Description
Scope
Solution
config firewall policy
edit 0
set srcintf "Ipsec1"
set dstintf "port1"
set srcaddr "remote_10.10.1.0/24"
set dstaddr "local_192.168.1.0/24"
set action accept
set schedule "always"
set service "ALL"
next
edit 0
set srcintf "port1"
set dstintf "Ipsec1"
set srcaddr "local_192.168.1.0/24"
set dstaddr "remote_10.10.1.0/24"
set action accept
set schedule "always"
set service "ALL"
next
end
- Static route pointing to the remote LAN 10.10.1.0/24:
config router static
edit 0
set device Ipsec1
set dst 10.10.1.0 255.255.255.0
next
end
To check if the routes are learnt:
get router info routing-table database
For SSL VPN users to access the remote LAN through the IPsec tunnel, the following policies are needed:
For web mode:
config firewall policy
edit 0
set srcintf "wan1"
set dstintf "Ipsec1"
set srcaddr "all"
set dstaddr "remote_10.10.1.0/24"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
For tunnel mode:
config firewall policy
edit 0
set srcintf "ssl.root"
set dstintf "Ipsec1"
set srcaddr "SSLVPN_TUNNEL"
set dstaddr "remote_10.10.1.0/24"
set action accept
set schedule "always"
set service "ALL"
next
end
In v5.2, the SSL VPN users or user groups must be selected in this policy.
On FGT2:
config firewall policy
edit 0
set srcintf "Ipsec2"
set dstintf "port2"
set srcaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
set dstaddr "local_10.10.1.0/24"
set action accept
set schedule "always"
set service "ALL"
next
edit 0
set srcintf "port2"
set dstintf "Ipsec2"
set srcaddr "local_10.10.1.0/24"
set dstaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
set action accept
set schedule "always"
set service "ALL"
next
end
Static routes:
config router static
edit 0
set dst 192.168.1.0 255.255.255.0
set device "Ipsec2"
next
edit 0
set dst 192.168.8.0 255.255.255.0
set device "Ipsec2"
next
end
Best practices:
If more than one portal is configured with tunnel access, each portal must have a unique IP range for its clients (it must not overlap with the internal or remote network subnets). All of these IP pools must be selected in the SSL VPN settings.
For v5.2.x:
For v5.0.x:
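As an added example (not part of the Fortinet article), the following Python script parses the FGT2 static route block shown above and checks the two conditions this design relies on: every SSL VPN tunnel IP pool has a return route over the IPsec interface, and no pool overlaps the local or remote LANs or another pool. The pool 192.168.8.0/24 is taken from the second FGT2 static route; the function names are assumptions.

```python
"""Consistency check for the SSL VPN over IPsec design (added example)."""
import ipaddress
import re

# Constructed sample: the FGT2 static routes exactly as given in the article.
FGT2_STATIC_ROUTES = """
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "Ipsec2"
    next
    edit 0
        set dst 192.168.8.0 255.255.255.0
        set device "Ipsec2"
    next
end
"""


def parse_static_routes(text):
    """Return {destination network: device} from a FortiOS 'config router static' block."""
    routes = {}
    dst = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'set dst (\S+) (\S+)', line)
        if m:
            # ipaddress accepts "network/dotted-netmask" directly
            dst = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r'set device "?([^"]+)"?', line)
        if m and dst is not None:
            routes[dst] = m.group(1)
            dst = None
    return routes


def check_design(routes, tunnel_device, pools, lans):
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    pool_nets = [ipaddress.ip_network(p) for p in pools]
    lan_nets = [ipaddress.ip_network(l) for l in lans]
    for pool in pool_nets:
        # (1) the remote FortiGate needs a route back to the pool over the IPsec interface
        if routes.get(pool) != tunnel_device:
            problems.append(f"no route for {pool} via {tunnel_device}")
        # (2) a pool must not overlap a LAN subnet or any other portal's pool
        for other in lan_nets + [n for n in pool_nets if n != pool]:
            if pool.overlaps(other):
                problems.append(f"{pool} overlaps {other}")
    return problems
```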
Basic troubleshooting:
diagnose sniffer packet any "host x.x.x.x and icmp" 4 0 a
or
diagnose sniffer packet any "host x.x.x.x and icmp" 6 0 a
(verbose level 6 output can be converted into a pcap file and opened in Wireshark)
Press Ctrl+C to stop the sniffer. The host is either the IP of the SSL VPN client or the host on the remote network.
Testing with debug flow:
proto 1 = ICMP
proto 6 = TCP
proto 17 = UDP
# diag debug reset
# diag debug flow filter clear
# diag debug flow filter addr x.x.x.x
# diag debug flow filter proto 1
# diag debug flow show function-name enable
# diag debug console timestamp enable
# diag debug enable
# diag debug flow trace start 1000
(now start pinging)
# diag deb flow trace stop
# diag deb disable
# diag deb reset
Copyright 2025 Fortinet, Inc. All Rights Reserved.