veechee
New Contributor

Changed from static to OSPF for S2S VPNs, but now can't reach other site via SSLVPN

Hi all,

Been a while since I posted!  I am hoping somebody can help me figure out an issue!

BACKGROUND: I have two sites interconnected with three IPSec VPN tunnels.  I used to use static routing to prioritize them, but yesterday I changed to OSPF (following this document as a guide: http://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf).  It is working fine now between the two sites except for a couple of issues.

ISSUE 1:

When we use SSL VPN (always tunnel mode), we need resources at both sites (mainly file shares).  Since the change to OSPF, only resources in the office we connect to can be reached.  I have added the remote interface IPs for the IPSec interfaces for all policies on both FGTs just as they were for the site-to-site IPSec policies.  But traffic doesn't traverse the VPNs.  A traceroute goes nowhere.

ISSUE 2:

There are a couple of private subnets outside of the site 1 FGT (FGT1) that need to be accessed from site 2 (FGT2).  These subnets are defined as static routes on FGT1 with a gateway IP.  There is a policy on FGT1 to allow FGT2 IPSec tunnels to reach the WAN of FGT1, which previously, combined with a static route on FGT2, worked.  But with OSPF, even though I have advertised those subnets on FGT1, I cannot ping resources on those subnets.

I am totally new to OSPF... Happy it's working for the S2S VPNs, but I badly need ISSUE 1 fixed so I can keep using it!

Appreciate any and all help.

4 REPLIES
veechee
New Contributor

Adding some more info that I think may be relevant:

- Obviously, there is a static route declared for ssl.root on each FGT.  I used 10.x.99.192/255.255.255.192 for it.

- Only a few /24 subnets are actually in use on each FGT; however, the routing declaration in OSPF on each box is a /16.  I carried this over from my old static routes, as I had given a /16 to each office before in static routes so I didn't have to maintain so many static routes (remember, I have three WAN interfaces at one site...).  So I declare 10.x.0.0/255.255.0.0 in OSPF.

In the routing monitor, I see that OSPF figures out what subnet is actually used (e.g., 10.x.x.0/24).  Could I be having an issue that my declared OSPF subnet crosses over with my SSLVPN subnet?  I don't think so, but putting it out there...

obfuscated
New Contributor II

In the routing table of Fortigate A (you may have a pet name for it?), do you have an OSPF route for the address range you have assigned the SSL users when they tunnel into Fortigate B (and vice versa)?  If OSPF is not advertising this network across the link then the traffic will go from A to B but it won't know how to get back.  It's then defining how these are advertised or redistributed from a static?

Ob
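
As an added illustration of the point above (this is not the poster's configuration or Fortinet's own documentation), here is a FortiOS CLI fragment for FGT1 that makes the SSL VPN pool reachable from the other site. It assumes the SSL VPN pool is 10.1.99.192/26 on ssl.root and that FGT2 peers with FGT1 over OSPF; all addresses and object names are made up for the example.

```fortios
# Added example, not from the original thread. Assumed values:
# SSL VPN pool 10.1.99.192/26 on ssl.root, site 1 LAN 10.1.0.0/16.

# 1. The static route for the SSL VPN pool. On its own this is only
#    known to FGT1, which is why replies from site 2 have no path back.
config router static
    edit 10
        set dst 10.1.99.192 255.255.255.192
        set device "ssl.root"
    next
end

# 2. Only redistribute the SSL VPN pool, not every static route on the box
#    (a bare "redistribute static" would also leak e.g. the default route).
config router prefix-list
    edit "sslvpn-pool"
        config rule
            edit 1
                set prefix 10.1.99.192 255.255.255.192
                unset ge
                unset le
            next
        end
    next
end
config router route-map
    edit "static-to-ospf"
        config rule
            edit 1
                set match-ip-address "sslvpn-pool"
            next
        end
    next
end

# 3. Redistribute the matching static into OSPF so FGT2 learns a return route.
config router ospf
    config redistribute "static"
        set status enable
        set routemap "static-to-ospf"
    end
end

# Check on FGT2 that the /26 now shows up as an external OSPF route:
#   get router info routing-table ospf
# If an SSL client still cannot reach site 2, follow one flow end to end:
#   diagnose debug flow filter addr 10.1.99.200
#   diagnose debug flow trace start 10
#   diagnose debug enable
```

The same redistribution is needed on FGT2 for its own SSL VPN pool so that clients connected to either site can reach the other.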

emnoc
Esteemed Contributor III

The diag debug flow is your best friend.

PCNSE 

NSE 

StrongSwan  
veechee
New Contributor

Getting back to this...

Leaving SSLVPN issues aside, the OSPF has been working well interoffice as all three WAN lines at the remote office are kept up all the time and transfer some data, which I like.

What bothers me, though, is if WAN1 goes down (rare, since it is the connection with an SLA and moves most of the traffic), I lose all three connections.  OSPF doesn't seem to fail over the routing traffic from the WAN1 interface, so all traffic stops.  What do I need to do in order to have WAN2 or WAN3 become an alternate line to move the routing information?
