FortiGate
msander
Staff
Article Id 191889
Description
This article describes how to enable routing between SSLVPN clients connected to the same FortiGate. This is required for peer-to-peer communication between clients, such as Microsoft Skype phone calls.

Solution
1) Create an SSLVPN address range
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set associated-interface "ssl.root"
        set start-ip 10.212.134.1
        set end-ip 10.212.134.254
    next
end
2) Create a routable 'dummy' subnet object that matches the SSLVPN range
config firewall address
    edit "SSLVPN-Subnet"
        set subnet 10.212.134.0 255.255.255.0
    next
end
3) Optional: enable split tunneling on the SSLVPN portal if required
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable          <<<< enables split tunneling
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set dns-server1 1.2.3.4
        set dns-suffix domain.local
    next
end
Note: If 'split-tunneling-routing-address' is not specified, the FortiGate derives the routes pushed to the client from the destination addresses of the SSLVPN policies the user is authorized for.

4) Create a firewall policy from ssl.root to ssl.root without NAT, with the subnet object from step 2 as destination
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"   <<<< tunnel IP range from step 1
        set dstaddr "SSLVPN-Subnet"         <<<< subnet object created in step 2
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Backup"                 <<<< user group authorized to use this policy
        set nat disable                     <<<< no NAT required (keyword is 'disable')
    next
end


Result:

Client A has Tunnel IP 10.212.134.1
Client B has Tunnel IP 10.212.134.2

Ping from Client A to Client B works fine:

ping 10.212.134.2
PING 10.212.134.2 (10.212.134.2) 56(84) bytes of data.
64 bytes from 10.212.134.2: icmp_seq=1 ttl=127 time=25.1 ms
64 bytes from 10.212.134.2: icmp_seq=2 ttl=127 time=25.2 ms
64 bytes from 10.212.134.2: icmp_seq=3 ttl=127 time=25.9 ms
64 bytes from 10.212.134.2: icmp_seq=4 ttl=127 time=24.3 ms

Also the clients have received the correct routes:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.212.134.0    host-ftnt    255.255.255.0   UG    0      0        0 ppp0
192.168.249.0   host-ftnt    255.255.255.0   UG    0      0        0 ppp0
192.168.250.0   host-ftnt    255.255.255.0   UG    0      0        0 ppp0
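As an added check (example code written for this page, not part of the Fortinet article or of FortiOS itself): the Python script below parses the CLI objects from steps 1, 2 and 4 and a client routing table like the one in the result section, then confirms that the 'dummy' subnet object fully covers the tunnel IP range, that the ssl.root-to-ssl.root policy keeps NAT disabled and is limited to a user group, and that the client actually received the subnet route on its VPN interface. The config text and route dump are constructed to mirror the article's values; the function names and the 'error:'/'warning:' labels are the example's own conventions.

```python
"""Sanity-check the SSL VPN client-to-client setup before (and after) applying it.
Added example for this page; parses FortiOS-style CLI text and a 'route -n' dump."""
import ipaddress
import shlex

# Constructed sample config, mirroring the article's address objects and policy.
SAMPLE_CONFIG = """
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set associated-interface "ssl.root"
        set start-ip 10.212.134.1
        set end-ip 10.212.134.254
    next
    edit "SSLVPN-Subnet"
        set subnet 10.212.134.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SSLVPN-Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Backup"
        set nat disable
    next
end
"""

# Constructed 'route -n' output, as the article's client shows it after connecting.
SAMPLE_ROUTES = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.212.134.0    host-ftnt    255.255.255.0   UG    0      0        0 ppp0
192.168.249.0   host-ftnt    255.255.255.0   UG    0      0        0 ppp0
"""


def parse_fortios(text):
    """Parse flat 'config / edit / set / next / end' blocks into
    {section: {entry: {key: [values]}}}. Nested 'config' inside an 'edit'
    (not used by the article) is not handled."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip().strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            sections[section][entry][key] = shlex.split(rest)  # strips quotes
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return sections


def subnet_covers_range(addresses, subnet_name, range_name):
    """True if every address of the iprange object lies inside the subnet object."""
    net_addr, net_mask = addresses[subnet_name]["subnet"]
    network = ipaddress.ip_network(f"{net_addr}/{net_mask}", strict=False)
    start = ipaddress.ip_address(addresses[range_name]["start-ip"][0])
    end = ipaddress.ip_address(addresses[range_name]["end-ip"][0])
    return start <= end and start in network and end in network


def policy_findings(policy, range_name, subnet_name):
    """'error:' findings break client-to-client routing; 'warning:' findings are
    scope concerns (the policy is deliberately broad in the article)."""
    findings = []
    if policy.get("srcintf") != ["ssl.root"] or policy.get("dstintf") != ["ssl.root"]:
        findings.append("error: policy must go from ssl.root to ssl.root")
    if policy.get("srcaddr") != [range_name]:
        findings.append("error: srcaddr must be the tunnel IP range")
    if policy.get("dstaddr") != [subnet_name]:
        findings.append("error: dstaddr must be the routable dummy subnet")
    if policy.get("action") != ["accept"]:
        findings.append("error: action must be accept")
    if policy.get("nat", ["disable"]) != ["disable"]:  # NAT is off when unset
        findings.append("error: NAT must stay disabled between clients")
    if not policy.get("groups"):
        findings.append("warning: policy is not limited to a user group")
    if policy.get("service") == ["ALL"]:
        findings.append("warning: service ALL permits every protocol between clients")
    return findings


def client_has_route(route_table, subnet_name, addresses, iface="ppp0"):
    """True if the 'route -n' dump carries the subnet via the VPN interface."""
    net_addr, net_mask = addresses[subnet_name]["subnet"]
    for line in route_table.splitlines():
        cols = line.split()  # Destination Gateway Genmask Flags Metric Ref Use Iface
        if len(cols) >= 8 and cols[0] == net_addr and cols[2] == net_mask and cols[7] == iface:
            return True
    return False


def check_config(config_text, route_text):
    """Run all three checks and return them as a dict for reporting."""
    cfg = parse_fortios(config_text)
    addresses = cfg["firewall address"]
    policy = cfg["firewall policy"]["1"]
    return {
        "subnet_covers_range": subnet_covers_range(addresses, "SSLVPN-Subnet", "SSLVPN_TUNNEL_ADDR1"),
        "policy_findings": policy_findings(policy, "SSLVPN_TUNNEL_ADDR1", "SSLVPN-Subnet"),
        "client_has_route": client_has_route(route_text, "SSLVPN-Subnet", addresses),
    }


if __name__ == "__main__":
    for name, value in check_config(SAMPLE_CONFIG, SAMPLE_ROUTES).items():
        print(f"{name}: {value}")
```

Run it against a `show firewall address` / `show firewall policy` export and the client's `route -n` output; a subnet that no longer covers the range (for example after the pool was enlarged) or a missing ppp0 route are the two failure modes that most often explain "client A cannot reach client B" after this setup.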

