Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
preetisingh
Staff
Staff

Created on ‎02-27-2017 03:46 AM Edited on ‎01-02-2025 07:50 AM By Moderator

Article Id 192179

Technical Tip: How to access remote resource over site to site IPsec tunnel for SSL VPN user

Description

 

This article describes how to allow SSL VPN users to access remote resources over an existing site-to-site IPsec VPN tunnel.
 
Scope
 
FortiGate.


Solution

 

Network Topology:
 
topology2.PNG

 

SSL VPN user connects to FortiGate A and needs access to resources behind FortiGate B.

 


FortiGate A Configuration:
Existing SSL VPN configuration:
 
  • SSL VPN users IP pool: 10.100.100.1 - 10.100.100.14.
  • If the split tunnel is enabled, make sure that the LAN B subnet (192.168.1.0/24) is in the access list.
  • In this example, SSL VPN users want to access an internal DNS server on the remote side of the IPSec tunnel for internal DNS resolution. DNS server IP can be added by CLI or by GUI as shown below:

  • In the CLI:

 

config vpn ssl settings 

    set dns-server1 192.168.1.x <- Address of remote DNS Server.

       end   

 

  • In the GUI:

 

kb.png
 
Existing IPsec VPN configuration:
  • Virtual IPSec interface name: ipsec-vpn.
  • Add SSL VPN IP range to phase 2 selectors.

Local : 10.1000.100.0/28

Remote : 192.168.1.0/24

phase2.PNG

 

  • Make sure there is a firewall policy to allow traffic from SSL VPN to the IPsec tunnel.

Note: Ensure SNAT is not set to 'Use Outgoing Interface Address'.

 

Source Interface: ssl.root           <---------  SSL VPN interface.
Source Address: SSL_VPN_address      <---------  SSL VPN client IP pool (10.100.100.0/28).
Destination Interface: ipsec-vpn     <---------  VPN interface.
Destination Address: FGT_B_Subnet    <--------- 192.168.1.0/24.

(FortiGate B internal network 192.168.1.0/24)

Action: Accept

 

policy0.PNG

 

FortiGate B Configuration:

Existing IPsec VPN configuration: 
  • Virtual IPSec interface name: FortigateB-vpn.
  • Add phase 2 traffic selector.

 

Local : 192.168.1.0/24
Remote : 10.100.100.0/28

 

phase2.PNG

 

• Make sure there is a firewall policy to allow traffic from the IPsec tunnel to the LAN.

  Note: Ensure SNAT is not set to 'Use Outgoing Interface Address'.

 

Source Interface:  FortigateB-vpn    <---------  SSL VPN interface.
Source Address: Remote-Subnet        <---------  SSL VPN client IP pool (10.100.100.0/28).
Destination Interface: Port4(LAN)    <---------  LAN interface.
Destination Address: LAN_Subnet      <---------  192.168.1.0/24.
(FortiGate B internal network 192.168.1.0/24)
Action: Accept
 
policy3.PNG

 

 • Make sure there is a static route to 10.100.100.0/28 via FortigateB-vpn.

 

route.PNG

 

Related articles:
6119
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.