Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
D-hg
New Contributor III

Forticlient Remote Access toward another IPSec tunnel location

Hello,

 

I have 2 sites with fortigates connected by IPsec, both can reach each other.

I wanted to know if there is a possibility to be connected with Forticlient at the site A, and be able to reach site B ?

I tried to do a Firewall policy from the Site A tunnel IPSec FortiClient to the Tunnel towards the site B, but it's not working, maybe it's not possible and I'm totally wrong.

 

Many thanks for your help !

 

1 Solution
D-hg
New Contributor III

I resolved the issue ! In the site B, Adding the SSL VPN Range ip in the firewall policy coming from the ipsec tunnel (source), the route as said by Julien and I forgot to add the phase 2 selectors in the site B also ! Many thanks for your help

View solution in original post

5 REPLIES 5
Julien87
Contributor II

Hi,

 

Yes it's possible, you can check this link.

https://community.fortinet.com/t5/FortiGate/Technical-Note-U-turn-traffic-from-SSL-VPN-to-IPsec-Site... 

 

best regards,

Julien
Julien
D-hg
New Contributor III

Many thanks for your help Julien,

 

The last sentences of the KB said :

 

Ensure NAT is disabled and Route for the remote subnet is present.

***On the peer side ensure the route for the SSL-VPN subnet is configured.

 

I'm not sure about what they want me to do it, is it a route of firewall policy that they ask me to do ?

Julien87
Contributor II

Hi,

 

On side remote, you need toadd a route for the SSL IP by the Tunnel (for return path).

And on each policy rules, you cannot enabled NAT, it's better. (the tunnel interface have not ip address configured by default)

 

Best regards,

Julien
Julien
D-hg
New Contributor III

Hello Julien,

 

Many thanks for your help, but for the moment it's still not working, I would like to know what I'm doing wrong..

Site A : Adding the remote network of the Ipsec tunnel destination

Dhg_1-1678135848253.jpeg

 

Site A :

Adding the 2nd Phase 2 selectors with the SSL subnet in local y remote subnet of IPsec Tunnel in Remote

Dhg_2-1678135962322.png

 

Site A:
Creating  the firewall policy From SSL tunnel to IPsec tunnel toward the remote site without NAT.

Dhg_3-1678136048631.png

 

Site A:

 

The route to go toward the IPsec tunnel of the remote subnet.

 

Dhg_4-1678136129720.jpeg

 

 

Site B :

 

Route destination toward the SSL subnet from Site A, with IPsec tunnel interface:

Dhg_5-1678136187904.jpeg

If you are seen something strange in my configuration, please let me know !

 

Merci beaucoup.

D-hg
New Contributor III

I resolved the issue ! In the site B, Adding the SSL VPN Range ip in the firewall policy coming from the ipsec tunnel (source), the route as said by Julien and I forgot to add the phase 2 selectors in the site B also ! Many thanks for your help

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors