Created on 02-27-2017 03:46 AM Edited on 10-26-2022 12:23 AM By Jean-Philippe_P
Description
Solution
LAN B ----- Remote Firewall B ----- IPsec VPN tunnel ----- FortiGate A ----- LAN A
(192.168.1.0/24) (172.27.16.0.0/24)
FortiGate A (wan)------------------------SSL VPN user (ip range 10.100.100.1- 10.100.100.14)
- For the SSL VPN configuration, refer to the SSL VPN user guide.
- For the site-to-site IPsec VPN, refer to the IPsec VPN user guide.
- SSL VPN users are assigned addresses from the pool 10.100.100.1 - 10.100.100.14.
- If split tunnel is enabled, make sure that the LAN B subnet (192.168.1.0/24) is included in the split tunnel access list (routing address); otherwise client traffic for LAN B is not sent through the SSL VPN tunnel.
- If the SSL VPN user needs to reach the internal DNS server on the remote side of the IPsec tunnel for internal name resolution, add the DNS server IP. It can be added by CLI or by GUI as shown below:
- By CLI:
# config vpn ssl settings
    set dns-server1 192.168.1.x <- Address of the remote DNS server on LAN B
end
- By GUI:
FortiGate A Configuration:
- Virtual IPsec interface name: ipsec-vpn.
- Add an additional phase 2 traffic selector:
Local: 10.100.100.0/28 (SSL VPN user pool)
Remote: 192.168.1.0/24 (FortiGate B internal network)
Action: Accept
FortiGate B Configuration:
- Virtual IPsec interface name: FortigateB-vpn.
- Add an additional phase 2 traffic selector:
Local: 192.168.1.0/24 (FortiGate B internal network)
Remote: 10.100.100.0/28 (SSL VPN user pool on FortiGate A)
Firewall policy
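The two-firewall configuration above written out as FortiOS CLI, as an added example that is not part of the original article: the extra phase 2 selector on each side, plus the firewall policy that carries SSL VPN traffic from ssl.root into the tunnel on FortiGate A and from the tunnel to LAN B on FortiGate B. Selector, address-object, policy and user-group names and the "internal" interface on FortiGate B are assumptions; SSLVPN_TUNNEL_ADDR1 is the FortiOS default SSL VPN pool object.

```fortios
# FortiGate A: second traffic selector on the existing ipsec-vpn tunnel
config vpn ipsec phase2-interface
    edit "ipsec-vpn-sslpool"          <- selector name is assumed
        set phase1name "ipsec-vpn"
        set src-subnet 10.100.100.0 255.255.255.240
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# FortiGate A: policy ssl.root -> ipsec-vpn (NAT stays disabled, LAN B sees 10.100.100.x)
config firewall address
    edit "LAN_B"                      <- object name is assumed
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "ipsec-vpn"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"   <- default SSL VPN pool object
        set dstaddr "LAN_B"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"     <- user group name is assumed
    next
end
# FortiGate B: mirrored selector and a policy from the tunnel to LAN B
config vpn ipsec phase2-interface
    edit "FortigateB-vpn-sslpool"     <- selector name is assumed
        set phase1name "FortigateB-vpn"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.100.100.0 255.255.255.240
    next
end
config firewall address
    edit "SSLVPN_POOL_A"              <- object name is assumed
        set subnet 10.100.100.0 255.255.255.240
    next
end
config firewall policy
    edit 0
        set srcintf "FortigateB-vpn"
        set dstintf "internal"        <- LAN B interface name is assumed
        set srcaddr "SSLVPN_POOL_A"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Restricting srcaddr to the SSL VPN pool on both sides keeps the new selector from widening the tunnel beyond the 10.100.100.0/28 clients; the static route for 192.168.1.0/24 via ipsec-vpn is already present from the site-to-site setup.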