This article describes how we can U-turn the traffic from the remote SSL-VPN client to IPSec Site-to-Site tunnel.
FortiGate all versions.
Users may face issues accessing remote subnets across an IPsec tunnel when the source is a local SSL VPN user, as shown in the topology below.
The requirement is to send traffic from SSL VPN users to the remote subnet across the IPsec tunnel, and vice versa. This can be achieved with the configuration below.
Configurations
If split tunneling is enabled in the SSL VPN portal, make sure the remote subnet is included in the split tunnel routing addresses. If it is a full tunnel, no change is required in the SSL-VPN portal settings.
Ensure the traffic is allowed by the traffic selectors in the Phase 2 configuration of the site-to-site tunnel.
The highlighted range is the IP range assigned to SSL VPN clients.
Ensure an IPv4 policy is in place for the U-turn traffic. Traffic should be allowed between the ssl.root interface and the site-to-site tunnel interface.
Ensure NAT is disabled in that policy and a route for the remote subnet is present.
On the peer side, ensure a route for the SSL VPN subnet is configured.
The SSL VPN traffic will now U-turn into the IPsec tunnel.
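The steps above, put together as an added FortiOS CLI example (not from the original article). All names and addresses are assumptions: SSL VPN pool object SSLVPN_TUNNEL_ADDR1 (10.212.134.0/24), an existing address object SiteB_LAN (192.168.20.0/24), IPsec tunnel interface "to_siteB", portal "full-access" and user group "sslvpn_users".

```fortios
# Constructed example. Assumed: SSL VPN pool object SSLVPN_TUNNEL_ADDR1
# (10.212.134.0/24), address object SiteB_LAN (192.168.20.0/24),
# IPsec interface "to_siteB", portal "full-access", group "sslvpn_users".

# Split tunnel: the remote LAN must be in the routing addresses,
# otherwise the client never sends that traffic into the SSL VPN tunnel.
config vpn ssl web portal
    edit "full-access"
        set split-tunneling enable
        set split-tunneling-routing-address "SiteB_LAN"
    next
end

# Phase 2 selector covering SSL pool -> remote LAN (added beside any
# existing selectors; the peer must mirror it).
config vpn ipsec phase2-interface
    edit "to_siteB_ssl"
        set phase1name "to_siteB"
        set src-addr-type subnet
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# U-turn policy ssl.root -> tunnel. NAT stays disabled so the peer sees the
# SSL pool addresses. The return policy is the mirror image
# (srcintf "to_siteB", dstintf "ssl.root", addresses swapped, no groups).
config firewall policy
    edit 0
        set name "SSL_to_SiteB"
        set srcintf "ssl.root"
        set dstintf "to_siteB"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SiteB_LAN"
        set groups "sslvpn_users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Route for the remote LAN via the tunnel interface. On the peer, add the
# equivalent route for 10.212.134.0/24 pointing at its side of the tunnel.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "to_siteB"
    next
end
```

To confirm packets actually leave via the tunnel with their SSL pool source address intact, run `diagnose sniffer packet to_siteB 'net 192.168.20.0/24' 4` while a connected SSL VPN client generates traffic.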
Copyright 2024 Fortinet, Inc. All Rights Reserved.