Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Duncan
New Contributor III

Web portal traffic coming from MGMT port when traversing PtP IPsec VPN

We have been using the remote access SSL VPN for some time. We were using a private WAN to connect our three sites together. Recently, we removed the WAN and set up a site-to-site IPsec VPN over the Internet. This has been working fine for a few weeks except today I noticed a problem. I cannot connect to resources over the IPsec VPN from the remote access web portal. We especially use the RDP option. I have been playing around with firewall rules and it all looks good. I now believe the problem is because the traffic is originating from the default MGMT IP (192.168.1.99). I know this because a sniffer reveals this:

    49.628847 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
    50.622905 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
    52.623622 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
    56.635057 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
    64.667940 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478

This seems to only apply to the web portal traversing over the IPsec VPN. If I remove any one of those, it works fine. Does anyone know if it is possible to change the originating IP? Alternatively, I guess I could reconfigure this management IP to be inside our site ranges.


Three sites

Three FortiGates: 200E, 100E, 100E

All running 6.0.7


4 REPLIES
Toshi_Esumi
Esteemed Contributor II

First, you're using web mode SSL VPN. If it's tunnel mode with FortiClient, individual users have their own source IP that you set in a pool. Second, you don't seem to have an IP address configured on the tunnel interface "VPNInt". If you're using interface mode/route-based IPsec (phase1-interface/phase2-interface) you're supposed to set an IP on both ends of the tunnel. Then in this case, that IP would be used to access the remote resources over the tunnel.

Duncan
New Contributor III

Thanks mate. That makes sense. I don't recall reading about setting an IP in the tutorial. How is this done? Via standard CLI interface commands I assume. Can you point me in the direction of the doco?

Toshi_Esumi
Esteemed Contributor II

You can find some examples if you search for "FortiGate site-to-site VPN CLI configuration" on the internet. But it's so simple I'll explain it here: It's under "config sys int". After getting into "edit VPNInt", just run "show" to see what's configured now. Then add the below to the existing config. The IPs below are just an example. You can change them to any private IP set.

    config sys interface
        edit VPNInt
            set ip 10.0.0.1 255.255.255.255
            set allowaccess ping
            set remote-ip 10.0.0.2 255.255.255.255
        next
    end

You need to reverse "set ip" and "set remote-ip" on the other end obviously. Don't worry about the /32 net-mask, because these two /32s would be injected into the routing table as "connected routes" separately. So they don't actually have to be in a /30, but it's better to be, in case the other side is not a FGT. GUI config examples often don't have this part of the config, which I hate, because it causes problems like yours and denies the biggest benefit of "interface mode/route-based" IPsec vs. "policy-based". You can treat it just like a regular interface on a router.
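
The following is an added illustration, not code from this thread or from Fortinet. It parses FortiGate sniffer output in the format Duncan posted (the `iface dir src.port -> dst.port: flags seq` layout of `diagnose sniffer packet`), flags outbound packets on the tunnel interface whose source is not the tunnel IP (10.0.0.1, taken from Toshi_Esumi's example config), and counts SYNs that are retransmitted with the same sequence number and never answered, which is the symptom in the question. The five sample lines are the ones from the question; the sixth line, showing a flow sourced from the tunnel IP after the fix, is constructed for the example. The regular expression and function names are this example's own assumptions.

```python
"""Check FortiGate sniffer output for tunnel traffic sourced from the
management IP instead of the tunnel interface IP (added example)."""
import re
from collections import Counter

# One line of sniffer output as shown in the question, e.g.
# "49.628847 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478"
# The pattern is an assumption matching that layout, not an official grammar.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

# Constructed sample: the five lines from the question plus one constructed
# line showing a flow correctly sourced from the tunnel IP after the fix.
SAMPLE = """\
49.628847 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
50.622905 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
52.623622 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
56.635057 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
64.667940 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478
70.100000 VPNInt out 10.0.0.1.3108 -> 10.30.16.18.3389: syn 3016459479
"""

DEFAULT_MGMT_IP = "192.168.1.99"   # factory default management address from the question
TUNNEL_IP = "10.0.0.1"             # "set ip" value from the example config above


def parse(text):
    """Return one dict per parseable sniffer line; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append(m.groupdict())
    return flows


def misrouted_sources(flows, iface, expected_src):
    """Count outbound packets on `iface` whose source is not `expected_src`,
    keyed by (src, dst, dport). Any hit means the FortiGate is picking a
    different interface address (here the MGMT IP) as the source for
    traffic it originates into the tunnel."""
    bad = Counter()
    for f in flows:
        if f["iface"] == iface and f["dir"] == "out" and f["src"] != expected_src:
            bad[(f["src"], f["dst"], int(f["dport"]))] += 1
    return bad


def unanswered_syn_retries(flows):
    """Group SYNs by 4-tuple plus sequence number and return those seen more
    than once. A SYN repeated with the same sequence number and no reply in
    the capture is a connection attempt that is never answered."""
    seqs = Counter()
    for f in flows:
        parts = f["rest"].split()
        if len(parts) >= 2 and parts[0] == "syn":
            seqs[(f["src"], int(f["sport"]), f["dst"], int(f["dport"]), parts[1])] += 1
    return {k: n for k, n in seqs.items() if n > 1}


if __name__ == "__main__":
    flows = parse(SAMPLE)
    for (src, dst, dport), n in misrouted_sources(flows, "VPNInt", TUNNEL_IP).items():
        tag = " (default MGMT IP)" if src == DEFAULT_MGMT_IP else ""
        print(f"{n} packet(s) to {dst}:{dport} sourced from {src}{tag}, expected {TUNNEL_IP}")
    for key, n in unanswered_syn_retries(flows).items():
        print(f"SYN seq {key[4]} from {key[0]}:{key[1]} to {key[2]}:{key[3]} retried {n} times")
```

Run against a real capture, the same two checks read as: the source address on VPNInt should be the tunnel IP after `set ip` is applied, and repeated SYNs with one sequence number and no reply should stop once it is.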

Duncan
New Contributor III

Thanks mate. Worked a treat.