Description
This article explains how to reach resources behind an IPsec site-to-site tunnel from the SSL VPN web portal (web mode).
Network topology:
SSL VPN web mode client <-> FortiGate1 <- IPsec tunnel -> FortiGate2 <-> Internal LAN.
Scope
FortiGate.
Solution
Configure IPSec Site-to-Site VPN on FortiGate1.
Configure the SSL VPN web portal.
Configure a local user under User & Device. In this example, 'ssl-user' is configured.
Configure the SSL VPN settings.
Configure the firewall policy from the SSL VPN interface to the IPsec tunnel.
IPSec VPN configuration on FortiGate2.
IP address configuration on the IPSec interface.
After adding the SSL VPN subnet as a remote address in the phase 2 selector, add a static route on FortiGate2: the destination is the remote subnet and the interface is the IPsec tunnel created earlier.
The SSL VPN subnet must be part of the IPsec phase 2 selectors on both sides and of the SSL VPN-to-IPsec firewall policy on FortiGate1. On FortiGate2, configure the firewall policy from the IPsec tunnel to the LAN.
In its source, add the SSL VPN subnet along with the remote subnet.
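The CLI equivalent of the steps above, as an added example that is not part of the original article. It uses the values the article shows (10.40.9.0/24 behind FortiGate2, tunnel IP 20.20.20.20 on FortiGate1's interface 'ipsec', peer 10.5.22.168, web server 10.40.9.78) and assumed values for everything else: FortiGate1 LAN 192.168.1.0/24, SSL VPN pool 10.212.134.0/24, FortiGate2's tunnel named 'to-fgt1' with its LAN on port2, and the object and policy names chosen here. Phase 1 on both sides, the web portal with the 'https' bookmark and the local user 'ssl-user' are assumed to be configured already as in the steps above.

```fortios
# ===== FortiGate1 (SSL VPN gateway, IPsec endpoint) =====
# Phase 1 "ipsec", the web portal with the 'https' bookmark and the local
# user ssl-user are assumed to exist already (steps above). Subnets other
# than 10.40.9.0/24 and 20.20.20.20 are assumed values.
config firewall address
    edit "fgt2-lan"
        set subnet 10.40.9.0 255.255.255.0
    next
    edit "fgt1-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "sslvpn-subnet"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "fgt1-ipsec-ip"
        set subnet 20.20.20.20 255.255.255.255
    next
end
config firewall addrgrp
    edit "fgt1-local-nets"
        set member "fgt1-lan" "sslvpn-subnet" "fgt1-ipsec-ip"
    next
end
# Web-mode traffic leaves FortiGate1 sourced from the tunnel IP 20.20.20.20,
# so the selector must cover it as well as the SSL VPN subnet.
config vpn ipsec phase2-interface
    edit "ipsec-p2"
        set phase1name "ipsec"
        set src-addr-type name
        set src-name "fgt1-local-nets"
        set dst-addr-type name
        set dst-name "fgt2-lan"
    next
end
config system interface
    edit "ipsec"
        set ip 20.20.20.20 255.255.255.255
        set remote-ip 20.20.20.21 255.255.255.255
    next
end
config router static
    edit 0
        set dstaddr "fgt2-lan"
        set device "ipsec"
    next
end
# The 'users' field is the only per-user control on this path: FortiGate2
# and the web server only ever see 20.20.20.20 as the source.
config firewall policy
    edit 0
        set name "sslvpn-to-ipsec"
        set srcintf "ssl.root"
        set dstintf "ipsec"
        set srcaddr "all"
        set dstaddr "fgt2-lan"
        set users "ssl-user"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end

# ===== FortiGate2 (LAN side, tunnel "to-fgt1" back to FortiGate1) =====
# The same four address objects are defined here with the same names.
config firewall addrgrp
    edit "fgt1-remote-nets"
        set member "fgt1-lan" "sslvpn-subnet" "fgt1-ipsec-ip"
    next
end
config vpn ipsec phase2-interface
    edit "to-fgt1-p2"
        set phase1name "to-fgt1"
        set src-addr-type name
        set src-name "fgt2-lan"
        set dst-addr-type name
        set dst-name "fgt1-remote-nets"
    next
end
# Return traffic to 20.20.20.20 and to the SSL VPN subnet must route into
# the tunnel; otherwise replies follow the default route and the session fails.
config router static
    edit 0
        set dstaddr "fgt1-remote-nets"
        set device "to-fgt1"
    next
end
config firewall policy
    edit 0
        set name "ipsec-to-lan"
        set srcintf "to-fgt1"
        set dstintf "port2"
        set srcaddr "fgt1-remote-nets"
        set dstaddr "fgt2-lan"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
```

After applying it, 'diagnose vpn tunnel list' on either side shows the negotiated selectors, so a missing 20.20.20.20/32 or SSL VPN subnet entry is visible before any user tests the bookmark, and 'get router info routing-table all' on FortiGate2 confirms that those destinations point at the tunnel interface.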
'ssl-user' now logs in to the SSL VPN web portal and opens the 'https' bookmark, which points to http://10.40.9.78 (the web server). The packet flow can be followed in the debug output below, captured on FortiGate1:
diagnose debug reset
diagnose debug disable
diagnose debug flow filter addr 10.40.9.78
diagnose debug flow filter dport 80
diagnose debug flow trace start 400
diagnose debug enable
In the trace the source address is 20.20.20.20, the IP address configured on FortiGate1's IPsec interface, and the packet is marked as received 'from local': in web mode the FortiGate terminates the user's session and opens the connection to the web server itself, so the user's own address never enters the tunnel. If no IP address is configured on the IPsec interface, the FortiGate uses the IP address of the underlying (management) interface instead. Whichever address is used must be covered by the phase 2 quick mode selectors on both sides; otherwise the flow trace ends with 'No matching IPsec selector, drop'. It also means FortiGate2 and the web server cannot distinguish SSL VPN users, so any per-user restriction has to be enforced in FortiGate1's SSL VPN-to-IPsec policy.
id=20085 trace_id=897 func=print_pkt_detail line=5430 msg="vd-root:0 received a packet(proto=6, 20.20.20.20:19759->10.40.9.78:80) from local. flag [S], seq 1114552580, ack 0, win 65535"
id=20085 trace_id=897 func=init_ip_session_common line=5595 msg="allocate a new session-000f4075"
id=20085 trace_id=897 func=ipsecdev_hard_start_xmit line=759 msg="enter IPsec interface-ipsec"
id=20085 trace_id=897 func=esp_output4 line=904 msg="IPsec encrypt/auth"
id=20085 trace_id=897 func=ipsec_output_finish line=622 msg="send to 10.5.22.168 via intf-port1"
To disable debugs:
diagnose debug disable
diagnose debug reset
Note:
Starting from v7.6.0, agentless SSL VPN (SSL VPN web mode support) has been discontinued for FortiGate models with 2GB of RAM.