FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sripudaman
Staff
Staff
Article Id 206678
Description

This article describes how we can U-turn the traffic from the remote SSL-VPN client to IPSec Site-to-Site tunnel.

 

Scope

FortiGate all versions.

 

Solution

Users may face issues while accessing remote subnets across IPsec tunnels from its local SSLVPN users as source as shown in the below topology. 

 

Capture6.PNG

The requirement is to send the traffic from SSL users to the remote subnet across the IPsec tunnel and vice-versa. It can be achieved through the below configurations

 

Configurations

If the split tunnel is enabled in SSL VPN, make sure the remote subnet is included in the remote subnet. If it is a full tunnel then no change is required in SSL-VPN portal settings.

 

Capture3.PNG

Ensure the traffic is allowed in the traffic selectors in Phase 2 configuration of Site to Site tunnel.

 

Capture4.PNG

 

The highlighted is the assigned IP range for SSL VPN

Ensure the Ipv4 policy is in place for U-turn of traffic. The traffic should be allowed between ssl.root interface and Site to Site tunnel interface.

 

Capture5.PNG

 

Ensure NAT is disabled and Route for the remote subnet is present.

***On the peer side ensure the route for the SSL-VPN subnet is configured.

 

Now the traffic will be able to U-turn the SSL traffic to IPsec tunnel.

Contributors