RegGel
New Contributor

SSL VPN traffic problem with IPsec VPN to Azure VWAN

Hi All,

I have set up an IPsec VPN to Azure VWAN based on the Fortinet Cookbook article.

Cookbook | FortiGate / FortiOS 6.2.11 | Fortinet Documentation Library

It is working, and BGP is Advertising routes from the Internal LAN to Azure and vice versa.

My problem is that, when connecting to the FortiGate using the SSL VPN, I cannot use services hosted in Azure. Azure does not have a route back to my VPN IP range. I assume this is because the VPN pool is not considered an Internal Network.

I think the way to solve this is to create a new VLAN on the LAN side (which will be advertised via BGP) and use NAT from the VPN Pool to the LAN network.

Is this the correct approach to solve this problem? If so, could someone point me in the correct direction as to how to do this?

Regards,

Rob.

1 Solution
akumarr
Staff

Dear Rob,

Hope you are doing well.
So basically you are unable to access the Azure LAN subnet from the FortiGate SSL VPN users?

Could you please try the below and check if this helps?

Create a policy from the FortiGate SSL VPN interface (as incoming interface) to the Azure VPN interface (as outgoing interface), allowing source, destination and services.
Enable NAT and create a dynamic address (you can use your FortiGate LAN address as the NAT address) and save the policy.

After that, try to access the Azure LAN site.

The above policy basically sends the packet with the FortiGate LAN address as the source, and since Azure already has a route to reach the FortiGate LAN, the traffic will be routed back.

Please let me know if you have any queries.

Best regards,
ARUNKUMAR.R.
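The policy described in this answer, written out in the FortiOS CLI as an added illustration; this is not configuration from the original post or from the Fortinet cookbook. The interface names (`ssl.root`, `Azure-VPN`), the address and pool object names, the user group `SSLVPN_USERS`, and the ranges 10.212.134.0/24 (SSL VPN pool), 192.168.10.0/24 (on-prem LAN) and 10.50.0.0/16 (Azure side) are all assumed placeholders. The "dynamic address" in the answer corresponds to an overload IP pool taken from the LAN range that BGP already advertises to Azure. Since the NAT replaces every SSL VPN user's tunnel address with one shared LAN address, Azure-side logs can no longer tell users apart, so the policy turns on full traffic logging on the FortiGate to keep that attribution where the user identity is still known.

```fortios
# Added example (not from the original post). Names and ranges are placeholders.

# 1. Address objects: the SSL VPN client pool and the Azure-side subnet
#    learned via BGP (assumed 10.212.134.0/24 and 10.50.0.0/16).
config firewall address
    edit "SSLVPN_POOL"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "AZURE_VNET"
        set subnet 10.50.0.0 255.255.0.0
    next
end

# 2. Overload (PAT) IP pool drawn from the on-prem LAN range 192.168.10.0/24,
#    which BGP already advertises to Azure, so Azure has a return route.
#    Use a host address that no LAN device actually occupies.
config firewall ippool
    edit "SSLVPN_TO_AZURE_SNAT"
        set type overload
        set startip 192.168.10.250
        set endip 192.168.10.250
    next
end

# 3. Policy from the SSL VPN tunnel interface to the Azure IPsec interface,
#    source-NATed to the pool above. Scope source and destination to the
#    two objects rather than "all", bind the SSL VPN user group (required
#    for policies whose source interface is ssl.root), and log all traffic
#    so the FortiGate still records which SSL VPN user opened each session.
config firewall policy
    edit 0
        set name "SSLVPN-to-Azure-SNAT"
        set srcintf "ssl.root"
        set dstintf "Azure-VPN"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "AZURE_VNET"
        set groups "SSLVPN_USERS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SSLVPN_TO_AZURE_SNAT"
        set logtraffic all
    next
end

# 4. Verification from an SSL VPN client: open a test connection to an
#    Azure host (assumed 10.50.0.10) and confirm the session shows the
#    translated source 192.168.10.250 leaving the tunnel interface.
# diagnose sys session filter dst 10.50.0.10
# diagnose sys session list
# diagnose sniffer packet Azure-VPN 'host 10.50.0.10' 4
```

If the session list shows the original 10.212.134.x source instead of the pool address, the traffic is matching an earlier policy without NAT; policies are evaluated top-down, so move this one above any broader SSL VPN rule.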


RegGel
New Contributor

Thank you ever so much. That worked perfectly.