf "Ipsec1"
set srcaddr "all"
set dstaddr "remote_10.10.1.0/24"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
2. For tunnel mode:
edit 0
set srcintf "ssl.root"
set dstintf "Ipsec1"
set srcaddr "SSLVPN_TUNNEL"
set dstaddr "remote_10.10.1.0/24"
set action accept
set schedule "always"
set service "ALL"
In 5.2 users/group of users must be selected in this policy.
On FGT2
- Existing policies for IPsec to access internal networks with adjustments for SSL VPN access:
config firewall policy
edit 0
set srcintf "Ipsec2"
set dstintf "port2"
set srcaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
set dstaddr "local_10.10.1.0/24"
set action accept
set schedule "always"
set service "ALL"
edit 0
set srcintf "port2"
set dstintf "Ipsec2"
set srcaddr "local_10.10.1.0/24"
set dstaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
set action accept
set schedule "always"
set service "ALL"
- Static routes:
config router static
edit 0
set dst 192.168.1.0 255.255.255.0
set device "Ipsec2"
next
edit 0
set dst 192.168.8.0 255.255.255.0
set device "Ipsec2"
next
end
Best practices
1. If more than one portal is configured with tunnel access, each portal must have unique IP range for clients (it should not overlap with internal or remote network subnets). All these IP pools must be selected in SSL settings.
5.2.x
5.0.x
2. basic troubleshooting:
Testing ping from SSL VPN client to a remote host with sniffer:
# diagnose sniffer packet any "host x.x.x.x and icmp" 4 0 aor
# diagnose sniffer packet any "host x.x.x.x and icmp" 6 0 a
(converted into pcap file in wireshark)
Ctrl+C to stop the sniffer
where the host is either the IP of the SSL VPN client or the host on the remote network.
Testing with debug flow:
proto 1 = ICMP
proto 6 = TCP
proto 17 = UDP
# diag debug reset
# diag debug flow filter clear
# diag debug flow filter addr x.x.x.x
# diag debug flow filter proto 1
# diag debug flow show console enable
# diag debug flow show function-name enable
# diag debug console timestamp enable
# diag debug enable
# diag debug flow trace start 1000
(now start pinging)
# diag deb flow trace stop
# diag deb disable
# diag deb reset
