achowdhury (Staff)
Article Id 194159

Description

This article describes how to pass SSL VPN traffic into a site-to-site IPsec tunnel.

SSL VPN users connect to Site A (FortiGate 800D). From Site A the traffic must be forwarded to Site B, so that the SSL VPN clients in the range 10.212.134.200-10.212.134.210 can reach resources at Site B.


Scope

FortiGate.

Solution

Make sure the route-based (interface-based) IPsec tunnel between Site A and Site B is up, and that the SSL VPN configuration on Site A is complete.

The following needs to be checked:

– The Phase 2 selector must also include the SSL VPN client IP range.
– Site A needs a firewall policy from the SSL VPN interface to the site-to-site tunnel interface, with the SSL VPN user group added to the policy.
– Site B (FG-61E) needs a static route with destination 10.212.134.0/24 and the IPsec tunnel as the interface.
– When split tunneling is enabled on the SSL VPN portal, the split-tunneling routing address must include the remote subnets; in this case 10.158.0.0/20 and 10.157.0.0/20.

Site A:

# FortiGate-800D # sh | grep -f  "to 61e"
config system interface
    edit "to 61e"
        set vdom "root"
        set type tunnel
        set snmp-index 39
        set interface "wan1"
    next
end

# config firewall address

    edit "to 61e_local_subnet_1"
        set uuid b9b283b8-d532-51e9-314c-c7661e2c9e36
        set allow-routing enable
        set subnet 10.158.0.0 255.255.240.0
    next
    edit "to 61e_remote_subnet_1"
        set uuid b9b8b8b4-d532-51e9-bc8f-32df7e22ba30
        set allow-routing enable
        set subnet 10.157.0.0 255.255.240.0
    next
end

# config firewall addrgrp

    edit "to 61e_local" <---
        set uuid b9b51bc8-d532-51e9-cc5f-b9faf7dfaa43
        set member "to 61e_local_subnet_1"
        set comment "VPN: to 61e (Created by VPN wizard)"
        set allow-routing enable
    next
    edit "to 61e_remote"
        set uuid b9c18b38-d532-51e9-79c9-6ba78adbb2e8
        set member "to 61e_remote_subnet_1"
        set comment "VPN: to 61e (Created by VPN wizard)"
        set allow-routing enable
    next
end

# config vpn ipsec phase1-interface

    edit "to 61e"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: to 61e (Created by VPN wizard)"
        set remote-gw 10.109.16.100
        set psksecret ENC OL2UlZGJ3r+V6uzD+/oh7VsshWLkkLlAKiXJR6oPp+INReHeqQG36AL0Xorpmp9fRPKLJtKQeqV2Kj3v5lUxnUFggWscD89OeUrATO5MelOGJ2nqUjZn7MioIeSIDlqEJqAqF6ODLbCQFj1T8gMbGkq7W+aFH48xPURNNEC0/CBinu/CVgHn0yHHjo4mc1t/Y55nUA==
    next
end

# config vpn ipsec phase2-interface

    edit "to 61e"
        set phase1name "to 61e"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to 61e (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "to 61e_local"
        set dst-name "to 61e_remote"
    next
    edit "sslvpn"
        set phase1name "to 61e"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type range
        set src-start-ip 10.212.134.200
        set src-end-ip 10.212.134.210
        set dst-subnet 10.157.0.0 255.255.240.0
    next
end

# config firewall policy

    edit 1
        set name "vpn_to 61e_local"
        set uuid b9e67c7c-d532-51e9-02dd-fccb10afea99
        set srcintf "port3"
        set dstintf "to 61e"
        set srcaddr "to 61e_local"
        set dstaddr "to 61e_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to 61e (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_to 61e_remote"
        set uuid b9f49762-d532-51e9-2f3a-7edff7398b2a
        set srcintf "to 61e"
        set dstintf "port3"
        set srcaddr "to 61e_remote"
        set dstaddr "to 61e_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to 61e (Created by VPN wizard)"
    next
end

Site A SSL VPN:

# config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "vpn-user"
            set portal "full-access"
        next
    end
end

# FortiGate-800D (full-access) # sh

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "split-address-group"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

# FortiGate-800D # sh | grep -f ssl.root

config system interface
    edit "ssl.root" <---
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 38
    next
end

# config firewall address

    edit "SSLVPN_TUNNEL_ADDR1"
        set uuid b081e972-d39e-51e9-df60-16150c54a450
        set type iprange
        set associated-interface "ssl.root" <---
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

# config firewall policy

    edit 6
        set name "SSLVPN policy for local on site A"
        set uuid fc90c842-d637-51e9-98da-e33c9bc37789
        set srcintf "ssl.root" <---
        set dstintf "port3"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "to 61e_local_subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn-user"
        set nat enable
    next
    edit 7
        set name "sslvpn to ipsec remote"
        set uuid 6e2f0524-e031-51e9-ed98-dda27c498892
        set srcintf "ssl.root" <---
        set dstintf "to 61e"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "to 61e_remote_subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "vpn-user"
    next
end

Site B:

# FGT61E-1 # sh | grep -f "to vm"
config system interface
    edit "to vm"
        set vdom "root"
        set type tunnel
        set snmp-index 8
        set interface "wan1"
    next
end

# config firewall address

    edit "to vm_local_subnet_1"
        set uuid b434b510-d531-51e9-e64d-81e4f2839f24
        set allow-routing enable
        set subnet 10.157.0.0 255.255.240.0
    next
    edit "to vm_remote_subnet_1"
        set uuid b43daec2-d531-51e9-a4a8-7f58bce03b09
        set allow-routing enable
        set subnet 10.158.0.0 255.255.240.0
    next
end

# config firewall addrgrp

    edit "to vm_local"
        set uuid b43935c2-d531-51e9-706f-90bda627c7c1
        set member "to vm_local_subnet_1"
        set comment "VPN: to vm (Created by VPN wizard)"
        set allow-routing enable
    next
    edit "to vm_remote"
        set uuid b4424a4a-d531-51e9-36dc-2355088d05e9
        set member "to vm_remote_subnet_1"
        set comment "VPN: to vm (Created by VPN wizard)"
        set allow-routing enable
    next
end

# config vpn ipsec phase1-interface

    edit "to vm"
        set interface "wan1"
        set peertype any
        set comments "VPN: to vm (Created by VPN wizard)"
        set remote-gw 10.109.16.186
        set psksecret ENC BxNnt0fpNJOdcawaFSmD7VnF1ZtF79ORvwnPsKEOgmtM/W283hBISFoqn01q4LSitVLC6dskWA18rg8qJkUw5QcwW4Lwitb5Ppc+E7ysBsbB+ry196wv76copIuI+uFNqN4YwismXrysPD5fV28QTO2je+M+6pxfSPyisqdUkCBTK7ksjmM1Nh3WpWy1Fi7IahxiZg==
    next
end

# config vpn ipsec phase2-interface

    edit "to vm"
        set phase1name "to vm"
        set comments "VPN: to vm (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "to vm_local"
        set dst-name "to vm_remote"
    next
    edit "sslvpn"
        set phase1name "to vm"
        set dst-addr-type range
        set src-subnet 10.157.0.0 255.255.240.0
        set dst-start-ip 10.212.134.200
        set dst-end-ip 10.212.134.210
    next
end

# config firewall policy

    edit 2
        set name "vpn_to vm_local"
        set uuid b45a0b12-d531-51e9-0f24-80fdb07c6e6f
        set srcintf "internal1"
        set dstintf "to vm"
        set srcaddr "to vm_local"
        set dstaddr "to vm_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to vm (Created by VPN wizard)"
    next
    edit 3
        set name "vpn_to vm_remote"
        set uuid b46381a6-d531-51e9-7f9e-8d9239bfaaa3
        set srcintf "to vm"
        set dstintf "internal1"
        set srcaddr "to vm_remote" "for clinet dialup" "sslvpn"
        set dstaddr "to vm_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to vm (Created by VPN wizard)"
    next
end

# config router static

    edit 2
        set device "to vm"
        set comment "VPN: to vm (Created by VPN wizard)"
        set dstaddr "to vm_remote"
    next
    edit 3
        set distance 254
        set comment "VPN: to vm (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "to vm_remote"
    next
    edit 5
        set dst 10.212.134.0 255.255.255.0
        set device "to vm"
    next
end

Results:

FortiGate-800D # diagnose sniffer packet any "icmp" 4 0 a
interfaces=[any]
filters=[icmp]
2019-09-26 08:49:39.503285 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:39.503304 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:39.503564 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:39.503575 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:40.503692 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:40.503696 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:40.503844 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:40.503849 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:41.504724 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:41.504729 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:41.504878 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:41.504883 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:42.513061 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:42.513064 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:42.513188 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:42.513192 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:43.512630 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:43.512633 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:43.512751 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:43.512754 ssl.root out 10.157.0.100 -> 10.212.134.200: icmp: echo reply
2019-09-26 08:49:44.513802 ssl.root in 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:44.513805 to 61e out 10.212.134.200 -> 10.157.0.100: icmp: echo request
2019-09-26 08:49:44.513931 to 61e in 10.157.0.100 -> 10.212.134.200: icmp: echo reply

SUMMARY OF STEPS:

Make sure the following is configured for this to work. The topology below is used for reference:

User1 ==== SSL-VPN ==== FortiGate1 ==== IPsec VPN ==== FortiGate2 ==== PC or host User1 is trying to access

Configuration on FortiGate1

1. In the SSL VPN portal, make sure the FortiGate2 subnets are included in the split-tunneling routing address.

2. In the IPsec VPN, make sure the SSL VPN client addresses are the source addresses in Phase 2.

3. In the firewall policy, create an SSL VPN to IPsec VPN policy (and the reverse policy if needed). Make sure the SSL VPN client address range is allowed in the firewall policies, with no NAT; otherwise the debug flow may report a "no matching ipsec connector" error.

Configuration on FortiGate2

4. In the IPsec VPN, make sure there is a Phase 2 matching FortiGate1, with the SSL VPN client addresses as the destination.

5. Create a static route for the SSL VPN client address range subnet.

6. Make sure the SSL VPN client address range is allowed in the firewall policies (internal to VPN as well as VPN to internal, depending on requirements).
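The checklist in the Solution section and the summary above can be verified mechanically before troubleshooting with debug flow. The script below is an added example (not Fortinet's code and not from the article): it parses FortiOS `show` output with a minimal `config/edit/set/next/end` parser and applies the checks (Phase 2 selector covering the SSL VPN pool, no NAT on the ssl.root-to-tunnel policy, static route for the pool on the far end) to constructed snippets modelled on the Site A and Site B configuration above; the `parse_fortios`, `selector_covers` and `audit` names and the `ssl.root` interface name are this example's own assumptions.

```python
import ipaddress, shlex

def parse_fortios(text):
    stack = [{}]                                   # nested dicts: section -> edit -> key -> values
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1], {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]            # values keep FortiOS list form
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]
def in_subnet(ip_mask, pool):                      # ip_mask like ["10.212.134.0", "255.255.255.0"]
    net = ipaddress.ip_network("/".join(ip_mask), strict=False)
    return pool[0] in net and pool[1] in net
def selector_covers(entry, side, pool):
    """True if the phase2 'src' or 'dst' selector of entry contains the whole pool (lo, hi)."""
    kind = entry.get(f"{side}-addr-type", ["subnet"])[0]
    if kind == "range":
        lo, hi = (ipaddress.ip_address(entry[f"{side}-{k}-ip"][0]) for k in ("start", "end"))
        return lo <= pool[0] and pool[1] <= hi
    if kind == "subnet":                           # an unset subnet selector means 0.0.0.0/0
        return in_subnet(entry.get(f"{side}-subnet", ["0.0.0.0", "0.0.0.0"]), pool)
    return False                                   # 'name' selectors would need address-object lookup
def audit(cfg, tunnel, pool, role):
    side = "src" if role == "hub" else "dst"       # 'hub' terminates the SSL VPN (site A); 'remote' is site B
    found, p2 = [], cfg.get("vpn ipsec phase2-interface", {}).values()
    if not any(e.get("phase1name") == [tunnel] and selector_covers(e, side, pool) for e in p2):
        found.append(f"no phase2 selector on {tunnel} with the SSL VPN pool as {side}")
    if role == "hub":                              # NAT here breaks the selector match at the far end
        for pid, pol in cfg.get("firewall policy", {}).items():
            if pol.get("srcintf") == ["ssl.root"] and pol.get("dstintf") == [tunnel] and pol.get("nat") == ["enable"]:
                found.append(f"policy {pid} NATs SSL VPN traffic into {tunnel}")
    elif not any(r.get("device") == [tunnel] and "dst" in r and in_subnet(r["dst"], pool)
                 for r in cfg.get("router static", {}).values()):
        found.append(f"no static route for the SSL VPN pool via {tunnel}")
    return found

# Constructed snippets modelled on the article's site A / site B output (not taken from real devices).
SITE_A = ("config vpn ipsec phase2-interface\nedit sslvpn\nset phase1name 'to 61e'\nset src-addr-type range\n"
          "set src-start-ip 10.212.134.200\nset src-end-ip 10.212.134.210\nnext\nend\nconfig firewall policy\n"
          "edit 7\nset srcintf ssl.root\nset dstintf 'to 61e'\nset nat enable\nnext\nend\n")
SITE_B = ("config vpn ipsec phase2-interface\nedit sslvpn\nset phase1name 'to vm'\nset dst-addr-type range\n"
          "set dst-start-ip 10.212.134.200\nset dst-end-ip 10.212.134.210\nnext\nend\nconfig router static\n"
          "edit 5\nset dst 10.212.134.0 255.255.255.0\nset device 'to vm'\nnext\nend\n")
POOL = (ipaddress.ip_address("10.212.134.200"), ipaddress.ip_address("10.212.134.210"))
FINDINGS_A = audit(parse_fortios(SITE_A), "to 61e", POOL, "hub")      # flags policy 7's NAT
FINDINGS_B = audit(parse_fortios(SITE_B), "to vm", POOL, "remote")    # []
```

Feed it the `show` output of each device with the prompt lines stripped; every string returned by `audit` names a checklist item that is still missing.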