Fortigate as SSL VPN Client - Reverse Path routing possible?
I have setup a FortiGate 40F as a SSL VPN Client behind a StarLink CGNAT connection to a FortiGate 40F on a normal public IP connection, because StarLink is problematic with IPSEC VPN and I wasn't able to get dialup NAT-T to work...
[FG 40F - Site1 - Public IP]
WAN: 22.214.171.124
FortiGate IP: 192.168.12.1
Local LAN Subnet: 192.168.12.0/24
SSL VPN Server, SSL VPN IP Pool: 10.212.134.200 - 10.212.134.210
No VPN static routes
Firewall Policy (ssl.root) to (lan) allowed and (lan) to (ssl.root) allowed

[FG 40F - Site2 - CGNAT]
WAN: CGNAT Restricted
FortiGate IP: 172.20.0.1
Local LAN Subnet: 172.20.0.0/16
SSL VPN Client connected to Site 2 - assigned SSL VPN IP 10.212.134.200
No static routes for VPN or Firewall Policies
I can successfully ping 192.168.12.0/24 from Site2 with no issues and access any resources - as expected as a VPN Client of Site1...
BUT I can't ping anything from Site1 to Site2 e.g. the assigned IP 10.212.134.200 or 172.20.0.1 despite trying several combinations of firewall policies...
Has anyone tried to do reverse path routing with a dialup SSL VPN?? Is this possible?
Just an update - TAC replied and it turns out that this is not supported, the traffic is one way only, quote:
"As per checking, this is the expected behavior of FortiGate as SSL VPN Client. Only traffic sourcing on the FortiGate client will be allowed since the dynamic routes are only being added to the FortiGate client. This behavior is normal for remote users connected via SSL VPN."
I think it's because the SSL VPN client Fortigate gets one single IP from the server, just like any other SSL VPN client device, and everything behind it is NATed with that IP. So anything behind the server FortiGate wouldn't be able to see the local subnets on the client side.
I'm wondering what would happen if a unicast routing protocol like BGP is set up between the server and the client IP (the server has to assign a specific IP to that particular client, which might not be possible with SSL VPN server config), then advertise the client side subnets to the server side.
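The routing asymmetry described in the question, the TAC reply and the NAT explanation above can be modelled in a few lines. The following is an added illustration, not FortiOS code or output: it uses the addresses from the question, assumes a /32 route to the client's tunnel IP via ssl.root on the server, assumes the client's tunnel interface is called "sslvpn", and models the client side to match the TAC statement that only client-originated sessions are passed.

```python
import ipaddress

# Added model of the routing asymmetry described in this thread. It is not FortiOS
# code or output; addresses are the ones given in the question, and the tunnel-side
# behaviour is written to match the TAC statement that only client-originated
# sessions are passed. The client's tunnel interface name "sslvpn" is assumed.

CLIENT_TUNNEL_IP = "10.212.134.200"

# Site 1 (SSL VPN server). A /32 route to the connected client's tunnel IP via
# ssl.root is assumed; there is no route of any kind for 172.20.0.0/16.
SITE1_ROUTES = {
    "192.168.12.0/24": "lan",
    CLIENT_TUNNEL_IP + "/32": "ssl.root",
    "0.0.0.0/0": "wan",
}
SITE1_POLICIES = {("ssl.root", "lan"), ("lan", "ssl.root")}  # as stated in the question

# Site 2 (SSL VPN client). The only tunnel route is the dynamic one to the server LAN.
SITE2_ROUTES = {
    "172.20.0.0/16": "lan",
    "192.168.12.0/24": "sslvpn",
    "0.0.0.0/0": "wan",
}


def lookup(routes, dst):
    """Longest-prefix match: egress interface for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def site2_to_site1(src, dst, sessions):
    """Client LAN host -> server LAN host, including the reply. Returns (ok, reason)."""
    if lookup(SITE2_ROUTES, dst) != "sslvpn":
        return False, "client has no tunnel route to destination"
    # The client SNATs every LAN source to its single assigned tunnel IP and
    # records the session so the reply can be un-NATed.
    sessions.add((CLIENT_TUNNEL_IP, dst))
    egress = lookup(SITE1_ROUTES, dst)
    if ("ssl.root", egress) not in SITE1_POLICIES:
        return False, f"server policy ssl.root->{egress} missing"
    # Reply: the server LAN host answers the tunnel IP, routed back via ssl.root.
    back = lookup(SITE1_ROUTES, CLIENT_TUNNEL_IP)
    if (egress, back) not in SITE1_POLICIES:
        return False, f"server policy {egress}->{back} missing"
    if (CLIENT_TUNNEL_IP, dst) not in sessions:
        return False, "client has no session to un-NAT the reply"
    return True, f"reply un-NATed to {src}"


def site1_to_site2(src, dst, sessions):
    """Server LAN host -> client side (tunnel IP or client LAN). Returns (ok, reason)."""
    out = lookup(SITE1_ROUTES, dst)
    if out != "ssl.root":
        return False, f"server routes {dst} via {out}, not the tunnel"
    if ("lan", "ssl.root") not in SITE1_POLICIES:
        return False, "server policy lan->ssl.root missing"
    # The packet reaches the client's tunnel IP, but the client only accepts
    # traffic belonging to a session it originated (per TAC).
    if (dst, src) in sessions:
        return True, "matches a client-originated session"
    return False, "unsolicited inbound: client-originated sessions only"


if __name__ == "__main__":
    s = set()
    print(site2_to_site1("172.20.0.50", "192.168.12.10", s))
    print(site1_to_site2("192.168.12.10", "172.20.0.1", s))
    print(site1_to_site2("192.168.12.99", CLIENT_TUNNEL_IP, s))
```

Running it shows the three cases from the thread: client LAN to server LAN succeeds (and its reply is un-NATed), server LAN to 172.20.0.1 leaves via the default route because the server never learns the client subnet, and an unsolicited packet to the tunnel IP is dropped on the client side because no client-originated session matches it. Adding a policy on either side does not change the first two outcomes, which is why the policy combinations in the question made no difference.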