Support Forum
obrienw
New Contributor

SSL-VPN traffic not passed through Site-to-Site IPSec VPN

I'm not able to access a branch office on the other side of an IPsec VPN when I SSL-VPN into the HQ. However, I've found a workaround using IP routing in Windows every time I connect, but I'm kind of curious why that's required.

HQ - FG110C, v4 MR3, Subnets 10.0.0.0/24, 10.1.0.0/24
Branch Office - FWF40C, v4 MR3, Subnet 10.6.0.0/24

IPsec VPN (route/interface based) between the two offices. Works fine inside either office.
SSL-VPN on the HQ FortiGate (IP Pool: 172.32.254.0/23). Works fine to the HQ subnets. Split-tunneling is on.
Policies on both FGs allow traffic to and from the ssl.root interface and the ssl.root subnet (172.32...) via the IPsec interface.
Using FortiClient 4.3.5.472.

When I SSL-VPN into the HQ FG, I checked the IP routes (Windows) and noticed that the 10.0.0.0/24 and 10.1.0.0/24 subnets were added, routed through gateway 172.32.254.2 (the fortissl adapter gateway). So I just added a route:

route add 10.6.0.0 mask 255.255.255.0 172.32.254.2 if 51

(where 51 is the fortissl interface id number) and blammo, traffic goes through just fine. Any idea why the branch office subnet isn't automatically being handled by the FortiClient?
Carl_Wallmark
Valued Contributor

You need to add the 10.6.0.0 network to your SSL-VPN configuration so that the FortiGate pushes that network out to the FortiClient. It's done in the firewall policy in "destination address".

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

obrienw

Got it, thank you. For clarification, this is under the (HQ) wan1 -> port1, Action: SSL-VPN policy. The destination addresses listed there are what are sent to the SSL-VPN client.
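Carl's answer and the follow-up in FortiOS 4.0 MR3 CLI form, as an added example that is not from either poster: with split tunneling on, the dstaddr list of the wan1 -> port1 SSL-VPN policy is what FortiClient installs as routes via the fortissl adapter, so the branch subnet has to appear there. The address object names, the policy IDs, the user group sslvpn_users and the phase1 interface name to_branch are assumptions.

```fortios
# Address objects for the subnets the SSL-VPN client must reach (names assumed)
config firewall address
    edit "HQ_LAN_0"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "HQ_LAN_1"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "Branch_LAN"
        set subnet 10.6.0.0 255.255.255.0
    next
end
# wan1 -> port1 SSL-VPN policy: every dstaddr entry here is pushed to the
# client as a split-tunnel route, so 10.6.0.0/24 only reaches the client
# once Branch_LAN is listed alongside the HQ subnets
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "HQ_LAN_0" "HQ_LAN_1" "Branch_LAN"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "sslvpn_users"
                set schedule "always"
                set service "ANY"
                set sslvpn-portal "full-access"
            next
        end
    next
    # Policy that carries the tunneled client traffic on to the IPsec
    # interface ("to_branch" is the assumed phase1 interface name)
    edit 11
        set srcintf "ssl.root"
        set dstintf "to_branch"
        set srcaddr "all"
        set dstaddr "Branch_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

The return direction still needs the matching to_branch -> ssl.root policy on HQ, and the branch FWF40C needs a route for the 172.32.254.0/23 pool pointing at its own IPsec interface, which the original post says is already in place.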