I would like to connect directly from the SSL-VPN segment to the spokes segment.
This is network layout.
[PC]--<Internet SSLVPN>----[FGT60E@HUB]----<IPsecVPN>----[FGT60E@SPOKE1]----[LAN@SPOKE1]
|
|
|
----<IPsecVPN>----[FGT60E@SPOKE2]----[LAN@SPOKE2]
・Connection 1 below will be connected.
1-1.Connect to SSL-VPN via the Internet(IP address assignment by DHCP)
1-2.RDP connection from SSL-VPN segment to [FGT60E@HUB-LAN] segment's PC
1-3.Connection from that PC to [LAN@SPOKE1] segment's PC
・Connection 2 below will be not connected.
1-1.Connect to SSL-VPN via the Internet(IP address assignment by DHCP)
1-2.RDP connection from SSL-VPN segment to [LAN@SPOKE1] segment's PC
I want to implement Connection 2.
In addition to the LAN interface, [FGT60E@HUB] also has a DMZ interface.
When I ran TRACEROUTE at Conneciton2, the next hop reached the DMZ interface, resulting in an error.
I'm wondering if I need to add more routing or change the priority.
There is no problem <IPSecVPN>.
config [FGT60E@HUB] is as follows.
config system interface
edit "wan1"
set mode pppoe
set role wan
next
edit "dmz"
set ip 192.168.1.254 255.255.255.0
next
edit "internal"
set ip 172.16.1.254 255.255.255.0
next
config firewall policy
edit 1
set srcintf "ssl.root"
set dstintf "spoke1"
set srcaddr "all"
set dstaddr "LAN@SPOKE1"
set action accept
set schedule "always"
set service "ALL"
set groups "SSL-VPN-GRP"
set nat enable
next
edit 2
set srcintf "ssl.root"
set dstintf "spoke2"
set srcaddr "all"
set dstaddr "LAN@SPOKE2"
set action accept
set schedule "always"
set service "ALL"
set groups "SSL-VPN-GRP"
set nat enable
next
config router static
edit 1
set dst [IP address]
set device "spoke1"
next
edit 2
set dst [IP address]
set device "spoke2"
next
Regards
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey squid-c,
this is maybe a stupid question, but:
- you have policies from SSLVPN to spoke1 IPSec, and spoke2 IPSec, correct?
- those policies have NAT enabled?
-> the interfaces "spoke1" and "spoke2" are IPSec tunnel interfaces, I assume?
-> do the tunnel interfaces even have IPs set?
- usually, I see setup to allow traffic from SSLVPN to IPSec VPN as follows:
-> have routing and policies in place, and NO NAT
-> add the SSLVPN client IP range (set in SSLVPN settings and/or individual portals) to local P2 selectors in IPSec VPN
-> ensure the remote site has a route back for that subnet, allows the SSLVPN subnet, and has it added to P2 selectors
As an easier alternative (to integrate into existing IPSec setups), when you enable NAT in the policies simply ensure the traffic from SSLVPN has a source NAT to an IP that matches to existing P2 selectors (like NAT to an IP in the local LAN range).
IF the issue is with NAT as I suspect, either of the two options (NAT to something aside from interface IP, or disable NAT and route the sslvpn range) should resolve it,
Hey squid-c,
this is maybe a stupid question, but:
- you have policies from SSLVPN to spoke1 IPSec, and spoke2 IPSec, correct?
- those policies have NAT enabled?
-> the interfaces "spoke1" and "spoke2" are IPSec tunnel interfaces, I assume?
-> do the tunnel interfaces even have IPs set?
- usually, I see setup to allow traffic from SSLVPN to IPSec VPN as follows:
-> have routing and policies in place, and NO NAT
-> add the SSLVPN client IP range (set in SSLVPN settings and/or individual portals) to local P2 selectors in IPSec VPN
-> ensure the remote site has a route back for that subnet, allows the SSLVPN subnet, and has it added to P2 selectors
As an easier alternative (to integrate into existing IPSec setups), when you enable NAT in the policies simply ensure the traffic from SSLVPN has a source NAT to an IP that matches to existing P2 selectors (like NAT to an IP in the local LAN range).
IF the issue is with NAT as I suspect, either of the two options (NAT to something aside from interface IP, or disable NAT and route the sslvpn range) should resolve it,
Sorry for the late reply.
This is solved. (I made sure his advice was set up properly.)
>In addition to the LAN interface, [FGT60E@HUB] also has a DMZ interface.
The cause was that the DMZ interface's type was 「physical」 interface.
Resolve it by changing the type to 「switch」 interface.
I think there is something wrong with the physical interface, but I don't really understand the cause.
It's resolved for now, but I'm still wondering.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.