FortiGate
athirat
Staff
Article Id 207934
Description

This article describes how to add the SSL-VPN pool subnet to the OCVPN overlay.

Scope

All FortiOS versions.
Solution

- The error 'Only internal subnets are allowed' is seen because FortiGate, by default, performs a route lookup for the local subnet being added to OCVPN.

- In the case of the SSL-VPN pool, no route for this subnet is available in the routing table, so the error is displayed in the GUI.

- The workaround is to add a dummy static route on FortiGate for the SSL-VPN subnet, which should resolve the issue:

Create a static route such that:

- Subnet: the SSL-VPN pool
- Gateway: 0.0.0.0
- Interface: ssl.root
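
The same dummy route entered from the FortiOS CLI, as an added example that is not part of the original article. The subnet 10.212.134.0 255.255.255.0 and the comment text are placeholders; substitute the SSL-VPN pool subnet actually configured on the unit.

```fortios
config router static
    edit 0
        # Placeholder subnet: replace with the configured SSL-VPN pool
        set dst 10.212.134.0 255.255.255.0
        set gateway 0.0.0.0
        set device "ssl.root"
        set comment "Dummy route for SSL-VPN pool (OCVPN overlay)"
    next
end
# Confirm the route is in the routing table before adding the subnet to the OCVPN overlay
get router info routing-table static
```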
