FortiGate
ChrisTan
Staff
Article Id 218532
Description This article describes how to allow SSL VPN web mode to visit remote servers through an IPsec tunnel.
Scope FortiGate.
Solution

Topology:

[Image: topology diagram, FortiGate1 with an SSL VPN web mode client reaching a remote server through an IPsec tunnel to FortiGate2]

 

To reach the remote server from SSL VPN web mode, make sure the following is configured on FortiGate1:

 

1) The IPsec tunnel interface needs to have an IP address. In web mode the FortiGate itself initiates the connection to the remote server, and that traffic is sourced from the FortiGate1 IPsec tunnel interface.

 

148 # id=20085 trace_id=1 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=1, 172.16.1.1:1280->10.57.1.172:2048) from local. type=8, code=0, id=1280, seq=1."

 

The 'diagnose debug flow' output above shows the traffic sourced from 172.16.1.1, which is the IPsec tunnel interface IP address, and marked as "from local" because the FortiGate itself generates it.

 

Note that if no IP address is assigned to the IPsec tunnel interface, FortiGate selects the WAN interface IP address as the source. That address is normally not covered by the phase 2 selectors, so the connection fails:

 

148 # id=20085 trace_id=111 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=1, 10.56.241.148:4352->10.57.1.172:2048) from local. type=8, code=0, id=4352, seq=1."

 

10.56.241.148 is the WAN interface IP address.

 

2) Make sure the tunnel interface IP address is covered by the IPsec phase 2 selectors (and by the matching selectors on the peer) so that the traffic is not dropped by the tunnel.

 

3) Even though the debug output shows the traffic as "from local", it is still necessary to create a firewall policy from the SSL-VPN tunnel interface to the IPsec tunnel interface, and the reverse policy.

 

[Image: firewall policy list showing the SSL-VPN tunnel interface to IPsec tunnel interface policy and its reverse]
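The three steps above as one FortiOS CLI configuration, followed by the debug flow commands used to verify the source address. This is an added example, not configuration from the article; the tunnel name "to-FG2", the phase 2 name "to-FG2-p2", the remote tunnel endpoint 172.16.1.2, the remote LAN 10.57.1.0/24 (inferred from the server 10.57.1.172), the address object "remote-lan", the user group "sslvpn-users" and the default SSL VPN interface "ssl.root" are all assumptions. The static route is not called out in the article but is required for an interface-mode IPsec tunnel to carry the traffic at all.

```fortios
# Assumed names (not from the article): tunnel "to-FG2", phase 2 "to-FG2-p2",
# peer tunnel IP 172.16.1.2, remote LAN 10.57.1.0/24, SSL VPN interface ssl.root.

# Step 1: give the IPsec tunnel interface an IP so web mode traffic is
# sourced from 172.16.1.1 instead of the WAN address 10.56.241.148.
config system interface
    edit "to-FG2"
        set ip 172.16.1.1 255.255.255.255
        set remote-ip 172.16.1.2 255.255.255.255
    next
end

# Step 2: phase 2 selectors must cover the tunnel IP. The peer's selectors must
# mirror this: src 10.57.1.0/24, dst 172.16.1.1/32.
config vpn ipsec phase2-interface
    edit "to-FG2-p2"
        set phase1name "to-FG2"
        set src-subnet 172.16.1.1 255.255.255.255
        set dst-subnet 10.57.1.0 255.255.255.0
    next
end

# Route the remote LAN into the tunnel (required for interface-mode IPsec;
# not mentioned in the article but nothing reaches the tunnel without it).
config router static
    edit 0
        set dst 10.57.1.0 255.255.255.0
        set device "to-FG2"
    next
end

config firewall address
    edit "remote-lan"
        set subnet 10.57.1.0 255.255.255.0
    next
end

# Step 3: policy from the SSL-VPN interface to the tunnel, and the reverse.
# Destination is narrowed to the remote LAN rather than "all".
config firewall policy
    edit 0
        set name "sslvpn-to-ipsec"
        set srcintf "ssl.root"
        set dstintf "to-FG2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "remote-lan"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "ipsec-to-sslvpn"
        set srcintf "to-FG2"
        set dstintf "ssl.root"
        set srcaddr "remote-lan"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verification: trace a web mode ping/RDP attempt to the remote server.
# A healthy trace shows "172.16.1.1:... -> 10.57.1.172 ... from local".
# If the source is 10.56.241.148 (the WAN IP), step 1 is missing.
diagnose debug flow filter addr 10.57.1.172
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# Stop tracing and clear the filter when done.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose vpn tunnel list name to-FG2
```

The last command confirms the phase 2 SA is up and shows the selectors actually negotiated; if the tunnel IP is missing from the selectors on either side, the trace will still show the packet leaving "from local" but the encrypted packet count on the SA will not increase.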

 

After the above steps, SSL VPN web mode users can ping or RDP to the remote server.

 

[Image: SSL VPN web mode portal showing a successful ping and RDP session to the remote server]