Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
msander
Staff
Staff

Created on ‎10-02-2019 12:45 AM

Article Id 191889

Technical Tip: How to perform routing between SSLVPN Clients

Description
This article describes how to enable routing between SSLVPN clients. This would be required for Peer-to-Peer communication like Microsoft Skype Phone Calls.

Solution
1) Create a SSLVPN Address Range
#config firewall address
#edit "SSLVPN_TUNNEL_ADDR1"
#set type iprange
#set associated-interface "ssl.root"
#set start-ip 10.212.134.1
#set end-ip 10.212.134.254
#next
#end
2) Create a routeable 'Dummy' Subnet, which matches the SSLVPN Range
#config firewall address
#edit "SSLVPN-Subnet"
#set subnet 10.212.134.0 255.255.255.0
#next
#end
Optional: Enable Split-Tunneling on the SSLVPN Portal if required
#config vpn ssl web portal
#edit "full-access"
#set tunnel-mode enable
#set split-tunneling enable <<<<<
#set ip-pools "SSLVPN_TUNNEL_ADDR1"
#set dns-server1 1.2.3.4
#set dns-suffix domain.local
#next
#end
Note: If the 'split-tunneling-routing-address' is not specified, FortiGate will create the routes based on the authorized SSLVPN Policies.

4) Create a Firewall policy from SSL to SSL without NAT, which contains the Subnet as destination
#config firewall policy
#edit 1
#set srcintf "ssl.root"
#set dstintf "ssl.root"
#set srcaddr "SSLVPN_TUNNEL_ADDR1" <<<< Tunnel IP Range
#set dstaddr "SSLVPN-Subnet" <<<< Created Subnet Object
#set action accept
#set schedule "always"
#set service "ALL"
#set groups "Backup" <<<< Usergroup which is authorized to use this policy
#set nat disabled <<<< No NAT required
#next
#end

Result:

Client A has Tunnel IP 10.212.134.1
Client B has Tunnel IP 10.212.134.2

Ping from Client A to Client B works fine:

ping 10.212.134.2
PING 10.212.134.2 (10.212.134.2) 56(84) bytes of data.
64 bytes from 10.212.134.2: icmp_seq=1 ttl=127 time=25.1 ms
64 bytes from 10.212.134.2: icmp_seq=2 ttl=127 time=25.2 ms
64 bytes from 10.212.134.2: icmp_seq=3 ttl=127 time=25.9 ms
64 bytes from 10.212.134.2: icmp_seq=4 ttl=127 time=24.3 ms

Also the clients have received the correct routes:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.212.134.0    host-ftnt    255.255.255.0   UG    0      0        0 ppp0
192.168.249.0   host-ftnt    255.255.255.0   UG    0      0        0 ppp0
192.168.250.0   host-ftnt    255.255.255.0   UG    0      0        0 ppp0

Labels:
18047
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.