FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mricardez
Staff
Staff
Description This article discusses the reason SSL VPN Bookmark failed when IP Pool is used in the policy.
Scope FortiOS 6.4.9, 7.0.1, 7.2.0 and earlier.
Solution

Working with SSL VPN Web Mode, create a personal Bookmark to connect internal resources.

 

When the Bookmark is used by the user, the FortiGate creates a local connection from Fortigate to the remote resource. The FortiGate will use the source IP as the local IP of the interface getting out to reach the internal resource.

 

[SSLVPN Bookmark] Foritgate [Internal1 - IP x.x.x.x] <->  [y.y.y.y] WebServer.

 

The TCP packet will form as following:

 

src.ip x.x.x.x,dst.ip y.y.y.y, src.port aaaa, dst.port 443

 

There are situations where customers will use a different IP other than the Internal1 (x.x.x.x), usually, an IP Pool is this option.

 

After FortiOS v6.4.9, v7.0.1 and v7.2.0 the way to manage this traffic in FortiOS changed because of optimization of the kernel processing flow.

 

For example, by having the following topology and following configuration we can demonstrate the behavior.

 

Internet -> [VPN SSL Bookmark] Fortigate1 [ippool] <-> IPSec <-> [Fortigate2] <-> WebSever [10.120.0.52.8080]

 

# config vpn ssl web portal
    edit "web-access"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "ApacheTest"
                        set url "http://10.120.0.52:8080"
                    next
                end
            next
        end
    next

 

# config firewall ippool
    edit "Test"
        set startip 172.26.6.5
        set endip 172.26.6.5
    next
end

 

# config firewall policy

edit 3

set name "ToVpn"
set srcintf "ssl.root"
set dstintf "VPN-V-LATIS"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "Test"
set groups "VpnGroup"
set nat enable

next

 

 

The IPSec SA selectors are specific to IP Pool 172.26.6.5 by company policy restrictions.

 

# config vpn ipsec phase2-interface
    edit "Prueba SSL Latis"
        set phase1name "VPN-V-LATIS"
        set proposal 3des-sha1
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 172.26.6.5 255.255.255.255
        set dst-subnet 10.120.0.0 255.255.255.0
    next
end

# config router static
    edit 1
        set dst 10.120.0.0 255.255.255.0
        set device "VPN-V-LATIS"
    next
end

 

Only enabling the IP Pool on the firewall policy the SSL VPN Bookmark will fail, because the packet responds sync/ack from WebServer will be forward to the Internet since FG don't recognize the connection as local.

 

# diagnose sniffer packet any '10.120.0.52' 4 0 l

Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.120.0.52]
2022-06-15 08:25:03.327261 VPN-V-LATIS out 172.26.6.5.9773 -> 10.120.0.52.8080: syn 1295851828
2022-06-15 08:25:03.327994 VPN-V-LATIS in 10.120.0.52.8080 -> 172.26.6.5.9773: syn 2859351378 ack 1295851829
2022-06-15 08:25:03.328017 port1 out 10.120.0.52.8080 -> 172.26.6.5.9773: syn 2859351378 ack 1295851829

To FortiGate recognize this traffic as local, define IP pool addresses as the secondary IPs for the outgoing interface or use a loopback interface.

 

Creating the loopback interface the SSL VPN Bookmark works.

 

# config system interface
    edit "Lo0"
        set ip 172.26.6.5 255.255.255.255
        set type loopback
        set snmp-index 14
    next
end

 

The sync/ack now is handled by FortiGate and the Web server works.
The syn/ack is routed through the root to be processed by FortiGate.

 

# diagnose sniffer packet any 'host 10.120.0.52' 4 0 l

Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.120.0.52]
2022-06-15 08:39:47.460948 VPN-V-LATIS out 172.26.6.5.18717 -> 10.120.0.52.8080: syn 420135737
2022-06-15 08:39:47.462019 VPN-V-LATIS in 10.120.0.52.8080 -> 172.26.6.5.18717: syn 3796813690 ack 420135738
2022-06-15 08:39:47.462046 VPN-V-LATIS out 172.26.6.5.18717 -> 10.120.0.52.8080: ack 3796813691
2022-06-15 08:39:47.462229 VPN-V-LATIS out 172.26.6.5.18717 -> 10.120.0.52.8080: psh 420135738 ack 3796813691
2022-06-15 08:39:47.463465 VPN-V-LATIS in 10.120.0.52.8080 -> 172.26.6.5.18717: ack 420136418

 

 

 

Contributors