Support Forum
pprior
New Contributor II

SSL VPN to Site2Site VPN

Hi!


I've 2 FortiGate 40s with an IPSEC tunnel, working great.

Then in each one, I've an SSL VPN for client PCs; they can access the local LAN in both sites.

The problem is I need to allow access to Site 1 using the SSL VPN on Site 2.

Tried to adapt this https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn but can't get it to work.

On Site2 I created a policy to allow SSLVPN traffic to access the VPN tunnel:

Incoming - SSLVPN

Outgoing - IPSEC Tunnel

Source - IP range for SSL and the ssl user group

Destination - The remote subnet on Site1

Tried with and without NAT, but it doesn't work.

Don't I need a policy to allow it in Site1 also? Tried that also, but it doesn't work.

 

Can anyone help or point another example?

Thanks in advance

1 Solution
ntaneja
Staff

Hi pprior

If the config part is verified as per the document shared, please run the commands below and share the output.

* Login to FGT using PuTTY SSH, log the session and run the commands below:
diag debug reset 
diag debug en 
diag debug console timestamp enable 
diag debug flow filter clear 
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with Destination behind site B] 
diag debug flow filter proto 1 
diag debug flow trace start 999

Before executing the above commands, ensure that there are no existing sessions from the IP. After executing the above commands, connect to the SSL VPN and ping the destination IP behind the remote side. Once you see the output generated, enter the following commands to turn off debugging:

diag debug disable 
diag debug reset 

Share the client IP and dst IP for analysis.

Log PuTTY sessions first on both devices and then generate traffic.

Thanks


16 Replies
pprior
New Contributor II

Got this info:

get router info routing-table details 10.212.130.1

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 5, metric 0, best
* ext.ip.98.1, via lan3

pprior
New Contributor II

SOLVED!!!

After creating a static route and a policy to allow traffic from SITE1 to the SSL VPN in SITE2, it started pinging.

Thank you NTANEJA and all the others for the support!

Great Forum.

Muhammad_Haiqal

Hi there,

FGT1 IPSEC with FGT2.

SSLVPN connect to FGT2.
You want to access network on FGT1.

Here is the general idea:

On FGT2:

Incoming - SSLVPN

Outgoing - IPSEC Tunnel

Source - All

Destination - All

No NAT

On FGT1 and FGT2:
On IPSEC phase 2, please include the SSLVPN IP range.
Looking at your summary, you are missing the SSLVPN range on the phase 2.

haiqal
pprior

Hi, thanks for the help!

Even with the address groups including the Site2 LAN and the site VPN subnet, it still doesn't work...

[attached screenshot: fg.JPG]

Muhammad_Haiqal

Please add the phase 2 on both sites. Make sure your static route is using the "to_FV_remote" site-to-site interface. I'm suspecting this issue is related to routing now.

haiqal
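The pieces this thread converges on (the SSL VPN to tunnel policy on FGT2, phase 2 selectors that include the SSL VPN pool on both ends, and the return route plus inbound policy on FGT1) written out as FortiOS CLI. This is an added illustration, not configuration from the original posts or from Fortinet's cookbook. It assumes the tunnel interface is named "to_FV_remote" on both units (the thread only shows it on Site2), that the SSL VPN client pool is 10.212.130.0/24 (the address pprior looked up in the routing table), that the Site1 LAN is 192.168.1.0/24 behind "internal", that the Site2 LAN is 192.168.2.0/24, that the SSL VPN user group is "sslvpngroup", and that the tunnel is route-based (phase2-interface) on FortiOS 6.x. All object names and subnets are placeholders to substitute for your own.

```fortios
# ===== FGT2: the FortiGate the SSL VPN client connects to =====
# Address objects. Subnets and names are assumed placeholders.
config firewall address
    edit "SSLVPN_POOL"
        set subnet 10.212.130.0 255.255.255.0
    next
    edit "Site1_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Site2_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Site2_local_nets"
        set member "Site2_LAN" "SSLVPN_POOL"
    next
end

# Phase 2 selectors must cover the SSL VPN pool, not only the Site2 LAN.
# Otherwise the SA never carries 10.212.130.0/24 and the tunnel drops it.
config vpn ipsec phase2-interface
    edit "to_FV_remote"
        set phase1name "to_FV_remote"
        set src-addr-type name
        set src-name "Site2_local_nets"
        set dst-addr-type name
        set dst-name "Site1_LAN"
    next
end

# Outbound policy: SSL VPN interface -> tunnel. Source is limited to the
# pool and the user group. No NAT, so Site1 sees the real client address.
config firewall policy
    edit 0
        set name "SSLVPN_to_Site1"
        set srcintf "ssl.root"
        set dstintf "to_FV_remote"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "Site1_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpngroup"
        set nat disable
        set logtraffic all
    next
end

# ===== FGT1: the remote site =====
config firewall address
    edit "SSLVPN_POOL"
        set subnet 10.212.130.0 255.255.255.0
    next
    edit "Site1_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Site2_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Site2_remote_nets"
        set member "Site2_LAN" "SSLVPN_POOL"
    next
end

# Return route. Without it FGT1 answers 10.212.130.x via its default route,
# which is exactly what the routing-table lookup in the thread showed.
config router static
    edit 0
        set dst 10.212.130.0 255.255.255.0
        set device "to_FV_remote"
    next
end

# Mirror of the phase 2 selectors, src and dst swapped.
config vpn ipsec phase2-interface
    edit "to_FV_remote"
        set phase1name "to_FV_remote"
        set src-addr-type name
        set src-name "Site1_LAN"
        set dst-addr-type name
        set dst-name "Site2_remote_nets"
    next
end

# Inbound policy: SSL VPN clients arriving through the tunnel -> Site1 LAN.
config firewall policy
    edit 0
        set name "Site2_SSLVPN_to_LAN"
        set srcintf "to_FV_remote"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "Site1_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

After applying this, the check from the accepted answer still applies: run the `diag debug flow` trace on both units while pinging from an SSL VPN client. On FGT1 the trace should show a route via "to_FV_remote" for the pool address and the inbound policy being matched; if it still shows the default route, the static route or the phase 2 selector on that side is the piece that is missing.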
EEHC

These are the first points I would ask about.

EEHC

EEHC
Contributor

I believe we have to check routing at both ends to ensure that the packets go through the tunnel. Also, we could check the log on the FortiGate to confirm that the correct policies are matched. Normally, problems start at the routing and end at the policy.

EEHC