Hi,
I have set up a FortiGate 40F as an SSL VPN client behind a StarLink CGNAT connection to a FortiGate 40F on a normal public IP connection, because StarLink is problematic with IPsec VPN and I wasn't able to get dialup NAT-T to work...
[FG 40F - Site1 - Public IP]
WAN: 1.1.1.1
FortiGate IP: 192.168.12.1
Local LAN Subnet: 192.168.12.0/24
SSL VPN Server, SSL IP VPN Pool: 10.212.134.200 - 10.212.134.210
No VPN static routes
Firewall Policy (ssl.root) to (lan) allowed
and (lan) to (ssl.root) allowed
[FG 40F - Site2 - CGNAT]
WAN: CGNAT Restricted
FortiGate IP: 172.20.0.1
Local LAN Subnet: 172.20.0.0/16
SSL VPN Client connected to Site 2 - assigned SSL VPN IP 10.212.134.200
No static routes for VPN or Firewall Policies
I can successfully ping 192.168.12.0/24 from Site2 with no issues and access any resources - as expected as a VPN client of Site1...
BUT I can't ping anything from Site1 to Site2 e.g. the assigned IP 10.212.134.200 or 172.20.0.1 despite trying several combinations of firewall policies...
Has anyone tried to do reverse path routing with a dialup SSL VPN? Is this possible?
Just an update - TAC replied and it turns out that this is not supported, the traffic is one way only, quote:
"As per checking, this is the expected behavior of FortiGate as SSL VPN Client. Only traffic sourcing on the FortiGate client will be allowed since the dynamic routes are only being added to the FortiGate client. This behavior is normal for remote users connected via SSL VPN."
I think it's because the SSL VPN client FortiGate gets one single IP from the server, just like any other SSL VPN client device, and everything behind it is NATed with that IP. So anything behind the server FortiGate wouldn't be able to see the local subnets on the client side.
I'm wondering what would happen if a unicast routing protocol like BGP is set up between the server and the client IP (the server has to assign a specific IP to that particular client, which might not be possible with SSL VPN server config), then advertise the client side subnets to the server side.
Likely a new feature request though.
Toshi