Description
This article describes how to allow SSL VPN users to access remote resources over an existing site-to-site IPsec VPN tunnel.
Scope
FortiGate.
Solution
Network Topology:
SSL VPN user connects to FortiGate A and needs access to resources behind FortiGate B.
FortiGate A Configuration:
Existing SSL VPN configuration:
- SSL VPN users IP pool: 10.100.100.1 - 10.100.100.14.
- If split tunneling is enabled, make sure the LAN B subnet (192.168.1.0/24) is included in the split-tunnel routing address list pushed to the SSL VPN clients; otherwise the client never sends that traffic into the SSL VPN tunnel in the first place.
- In this example, SSL VPN users also need to reach an internal DNS server on the remote side of the IPsec tunnel for internal name resolution. Because the DNS server sits in 192.168.1.0/24, it is covered by the same selectors and policies as the rest of LAN B. The DNS server IP can be set in the GUI (VPN -> SSL-VPN Settings, DNS Server) or in the CLI:
- In the CLI:
config vpn ssl settings
set dns-server1 192.168.1.x <- Address of remote DNS Server.
end
Existing IPsec VPN configuration:
- Virtual IPSec interface name: ipsec-vpn.
- Add the SSL VPN IP pool to the phase 2 selectors. The selectors must mirror those on FortiGate B, or no IPsec SA will be negotiated for this traffic.
Local : 10.100.100.0/28
Remote : 192.168.1.0/24
- Make sure there is a firewall policy that allows traffic from the SSL VPN interface to the IPsec tunnel interface.
Note: Leave NAT disabled on this policy. If NAT is enabled with 'Use Outgoing Interface Address', the client's source address is rewritten to the IPsec interface address, which no longer matches the 10.100.100.0/28 phase 2 selector, and the traffic is dropped.
Source Interface: ssl.root <--------- SSL VPN interface.
Source Address: SSL_VPN_address <--------- SSL VPN client IP pool (10.100.100.0/28).
Destination Interface: ipsec-vpn <--------- VPN interface.
Destination Address: FGT_B_Subnet <--------- 192.168.1.0/24.
(FortiGate B internal network 192.168.1.0/24)
Action: Accept
FortiGate B Configuration:
Existing IPsec VPN configuration:
- Virtual IPSec interface name: FortigateB-vpn.
- Add phase 2 traffic selector.
Local : 192.168.1.0/24
Remote : 10.100.100.0/28
- Make sure there is a firewall policy that allows traffic from the IPsec tunnel interface to the LAN.
Note: Leave NAT disabled on this policy as well, so the SSL VPN client address is preserved end to end.
Source Interface: FortigateB-vpn <--------- IPsec VPN interface.
Source Address: Remote-Subnet <--------- SSL VPN client IP pool (10.100.100.0/28).
Destination Interface: Port4(LAN) <--------- LAN interface.
Destination Address: LAN_Subnet <--------- 192.168.1.0/24.
(FortiGate B internal network 192.168.1.0/24)
Action: Accept
- Make sure there is a static route to 10.100.100.0/28 via FortigateB-vpn. Without it, inbound packets from the SSL VPN pool fail the reverse path forwarding check on the tunnel interface and are dropped even if the policy matches, and any replies from the LAN would follow the default route instead of the tunnel.
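The following FortiOS CLI script is an added worked example that puts both sides of the procedure above together; it is not configuration from the original article. The phase 2 entry names, the policy names, the user group "SSLVPN_Group", the IP pool name "SSLVPN_TUNNEL_ADDR1", the portal name "full-access", the LAN interface "port4" and the DNS server address 192.168.1.10 are assumptions for the example and should be replaced with the values in use.

```fortios
# ===== FortiGate A (SSL VPN hub) =====
# Address objects for the SSL VPN -> IPsec policy.
config firewall address
    edit "SSL_VPN_address"
        set subnet 10.100.100.0 255.255.255.240
    next
    edit "FGT_B_Subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# DNS server behind FortiGate B, pushed to SSL VPN clients.
# 192.168.1.10 is an assumed address for this example.
config vpn ssl settings
    set dns-server1 192.168.1.10
end
# With split tunneling, LAN B must be in the routing address list or the
# client never sends 192.168.1.0/24 into the SSL VPN. Portal name and
# pool name are assumed.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "FGT_B_Subnet"
    next
end
# Extra phase 2 selector for the SSL VPN pool; must mirror FortiGate B.
config vpn ipsec phase2-interface
    edit "ipsec-vpn-sslvpn"
        set phase1name "ipsec-vpn"
        set src-subnet 10.100.100.0 255.255.255.240
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# SSL VPN -> tunnel policy. NAT stays disabled so the client keeps its
# 10.100.100.x source and matches the selector above. A policy from
# ssl.root needs a user or group; "SSLVPN_Group" is assumed.
config firewall policy
    edit 0
        set name "SSLVPN-to-FGT-B"
        set srcintf "ssl.root"
        set dstintf "ipsec-vpn"
        set srcaddr "SSL_VPN_address"
        set dstaddr "FGT_B_Subnet"
        set groups "SSLVPN_Group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ===== FortiGate B (site behind the IPsec tunnel) =====
config firewall address
    edit "Remote-Subnet"
        set subnet 10.100.100.0 255.255.255.240
    next
    edit "LAN_Subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# Mirror image of FortiGate A's selector.
config vpn ipsec phase2-interface
    edit "FortigateB-vpn-sslvpn"
        set phase1name "FortigateB-vpn"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.100.100.0 255.255.255.240
    next
end
# Route the SSL VPN pool into the tunnel: satisfies the reverse path
# check on FortigateB-vpn and keeps replies off the default route.
config router static
    edit 0
        set dst 10.100.100.0 255.255.255.240
        set device "FortigateB-vpn"
    next
end
# Tunnel -> LAN policy, again without NAT. "port4" is assumed.
config firewall policy
    edit 0
        set name "FGT-A-SSLVPN-to-LAN"
        set srcintf "FortigateB-vpn"
        set dstintf "port4"
        set srcaddr "Remote-Subnet"
        set dstaddr "LAN_Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

To verify, connect an SSL VPN client and generate traffic to a LAN B host, then on FortiGate A run 'diagnose vpn tunnel list name ipsec-vpn' and confirm a selector pair for 10.100.100.0/28 <-> 192.168.1.0/24 has an SA installed. On FortiGate B, 'get router info routing-table all' should show 10.100.100.0/28 via FortigateB-vpn, and 'diagnose sniffer packet any "net 10.100.100.0/28" 4' should show packets arriving on FortigateB-vpn with the original client source address, confirming that NAT is not being applied on either side.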