FortiGate
achowdhury
Staff
Article Id 194159

Description


This article describes how to pass the SSL VPN traffic to the IPsec site-to-site tunnel.


The SSL VPN users connect to Site A (a FortiGate 800D). Site A must forward their traffic across the IPsec tunnel to Site B so that the SSL VPN clients (10.212.134.200-10.212.134.210) can reach the resources at Site B.

 

Scope

 

FortiGate.


Solution

 

Make sure the route-based/interface-based IPsec tunnel between site A and site B is set up, as well as the SSL VPN configuration made on site A.

The following needs to be checked:

  • The Phase-2 selector must also include the SSL VPN clients' IP range.
  • On Site A, a firewall policy must exist from the SSL VPN interface to the site-to-site tunnel, with the SSL VPN user group added.
  • Site B (FG-61E) needs a static route whose destination is 10.212.134.0/24 and whose interface is the IPsec tunnel.
  • When split tunneling is enabled on the dial-up (SSL VPN) portal, its routing address must include the remote subnets; in this case 10.158.0.0/20 and 10.157.0.0/20.

Site A:

# FortiGate-800D # sh | grep -f  "to 61e"
config system interface
    edit "to 61e"                                            
        set vdom "root"
        set type tunnel
        set snmp-index 39
        set interface "wan1"
    next
end

# config firewall address

    edit "to 61e_local_subnet_1"                             
        set uuid b9b283b8-d532-51e9-314c-c7661e2c9e36
        set allow-routing enable
        set subnet 10.158.0.0 255.255.240.0
    next
    edit "to 61e_remote_subnet_1"                            
        set uuid b9b8b8b4-d532-51e9-bc8f-32df7e22ba30
        set allow-routing enable
        set subnet 10.157.0.0 255.255.240.0
    next
end

# config firewall addrgrp

    edit "to 61e_local" <---
        set uuid b9b51bc8-d532-51e9-cc5f-b9faf7dfaa43
        set member "to 61e_local_subnet_1"
        set comment "VPN: to 61e (Created by VPN wizard)"
        set allow-routing enable
    next
    edit "to 61e_remote"
        set uuid b9c18b38-d532-51e9-79c9-6ba78adbb2e8
        set member "to 61e_remote_subnet_1"
        set comment "VPN: to 61e (Created by VPN wizard)"
        set allow-routing enable
    next
end

# config vpn ipsec phase1-interface

    edit "to 61e"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: to 61e (Created by VPN wizard)"
        set remote-gw 10.109.16.100
        set psksecret ENC OL2UlZGJ3r+V6uzD+/oh7VsshWLkkLlAKiXJR6oPp+INReHeqQG36AL0Xorpmp9fRPKLJtKQeqV2Kj3v5lUxnUFggWscD89OeUrATO5MelOGJ2nqUjZn7MioIeSIDlqEJqAqF6ODLbCQFj1T8gMbGkq7W+aFH48xPURNNEC0/CBinu/CVgHn0yHHjo4mc1t/Y55nUA==
    next
end

# config vpn ipsec phase2-interface

    edit "to 61e"
        set phase1name "to 61e"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to 61e (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "to 61e_local"
        set dst-name "to 61e_remote"
    next
    edit "sslvpn"
        set phase1name "to 61e"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type range
        set src-start-ip 10.212.134.200
        set src-end-ip 10.212.134.210
        set dst-subnet 10.157.0.0 255.255.240.0
    next
end

# config firewall policy

    edit 1
        set name "vpn_to 61e_local"
        set uuid b9e67c7c-d532-51e9-02dd-fccb10afea99
        set srcintf "port3"
        set dstintf "to 61e"
        set srcaddr "to 61e_local"
        set dstaddr "to 61e_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to 61e (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_to 61e_remote"
        set uuid b9f49762-d532-51e9-2f3a-7edff7398b2a
        set srcintf "to 61e"
        set dstintf "port3"
        set srcaddr "to 61e_remote"
        set dstaddr "to 61e_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to 61e (Created by VPN wizard)"
    next
end

Site A sslvpn:

# config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "vpn-user"
            set portal "full-access"
        next
    end
end

# FortiGate-800D (full-access) # sh

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "split-address-group"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

# FortiGate-800D # sh | grep -f ssl.root

config system interface
    edit "ssl.root" <---
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 38
    next
end

# config firewall address

    edit "SSLVPN_TUNNEL_ADDR1"
        set uuid b081e972-d39e-51e9-df60-16150c54a450
        set type iprange
        set associated-interface "ssl.root" <---
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

# config firewall policy

    edit 6
        set name "SSLVPN policy for local on site A"
        set uuid fc90c842-d637-51e9-98da-e33c9bc37789
        set srcintf "ssl.root" <---
        set dstintf "port3"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "to 61e_local_subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn-user"
        set nat enable
    next
    edit 7
        set name "sslvpn to ipsec remote"
        set uuid 6e2f0524-e031-51e9-ed98-dda27c498892
        set srcintf "ssl.root" <---
        set dstintf "to 61e"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "to 61e_remote_subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "vpn-user"
    next
end

 

Site B:


# FGT61E-1 # sh | grep -f "to vm"
config system interface
    edit "to vm"
        set vdom "root"
        set type tunnel
        set snmp-index 8
        set interface "wan1"
    next
end

# config firewall address

    edit "to vm_local_subnet_1"
        set uuid b434b510-d531-51e9-e64d-81e4f2839f24
        set allow-routing enable
        set subnet 10.157.0.0 255.255.240.0
    next
    edit "to vm_remote_subnet_1"
        set uuid b43daec2-d531-51e9-a4a8-7f58bce03b09
        set allow-routing enable
        set subnet 10.158.0.0 255.255.240.0
    next
end

# config firewall addrgrp

    edit "to vm_local"
        set uuid b43935c2-d531-51e9-706f-90bda627c7c1
        set member "to vm_local_subnet_1"
        set comment "VPN: to vm (Created by VPN wizard)"
        set allow-routing enable
    next
    edit "to vm_remote"
        set uuid b4424a4a-d531-51e9-36dc-2355088d05e9
        set member "to vm_remote_subnet_1"
        set comment "VPN: to vm (Created by VPN wizard)"
        set allow-routing enable
    next
end

# config vpn ipsec phase1-interface

    edit "to vm"
        set interface "wan1"
        set peertype any
        set comments "VPN: to vm (Created by VPN wizard)"
        set remote-gw 10.109.16.186
        set psksecret ENC BxNnt0fpNJOdcawaFSmD7VnF1ZtF79ORvwnPsKEOgmtM/W283hBISFoqn01q4LSitVLC6dskWA18rg8qJkUw5QcwW4Lwitb5Ppc+E7ysBsbB+ry196wv76copIuI+uFNqN4YwismXrysPD5fV28QTO2je+M+6pxfSPyisqdUkCBTK7ksjmM1Nh3WpWy1Fi7IahxiZg==
    next
end

# config vpn ipsec phase2-interface

    edit "to vm"
        set phase1name "to vm"
        set comments "VPN: to vm (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "to vm_local"
        set dst-name "to vm_remote"
    next
    edit "sslvpn"
        set phase1name "to vm"
        set dst-addr-type range
        set src-subnet 10.157.0.0 255.255.240.0
        set dst-start-ip 10.212.134.200
        set dst-end-ip 10.212.134.210
    next
end

# config firewall policy

    edit 2
        set name "vpn_to vm_local"
        set uuid b45a0b12-d531-51e9-0f24-80fdb07c6e6f
        set srcintf "internal1"
        set dstintf "to vm"
        set srcaddr "to vm_local"
        set dstaddr "to vm_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to vm (Created by VPN wizard)"
    next
    edit 3
        set name "vpn_to vm_remote"
        set uuid b46381a6-d531-51e9-7f9e-8d9239bfaaa3
        set srcintf "to vm"
        set dstintf "internal1"
        set srcaddr "to vm_remote" "for clinet dialup" "sslvpn"
        set dstaddr "to vm_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to vm (Created by VPN wizard)"
    next
end

# config router static

    edit 2
        set device "to vm"
        set comment "VPN: to vm (Created by VPN wizard)"
        set dstaddr "to vm_remote"
    next
    edit 3
        set distance 254
        set comment "VPN: to vm (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "to vm_remote"
    next
    edit 5
        set dst 10.212.134.0 255.255.255.0
        set device "to vm"
    next
end

 

Results:

 

FortiGate-800D # diagnose sniffer packet any "icmp" 4 0 a
interfaces=[any]
filters=[icmp]
2019-09-26 08:49:39.503285 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:39.503304 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:39.503564 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:39.503575 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:40.503692 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:40.503696 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:40.503844 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:40.503849 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:41.504724 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:41.504729 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:41.504878 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:41.504883 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:42.513061 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:42.513064 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:42.513188 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:42.513192 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:43.512630 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:43.512633 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:43.512751 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:43.512754 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:44.513802 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:44.513805 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:44.513931 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
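The capture above shows each echo request entering on ssl.root and leaving on the tunnel interface, with the reply taking the reverse path. The following Python script is an added example, not part of the Fortinet article: it parses lines in that sniffer format and pairs each entry with its exit, so a request that arrives on ssl.root without a matching exit on the tunnel (the symptom of a missing route, policy or phase2 selector) is counted as stuck. The sample capture and the function and interface names are constructed for the example; the sample deliberately contains a third request that is never forwarded.

```python
import re

# Constructed sample in the format of 'diagnose sniffer packet any "icmp" 4 0 a'
# output (not the capture from the article): two complete echo cycles plus a
# third request that enters ssl.root but never leaves through the tunnel.
SAMPLE_SNIFFER = """\
2019-09-26 08:49:39.503285 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:39.503304 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:39.503564 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:39.503575 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:40.503692 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:40.503696 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:40.503844 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:40.503849 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:41.504724 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
"""

# Interface names may contain spaces ("to 61e"), so the interface field is
# matched lazily up to the " in " / " out " direction token.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<iface>.+?) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): icmp: echo (?P<kind>request|reply)$"
)

def parse_sniffer(text):
    """Yield one dict per line that looks like an ICMP echo sniffer record."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def audit_icmp_path(text, client_if, tunnel_if):
    """Pair each echo request entering client_if with an exit on tunnel_if,
    and each echo reply entering tunnel_if with an exit on client_if.

    Returns counts; a non-zero 'stuck' value means packets were seen arriving
    on one side of the FortiGate but never leaving on the other, which points
    at a missing route, policy or phase2 selector.
    """
    pending_req = pending_rep = 0
    fwd_req = fwd_rep = 0
    for rec in parse_sniffer(text):
        where = (rec["iface"], rec["dir"], rec["kind"])
        if where == (client_if, "in", "request"):
            pending_req += 1
        elif where == (tunnel_if, "out", "request") and pending_req:
            pending_req -= 1
            fwd_req += 1
        elif where == (tunnel_if, "in", "reply"):
            pending_rep += 1
        elif where == (client_if, "out", "reply") and pending_rep:
            pending_rep -= 1
            fwd_rep += 1
    return {
        "requests_forwarded": fwd_req, "requests_stuck": pending_req,
        "replies_forwarded": fwd_rep, "replies_stuck": pending_rep,
    }

if __name__ == "__main__":
    print(audit_icmp_path(SAMPLE_SNIFFER, "ssl.root", "to 61e"))
```

Pairing is done by order rather than by ICMP id, because the sniffer's verbosity level 4 does not print ids; that is enough to spot the pattern "seen on ssl.root in, never seen on the tunnel out" that a broken selector or policy produces.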

SUMMARY OF STEPS:

 

The following must be configured for this to work. The topology below is used for reference.

 

User1 ==== SSL-VPN ==== FortiGate1 ==== IPsec VPN ==== FortiGate2 ==== PC or Host User1 is trying to access

 

Configuration on FortiGate1:

 

  1. In the SSL VPN portal, add the FortiGate2 subnets that must be reached, and the FortiGate1 internal subnet if needed, to the split-tunneling routing address.
  2. In the IPsec VPN phase2 selector, use the SSL VPN client addresses as the source addresses.
  3. In Firewall Policy, create an SSL VPN to IPsec VPN policy (and the reverse direction if needed). Allow the SSL VPN client address range and the SSL VPN user group in these policies, and do not enable NAT (otherwise a debug flow may report a "no matching ipsec connector" error).

Configuration on FortiGate2:

 

  1. In the IPsec VPN phase2 selector, match FortiGate1 with the SSL VPN client addresses as the destination.
  2. Create a static route for the SSL VPN client address range subnet via the IPsec tunnel interface.
  3. Allow the SSL VPN client address range in the firewall policies (internal to VPN as well as VPN to internal, depending on requirements).
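The checklists for FortiGate1 and FortiGate2 above (and the one under Solution) can be verified mechanically against a "show" dump from each device. The Python script below is an added example and not Fortinet code: it parses FortiOS CLI output with a small stack-based parser and checks that the hub's phase2 selector has the SSL VPN pool as its source, that a policy from the SSL VPN interface to the tunnel accepts the traffic with a user group and without NAT, and that the remote side has the matching phase2 selector and a static route for the pool via the tunnel. The sample configs, the pool and all function names are constructed after the article's objects; a second copy of the hub config with NAT enabled demonstrates the failure that step 3 warns about.

```python
import ipaddress
import shlex

def parse_fortios(text):
    """FortiOS CLI text -> {section: {entry: {key: [values]}}}; '#' prompt lines are skipped."""
    tree, sections, entry = {}, [], None          # sections: stack of open 'config' names
    for raw in text.splitlines():
        tok = shlex.split(raw)                     # keeps quoted names such as "to 61e" whole
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":
            sections.append(" ".join(tok[1:]))
            tree.setdefault(sections[-1], {})
        elif tok[0] == "edit":
            entry = tok[1]
            tree[sections[-1]].setdefault(entry, {})
        elif tok[0] == "set":                      # entry is None in sections without 'edit'
            tree[sections[-1]].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            sections.pop()
    return tree

def _covers(e, lo, hi, pool):
    """True if the iprange lo..hi of entry e contains the whole SSL VPN pool."""
    return ipaddress.ip_address(e[lo][0]) <= pool[0] <= pool[1] <= ipaddress.ip_address(e[hi][0])

def check_site_a(cfg, tunnel, pool, ssl_if="ssl.root"):
    """Hub-side checklist; returns a list of findings (empty list = OK)."""
    f, p2 = [], cfg.get("vpn ipsec phase2-interface", {}).values()
    if not any(e.get("phase1name") == [tunnel] and e.get("src-addr-type") == ["range"]
               and _covers(e, "src-start-ip", "src-end-ip", pool) for e in p2):
        f.append(f"no phase2 selector on {tunnel} with the SSL VPN pool as source")
    pols = [(n, e) for n, e in cfg.get("firewall policy", {}).items() if e.get("action") == ["accept"]
            and ssl_if in e.get("srcintf", []) and tunnel in e.get("dstintf", [])]
    if not pols:
        f.append(f"no accept policy from {ssl_if} to {tunnel}")
    for n, e in pols:
        if e.get("nat") == ["enable"]:
            f.append(f"policy {n}: NAT enabled, so the source no longer matches the phase2 selector")
        if not e.get("groups"):
            f.append(f"policy {n}: no SSL VPN user group")
    return f

def check_site_b(cfg, tunnel, pool):
    """Remote-side checklist for the pool configured on site A."""
    f, p2 = [], cfg.get("vpn ipsec phase2-interface", {}).values()
    if not any(e.get("phase1name") == [tunnel] and e.get("dst-addr-type") == ["range"]
               and _covers(e, "dst-start-ip", "dst-end-ip", pool) for e in p2):
        f.append(f"no phase2 selector on {tunnel} with the SSL VPN pool as destination")
    routes = [ipaddress.ip_network("/".join(r["dst"]), strict=False)            # 'set dst A MASK'
              for r in cfg.get("router static", {}).values()
              if r.get("device") == [tunnel] and len(r.get("dst", [])) == 2]
    if not any(pool[0] in net and pool[1] in net for net in routes):
        f.append(f"no static route for the SSL VPN pool via {tunnel}")
    return f

# Constructed inputs modelled on the article's objects (not dumps from real devices).
POOL = (ipaddress.ip_address("10.212.134.200"), ipaddress.ip_address("10.212.134.210"))
SITE_A = """\
config vpn ipsec phase2-interface
    edit "sslvpn"
        set phase1name "to 61e"
        set src-addr-type range
        set src-start-ip 10.212.134.200
        set src-end-ip 10.212.134.210
    next
end
config firewall policy
    edit 7
        set srcintf "ssl.root"
        set dstintf "to 61e"
        set action accept
        set groups "vpn-user"
    next
end
"""
SITE_B = """\
config vpn ipsec phase2-interface
    edit "sslvpn"
        set phase1name "to vm"
        set dst-addr-type range
        set dst-start-ip 10.212.134.200
        set dst-end-ip 10.212.134.210
    next
end
config router static
    edit 5
        set dst 10.212.134.0 255.255.255.0
        set device "to vm"
    next
end
"""
# The mistake step 3 warns about: NAT on the SSL VPN -> IPsec policy.
SITE_A_NAT = SITE_A.replace('set groups "vpn-user"', 'set groups "vpn-user"\n        set nat enable')
```

Feed it the output of "show" from each FortiGate (the parser ignores the prompt lines) and call check_site_a with the hub's tunnel name and check_site_b with the remote's; an empty list from both means the four checklist items are satisfied. The parser keys a nested "config" block only by its own name, which is enough for the sections these checks read.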