|
Working with SSL VPN Web Mode, create a personal Bookmark to connect internal resources.
When the Bookmark is used by the user, the FortiGate creates a local connection from Fortigate to the remote resource. The FortiGate will use the source IP as the local IP of the interface getting out to reach the internal resource.
[SSLVPN Bookmark] Foritgate [Internal1 - IP x.x.x.x] <-> [y.y.y.y] WebServer.
The TCP packet will form as following:
src.ip x.x.x.x,dst.ip y.y.y.y, src.port aaaa, dst.port 443
There are situations where customers will use a different IP other than the Internal1 (x.x.x.x), usually, an IP Pool is this option.
After FortiOS v6.4.9, v7.0.1 and v7.2.0 the way to manage this traffic in FortiOS changed because of optimization of the kernel processing flow.
For example, by having the following topology and following configuration we can demonstrate the behavior.
Internet -> [VPN SSL Bookmark] Fortigate1 [ippool] <-> IPSec <-> [Fortigate2] <-> WebSever [10.120.0.52.8080]
# config vpn ssl web portal
edit "web-access"
set web-mode enable
config bookmark-group
edit "gui-bookmarks"
config bookmarks
edit "ApacheTest"
set url "http://10.120.0.52:8080"
next
end
next
end
next
# config firewall ippool
edit "Test"
set startip 172.26.6.5
set endip 172.26.6.5
next
end
# config firewall policy
edit 3
set name "ToVpn"
set srcintf "ssl.root"
set dstintf "VPN-V-LATIS"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "Test"
set groups "VpnGroup"
set nat enable
next
The IPSec SA selectors are specific to IP Pool 172.26.6.5 by company policy restrictions.
# config vpn ipsec phase2-interface
edit "Prueba SSL Latis"
set phase1name "VPN-V-LATIS"
set proposal 3des-sha1
set pfs disable
set keylifeseconds 3600
set src-subnet 172.26.6.5 255.255.255.255
set dst-subnet 10.120.0.0 255.255.255.0
next
end
# config router static
edit 1
set dst 10.120.0.0 255.255.255.0
set device "VPN-V-LATIS"
next
end
Only enabling the IP Pool on the firewall policy the SSL VPN Bookmark will fail, because the packet responds sync/ack from WebServer will be forward to the Internet since FG don't recognize the connection as local.
# diagnose sniffer packet any '10.120.0.52' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.120.0.52]
2022-06-15 08:25:03.327261 VPN-V-LATIS out 172.26.6.5.9773 -> 10.120.0.52.8080: syn 1295851828
2022-06-15 08:25:03.327994 VPN-V-LATIS in 10.120.0.52.8080 -> 172.26.6.5.9773: syn 2859351378 ack 1295851829
2022-06-15 08:25:03.328017 port1 out 10.120.0.52.8080 -> 172.26.6.5.9773: syn 2859351378 ack 1295851829
To FortiGate recognize this traffic as local, define IP pool addresses as the secondary IPs for the outgoing interface or use a loopback interface.
Creating the loopback interface the SSL VPN Bookmark works.
# config system interface
edit "Lo0"
set ip 172.26.6.5 255.255.255.255
set type loopback
set snmp-index 14
next
end
The sync/ack now is handled by FortiGate and the Web server works.
The syn/ack is routed through the root to be processed by FortiGate.
# diagnose sniffer packet any 'host 10.120.0.52' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.120.0.52]
2022-06-15 08:39:47.460948 VPN-V-LATIS out 172.26.6.5.18717 -> 10.120.0.52.8080: syn 420135737
2022-06-15 08:39:47.462019 VPN-V-LATIS in 10.120.0.52.8080 -> 172.26.6.5.18717: syn 3796813690 ack 420135738
2022-06-15 08:39:47.462046 VPN-V-LATIS out 172.26.6.5.18717 -> 10.120.0.52.8080: ack 3796813691
2022-06-15 08:39:47.462229 VPN-V-LATIS out 172.26.6.5.18717 -> 10.120.0.52.8080: psh 420135738 ack 3796813691
2022-06-15 08:39:47.463465 VPN-V-LATIS in 10.120.0.52.8080 -> 172.26.6.5.18717: ack 420136418
|
