Support Forum
whatfirewall
New Contributor

Fortigate as SSL VPN Client - Reverse Path routing possible?

Hi,

I have set up a FortiGate 40F as an SSL VPN Client behind a StarLink CGNAT connection to a FortiGate 40F on a normal public IP connection, because StarLink is problematic with IPSEC VPN and I wasn't able to get dialup NAT-T to work...

[FG 40F - Site1 - Public IP]
WAN: 1.1.1.1
FortiGate IP: 192.168.12.1
Local LAN Subnet: 192.168.12.0/24
SSL VPN Server, SSL IP VPN Pool: 10.212.134.200 - 10.212.134.210
No VPN static routes

Firewall Policy (ssl.root) to (lan) allowed
and (lan) to (ssl.root) allowed

[FG 40F - Site2 - CGNAT]
WAN: CGNAT Restricted
FortiGate IP: 172.20.0.1
Local LAN Subnet: 172.20.0.0/16
SSL VPN Client connected to Site 2 - assigned SSL VPN IP 10.212.134.200
No static routes for VPN or Firewall Policies

I can successfully ping 192.168.12.0/24 from Site2 with no issues and access any resources - as expected as a VPN Client of Site1...

BUT I can't ping anything from Site1 to Site2 e.g. the assigned IP 10.212.134.200 or 172.20.0.1 despite trying several combinations of firewall policies...

Has anyone tried to do reverse path routing with a dialup SSL VPN? Is this possible?

whatfirewall
New Contributor

Just an update: TAC replied and it turns out that this is not supported; the traffic is one way only. Quote:

"As per checking, this is the expected behavior of FortiGate as SSL VPN Client. Only traffic sourcing on the FortiGate client will be allowed since the dynamic routes are only being added to the FortiGate client. This behavior is normal for remote users connected via SSL VPN."

Toshi_Esumi
Esteemed Contributor III

I think it's because the SSL VPN client Fortigate gets one single IP from the server, just like any other SSL VPN client device, and everything behind it is NATed with that IP. So anything behind the server FortiGate wouldn't be able to see the local subnets on the client side.

I'm wondering what would happen if a unicast routing protocol like BGP is set up between the server and the client IP (the server has to assign a specific IP to that particular client, which might not be possible with SSL VPN server config), then advertise the client side subnets to the server side.

Likely a new feature request though.

Toshi
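The TAC answer above (routes only pushed to the client) and Toshi's NAT explanation can both be confirmed from the server-side FortiGate's CLI. The following diagnostic sequence is an added example, not from the thread or from Fortinet's documentation; it assumes the Site1 box from the original post (LAN 192.168.12.0/24, SSL VPN interface ssl.root, client pool IP 10.212.134.200) and that a host on the Site1 LAN is pinging 10.212.134.200 while the trace runs.

```fortios
# Added example, run on the SSL VPN *server* FortiGate (Site1).
# Addresses and interface names are taken from the post; "wan" is assumed
# to be the name of the Site1 internet-facing interface.

# 1. What route does Site1 hold for the client tunnel IP and the client LAN?
#    With no static route and no pushed route, both lookups are expected to
#    match only the default route via the WAN interface, not ssl.root.
get router info routing-table all
get router info routing-table details 10.212.134.200
get router info routing-table details 172.20.0.1

# 2. Confirm the client tunnel is up and which pool IP the client was given.
#    The tunnel endpoint is the only address the server knows for Site2;
#    172.20.0.0/16 never appears here because the client NATs behind it.
get vpn ssl monitor

# 3. Trace the forwarding decision for a LAN host pinging the client IP.
diagnose debug flow filter clear
diagnose debug flow filter addr 10.212.134.200
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... send the ping from a 192.168.12.0/24 host now, then read the trace:
#     the "find a route" line shows the egress interface. An egress via the
#     WAN interface rather than ssl.root is the one-way behaviour TAC describes,
#     and no firewall policy change will alter a route lookup.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 4. Optional cross-check: nothing for that flow should enter the tunnel.
diagnose sniffer packet ssl.root 'host 10.212.134.200' 4 10 l
```

If step 1 ever shows 10.212.134.200 or 172.20.0.0/16 reachable via ssl.root, the route came from an explicit static route or a later firmware change, and step 3 should then be re-read for the policy (not the route) that drops the traffic.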
