FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mbanica
Staff
Article Id 191542

Description

 

This article explains how to allow traffic initiated by an SSL VPN user on FGT1 to reach a remote network behind FGT2 through a route-based IPsec tunnel (SSL VPN client -> FGT1 -> IPsec -> FGT2 -> remote LAN).
(Topology diagram: FD37024-1.jpg)


Scope

 

FortiGate.


Solution

 

For SSL VPN users to be able to access the internal LAN on FGT1, these policies are mandatory. In v5.0 the first policy (action ssl-vpn) decides which user groups may log in and which portal they receive; the second allows traffic from the tunnel-mode client addresses to the LAN:

For v5.0:

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "local_192.168.1.0/24"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "Guest-group"
                set service "ALL"
                set sslvpn-portal "full-access"
            next
        end
    next
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 
For v5.2 (the user group is set directly in the accept policy; there is no separate ssl-vpn action):

config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set groups "Guest-group"
        set service "ALL"
    next
end

"SSLVPN_TUNNEL" is the firewall address object for the tunnel-mode client IP pool, 192.168.8.0/24 in this example.

Ipsec1 (on FGT1) and Ipsec2 (on FGT2) are route-based IPsec tunnels: a route-based tunnel creates a virtual interface that can be referenced in firewall policies and used as the device of static routes, which this scenario relies on. If the phase2 selectors are not set to 'all', the SSL VPN client pool ("SSLVPN_TUNNEL" = 192.168.8.0/24) must be added to the phase2 local address on FGT1 and to the phase2 remote address on FGT2; otherwise packets from the client pool do not match the security association and are not encrypted into the tunnel.

On FGT1:
  • Existing policies for IPsec to access internal networks:

config firewall policy
    edit 0
        set srcintf "Ipsec1"
        set dstintf "port1"
        set srcaddr "remote_10.10.1.0/24"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "port1"
        set dstintf "Ipsec1"
        set srcaddr "local_192.168.1.0/24"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 

  • Static route pointing to the remote LAN 10.10.1.0/24:


config router static
    edit 0
        set device Ipsec1
        set dst 10.10.1.0 255.255.255.0
    next
end

 

To check that the route is present (this view also lists inactive routes; use 'get router info routing-table all' to see only the routes in use):

get router info routing-table database


For SSL VPN users to access remote LAN through IPsec these policies are needed:

For web mode (the FortiGate proxies the connection on the user's behalf, so the policy is matched on wan1 and NAT is enabled):

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "Ipsec1"
        set srcaddr "all"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Note that with srcaddr "all" this policy also accepts any other traffic arriving on wan1 for 10.10.1.0/24, not only SSL VPN web-mode sessions; restrict the source where the design allows it.

For tunnel mode:

config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "Ipsec1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

In v5.2 the user group (for example 'set groups "Guest-group"') must be set in this policy as well, exactly as in the ssl.root to port1 policy above.

On FGT2:

  • Existing policies for IPsec to access internal networks, with the SSL VPN client pool added as source and destination (the address object "SSLVPN_TUNNEL" = 192.168.8.0/24 must also be created on FGT2):

config firewall policy
    edit 0
        set srcintf "Ipsec2"
        set dstintf "port2"
        set srcaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
        set dstaddr "local_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "port2"
        set dstintf "Ipsec2"
        set srcaddr "local_10.10.1.0/24"
        set dstaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 

Static routes:

config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "Ipsec2"
    next
    edit 0
        set dst 192.168.8.0 255.255.255.0
        set device "Ipsec2"
    next
end

 

Best practices:
If more than one portal is configured with tunnel access, each portal must have its own client IP range, and no range may overlap with another portal's range or with any internal or remote subnet (an overlap makes the static routes on FGT2 and the policies on both sides ambiguous). Every such IP pool must also be selected under SSL Settings, otherwise clients of that portal receive no address.

For v5.2.x:

(Screenshot FD37024-2.jpg: SSL VPN Settings, IP Pools, v5.2.x)


For v5.0.x:

(Screenshot FD37024-3.jpg: SSL VPN Settings, IP Pools, v5.0.x)
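The two address-related requirements in this article, the phase2 selectors having to enclose the SSL VPN client pool (see the note on route-based tunnels above) and the portal IP pools having to be unique, non-overlapping and all selected in SSL Settings, are easy to get wrong by hand. The following script is an added example, not Fortinet code, that checks both from plain subnet strings. The subnets are the ones used in this article; the second portal pool ("partner-access"), the selected-pools list and the phase2 selectors are assumed values for illustration.

```python
"""Design sanity checks for the SSL VPN over IPsec setup in this article.

Added example (not Fortinet code). Subnets come from the article:
FGT1 LAN 192.168.1.0/24, FGT2 LAN 10.10.1.0/24, SSL VPN pool 192.168.8.0/24.
The second portal pool and the phase2 selectors are assumed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Sequence, Tuple

FGT1_LAN = "192.168.1.0/24"       # local_192.168.1.0/24 on FGT1
FGT2_LAN = "10.10.1.0/24"         # local_10.10.1.0/24 on FGT2
SSLVPN_TUNNEL = "192.168.8.0/24"  # tunnel-mode client pool on FGT1

# Assumed: a second tunnel-mode portal with its own, non-overlapping pool.
PORTAL_POOLS = {"full-access": SSLVPN_TUNNEL, "partner-access": "192.168.9.0/24"}

Selector = Tuple[str, str]  # (local subnet, remote subnet); "0.0.0.0/0" is FortiOS 'all'


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def pool_conflicts(pools: Dict[str, str], protected: Iterable[str]) -> List[str]:
    """Report pools that overlap each other or any internal/remote subnet."""
    problems: List[str] = []
    names = list(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if _net(pools[a]).overlaps(_net(pools[b])):
                problems.append(f"pools {a} ({pools[a]}) and {b} ({pools[b]}) overlap")
    for name, cidr in pools.items():
        for lan in protected:
            if _net(cidr).overlaps(_net(lan)):
                problems.append(f"pool {name} ({cidr}) overlaps protected subnet {lan}")
    return problems


def pools_not_in_settings(pools: Dict[str, str], settings_pools: Iterable[str]) -> List[str]:
    """Portal pools that were not selected under SSL Settings (they all must be)."""
    return sorted(set(pools) - set(settings_pools))


def selector_covers(selectors: Sequence[Selector], local: str, remote: str) -> bool:
    """True if at least one phase2 selector encloses the local->remote pair."""
    loc, rem = _net(local), _net(remote)
    return any(loc.subnet_of(_net(sl)) and rem.subnet_of(_net(sr)) for sl, sr in selectors)


def check_design(portal_pools=PORTAL_POOLS,
                 settings_pools=("full-access",),       # assumed: only one pool selected
                 fgt1_phase2=((FGT1_LAN, FGT2_LAN),),   # assumed: LAN-to-LAN selector only
                 fgt2_phase2=((FGT2_LAN, FGT1_LAN),)):
    """Run all checks; returns a dict so callers (or tests) can inspect each result."""
    return {
        "pool_problems": pool_conflicts(portal_pools, [FGT1_LAN, FGT2_LAN]),
        "pools_not_in_settings": pools_not_in_settings(portal_pools, settings_pools),
        # FGT1 must encrypt pool -> remote LAN; FGT2 must accept remote LAN -> pool.
        "fgt1_selector_ok": selector_covers(fgt1_phase2, SSLVPN_TUNNEL, FGT2_LAN),
        "fgt2_selector_ok": selector_covers(fgt2_phase2, FGT2_LAN, SSLVPN_TUNNEL),
    }


if __name__ == "__main__":
    for key, value in check_design().items():
        print(f"{key}: {value}")
```

With the assumed defaults the script flags "partner-access" as missing from SSL Settings and reports both phase2 selectors as not covering the client pool, which is exactly the case where the article says "SSLVPN_TUNNEL" must be added to the selectors (or the selectors set to 'all').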


 Basic troubleshooting:

  • Testing ping from the SSL VPN client to a remote host with the sniffer:

diagnose sniffer packet any "host x.x.x.x and icmp" 4 0 a
diagnose sniffer packet any "host x.x.x.x and icmp" 6 0 a

Verbosity 4 prints the packet headers together with the interface name, which is enough to see whether the ICMP packet enters on ssl.root and leaves on Ipsec1. Verbosity 6 also prints the packet payload; that output can be converted into a pcap file with Fortinet's fgt2eth script and opened in Wireshark. The remaining arguments are the packet count (0 = unlimited) and the timestamp format (a = absolute UTC time).

Press Ctrl+C to stop the sniffer. x.x.x.x is either the IP of the SSL VPN client or the host on the remote network.

Testing with debug flow:

proto 1 = ICMP
proto 6 = TCP
proto 17 = UDP


diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 1000

(now start pinging)

diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
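The debug flow trace above prints several lines per packet, and with a trace of 1000 packets the interesting ones (which interface the packet entered, which route it matched, and whether a policy allowed or denied it) are easy to miss. The following parser is an added example, not Fortinet code; it groups the output by trace_id and summarises each packet. The sample lines are constructed to approximate the FortiOS 5.x debug flow format for the three outcomes that matter in this scenario: allowed by the ssl.root to Ipsec1 policy, denied because no policy matched, and dropped by the reverse path check because a client-pool address arrived on the wrong interface. Policy IDs, session IDs and source line numbers in the sample are made up.

```python
"""Summarise 'diagnose debug flow' output per trace_id.

Added example (not Fortinet code). The sample lines are constructed to
approximate the FortiOS 5.x debug flow format; policy IDs, session IDs and
line numbers are made up.
"""
import re
from collections import OrderedDict
from typing import Dict, List

SAMPLE_DEBUG_FLOW = """
id=20085 trace_id=1 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.8.1:1->10.10.1.10:8) from ssl.root. code=8, type=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=4622 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: gw-0.0.0.0 via Ipsec1"
id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-7:"
id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.8.1:1->10.10.1.20:8) from ssl.root. code=8, type=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=4622 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: gw-0.0.0.0 via Ipsec1"
id=20085 trace_id=2 func=fw_forward_handler line=620 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.8.1:1->10.10.1.10:8) from wan1. code=8, type=0, id=1, seq=3."
id=20085 trace_id=3 func=ip_route_input_slow line=1270 msg="reverse path check fail, drop"
""".strip().splitlines()

# One debug flow record: trace_id, emitting function, and the quoted message.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
# "received a packet(proto=1, A:p->B:p) from IFACE." (interface names may contain dots)
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<iface>[\w.-]+)\.(?:\s|$)')
ROUTE_RE = re.compile(r'find a route: gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')


def parse_flow(lines) -> List[Dict]:
    """Group debug flow lines by trace_id and extract ingress, route and verdict."""
    traces: "OrderedDict[str, Dict]" = OrderedDict()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a debug flow record (prompt, banner, blank line)
        t = traces.setdefault(m["tid"], {
            "trace_id": int(m["tid"]), "proto": None, "src": None, "dst": None,
            "in_iface": None, "route_via": None, "verdict": "no decision logged",
        })
        msg = m["msg"]
        pm = PKT_RE.search(msg)
        if pm:
            t.update(proto=int(pm["proto"]), src=pm["src"], dst=pm["dst"], in_iface=pm["iface"])
        rm = ROUTE_RE.search(msg)
        if rm:
            t["route_via"] = rm["iface"]
        if msg.startswith("Allowed by Policy-"):
            t["verdict"] = msg.rstrip(":")
        elif msg.startswith("Denied by") or msg.endswith("drop"):
            t["verdict"] = msg
    return list(traces.values())


def summarize(lines) -> List[str]:
    """One line per trace: ingress interface, egress route, and why it passed or failed."""
    return [
        f"trace {t['trace_id']}: {t['src']} -> {t['dst']} in {t['in_iface']}, "
        f"route via {t['route_via'] or 'none'}: {t['verdict']}"
        for t in parse_flow(lines)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG_FLOW):
        print(line)
```

Paste the console output of the trace into a file and pass its lines to summarize(). A "Denied by forward policy check" with route via Ipsec1 points at a missing ssl.root to Ipsec1 policy (or a missing user group in it on v5.2); a route via a different interface points at the static route; a reverse path check failure on a packet with a client-pool source means the packet did not arrive on ssl.root.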