Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sripudaman
Staff
Staff

Created on ‎03-11-2022 09:36 AM Edited on ‎08-18-2025 06:33 AM By Moderator

Article Id 206678

Technical Tip: U-turn traffic from SSL VPN to IPsec site-to-site tunnel

Description

 

This article describes how to U-turn traffic from the remote SSL VPN client to an IPsec site-to-site tunnel.

 

Scope

 

FortiGate all versions.

 

Solution

 

Users may face issues while accessing remote subnets across IPsec tunnels from its local SSLVPN users as source as shown in the below topology. 

 

Capture6.PNG

 

The requirement is to send the traffic from SSL users to the remote subnet across the IPsec tunnel and vice-versa. It can be achieved through the following configurations:

 

Configuration:

 

If the split tunnel is enabled in SSL VPN, make sure the subnet of the remote peer (192.168.1.0/24) is included in the 'Routing Address' field of the split tunneling configuration in the 'Edit SSL VPN Portal' configuration of the local FortiGate. If it is a full tunnel, then no change is required in SSL VPN portal settings.

 

Capture3.PNG

 

Ensure the traffic is allowed in the traffic selectors in the Phase 2 configuration of the site-to-site tunnel.

 

Capture4.PNG

 

The highlighted is the assigned IP range for SSL VPN.

 

Note:

There will also be a need to configure a phase-2 selector in the remote peer with the local address being 192.168.1.0/24 and the remote address will be the SSL VPN IP range/subnet: 10.212.134.192/28. Not configuring this will fail to establish the connection between the two subnets.

Ensure the Ipv4 policy is in place for U-turn of traffic. The traffic should be allowed between ssl.root interface and Site to Site tunnel interface.

 

Capture5.PNG

 

Ensure NAT is disabled and a route for the remote subnet of 192.168.1.0/24 is present. On the peer side ensure the route for the SSL VPN subnet is configured.

 

The traffic will be able to U-turn the SSL traffic to the IPsec tunnel.

6835
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.