Description

This article describes how we can U-turn the traffic from the remote SSL-VPN client to IPSec Site-to-Site tunnel.

Scope

FortiGate all versions.

Solution

Users may face issues while accessing remote subnets across IPsec tunnels from its local SSLVPN users as source as shown in the below topology. 

The requirement is to send the traffic from SSL users to the remote subnet across the IPsec tunnel and vice-versa. It can be achieved through the below configurations

Configurations

If the split tunnel is enabled in SSL VPN, make sure the remote subnet is included in the remote subnet. If it is a full tunnel then no change is required in SSL-VPN portal settings.

Ensure the traffic is allowed in the traffic selectors in Phase 2 configuration of Site to Site tunnel.

The highlighted is the assigned IP range for SSL VPN.

Note:

There will also be a need to configure a phase-2 selector in the remote peer with the local address being 192.168.1.0/24 and the remote address will be the SSL VPN IP range/subnet: 10.212.134.192/28. Not configuring this will fail to establish the connection between the two subnets.

Ensure the Ipv4 policy is in place for U-turn of traffic. The traffic should be allowed between ssl.root interface and Site to Site tunnel interface.

Ensure NAT is disabled and the Route for the remote subnet is present. On the peer side ensure the route for the SSL-VPN subnet is configured.

The traffic will be able to U-turn the SSL traffic to the IPsec tunnel.