Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
D-hg
New Contributor III

Created on ‎03-03-2023 11:32 PM

Forticlient Remote Access toward another IPSec tunnel location

Hello,

 

I have 2 sites with fortigates connected by IPsec, both can reach each other.

I wanted to know if there is a possibility to be connected with Forticlient at the site A, and be able to reach site B ?

I tried to do a Firewall policy from the Site A tunnel IPSec FortiClient to the Tunnel towards the site B, but it's not working, maybe it's not possible and I'm totally wrong.

 

Many thanks for your help !

 

Labels:
1043
0 Kudos
1 Solution
D-hg
New Contributor III

Created on ‎03-07-2023 08:20 AM

I resolved the issue ! In the site B, Adding the SSL VPN Range ip in the firewall policy coming from the ipsec tunnel (source), the route as said by Julien and I forgot to add the phase 2 selectors in the site B also ! Many thanks for your help

View solution in original post

982
5 REPLIES 5
Julien87
Contributor II

Created on ‎03-04-2023 01:26 AM

Hi,

 

Yes it's possible, you can check this link.

https://community.fortinet.com/t5/FortiGate/Technical-Note-U-turn-traffic-from-SSL-VPN-to-IPsec-Site... 

 

best regards,

Julien
Julien
1031
0 Kudos
D-hg
New Contributor III

Created on ‎03-04-2023 03:12 PM

Many thanks for your help Julien,

 

The last sentences of the KB said :

 

Ensure NAT is disabled and Route for the remote subnet is present.

***On the peer side ensure the route for the SSL-VPN subnet is configured.

 

I'm not sure about what they want me to do it, is it a route of firewall policy that they ask me to do ?

1017
0 Kudos
Julien87
Contributor II
In response to D-hg

Created on ‎03-05-2023 09:28 AM

Hi,

 

On side remote, you need toadd a route for the SSL IP by the Tunnel (for return path).

And on each policy rules, you cannot enabled NAT, it's better. (the tunnel interface have not ip address configured by default)

 

Best regards,

Julien
Julien
1012
0 Kudos
D-hg
New Contributor III

Created on ‎03-06-2023 12:58 PM

Hello Julien,

 

Many thanks for your help, but for the moment it's still not working, I would like to know what I'm doing wrong..

Site A : Adding the remote network of the Ipsec tunnel destination

Dhg_1-1678135848253.jpeg

 

Site A :

Adding the 2nd Phase 2 selectors with the SSL subnet in local y remote subnet of IPsec Tunnel in Remote

Dhg_2-1678135962322.png

 

Site A:
Creating  the firewall policy From SSL tunnel to IPsec tunnel toward the remote site without NAT.

Dhg_3-1678136048631.png

 

Site A:

 

The route to go toward the IPsec tunnel of the remote subnet.

 

Dhg_4-1678136129720.jpeg

 

 

Site B :

 

Route destination toward the SSL subnet from Site A, with IPsec tunnel interface:

Dhg_5-1678136187904.jpeg

If you are seen something strange in my configuration, please let me know !

 

Merci beaucoup.

998
0 Kudos
D-hg
New Contributor III

Created on ‎03-07-2023 08:20 AM

I resolved the issue ! In the site B, Adding the SSL VPN Range ip in the firewall policy coming from the ipsec tunnel (source), the route as said by Julien and I forgot to add the phase 2 selectors in the site B also ! Many thanks for your help

983
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.