Description | This article describes how to allow SSL VPN web mode users to reach remote servers through an IPsec tunnel. |
Scope | FortiGate. |
Solution |
Topology:
To reach the remote server, the following must be configured:
1) The IPsec tunnel interface needs its own IP address, because web mode traffic is proxied by the FortiGate and originates from the FortiGate1 IPsec tunnel interface rather than from the SSL VPN client.
148 # id=20085 trace_id=1 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=1, 172.16.1.1:1280->10.57.1.172:2048) from local. type=8, code=0, id=1280, seq=1."
The 'diagnose debug flow' output above shows the ICMP echo request (proto=1, type=8) sourced from 172.16.1.1, which is the IPsec tunnel interface IP address, and marked 'from local' because the FortiGate itself generates the packet.
Note that if no IP address is assigned to the IPsec tunnel interface, the FortiGate selects the WAN interface IP address as the source instead. That address is normally not covered by the phase 2 selectors, so the traffic never enters the tunnel and the connection fails:
148 # id=20085 trace_id=111 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=1, 10.56.241.148:4352->10.57.1.172:2048) from local. type=8, code=0, id=4352, seq=1."
Here 10.56.241.148 is the WAN interface IP address, not the tunnel interface address.
2) Make sure the tunnel interface IP address is included in the IPsec phase 2 selectors (matched on both peers) so that the traffic is not dropped by the tunnel.
3) Even though the debug flow output shows the traffic as coming from local, a firewall policy is still required from the SSL VPN tunnel interface (ssl.root) to the IPsec tunnel interface, plus the reverse policy from the IPsec tunnel interface to the SSL VPN tunnel interface.
After the above steps, web mode access can ping or RDP to the remote server.
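The three steps above, carried through as one worked FortiOS CLI configuration for FortiGate1 plus the verification commands used to produce the debug flow output in this article. This is an added example, not configuration from the original article or from Fortinet: the interface name to_site2, the peer address 203.0.113.2, the pre-shared key, the proposal, the address object Remote_LAN, the user group SSLVPN_Users and the policy names are all assumptions, while the tunnel IP 172.16.1.1 and the remote server 10.57.1.172 are taken from the article. The remote peer must mirror the phase 2 selectors for the tunnel to come up.

```fortios
# --- Step 1: give the IPsec tunnel interface its own IP address ---
# (assumed phase 1 "to_site2" terminating on wan1; key and proposal are placeholders)
config vpn ipsec phase1-interface
    edit "to_site2"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret ExamplePreSharedKey
    next
end
# Without this IP the FortiGate sources web mode traffic from the wan1 address
# (10.56.241.148 in the article) and the tunnel never sees it.
config system interface
    edit "to_site2"
        set ip 172.16.1.1 255.255.255.255
        set remote-ip 172.16.1.2 255.255.255.252
    next
end

# --- Step 2: phase 2 selectors must cover the tunnel IP as source ---
config vpn ipsec phase2-interface
    edit "to_site2_p2"
        set phase1name "to_site2"
        set proposal aes256-sha256
        set src-addr-type subnet
        set src-subnet 172.16.1.1 255.255.255.255
        set dst-addr-type subnet
        set dst-subnet 10.57.1.0 255.255.255.0
        set auto-negotiate enable
    next
end
# Route the remote LAN into the tunnel so the proxied traffic picks to_site2
config router static
    edit 0
        set dst 10.57.1.0 255.255.255.0
        set device "to_site2"
    next
end

# --- Step 3: policies between ssl.root and the tunnel, both directions ---
config firewall address
    edit "Remote_LAN"
        set subnet 10.57.1.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "sslvpn_to_site2"
        set srcintf "ssl.root"
        set dstintf "to_site2"
        set srcaddr "all"
        set dstaddr "Remote_LAN"
        set action accept
        set schedule "always"
        set service "PING" "RDP"
        set groups "SSLVPN_Users"
    next
    edit 0
        set name "site2_to_sslvpn"
        set srcintf "to_site2"
        set dstintf "ssl.root"
        set srcaddr "Remote_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING" "RDP"
    next
end

# --- Verification: confirm the source address is 172.16.1.1, not the WAN IP ---
diagnose vpn tunnel list name to_site2
diagnose debug reset
diagnose debug flow filter addr 10.57.1.172
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# Now ping 10.57.1.172 from the SSL VPN web portal; the trace should show
# "received a packet(proto=1, 172.16.1.1:...->10.57.1.172:2048) from local."
diagnose debug disable
diagnose debug flow trace stop
```

If the trace still shows the WAN address as the source, re-check that the `set ip` on the tunnel interface was applied and that the static route points at the tunnel; if the source is correct but `diagnose vpn tunnel list` shows no matching selector, the phase 2 selectors on one side do not include 172.16.1.1.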
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.