Tomek-Banan
New Contributor II

From tunnels to tunnels

Hello,

From the LAN, users connect to Server1.
Policy: From: LAN  To: VPN-IPsec(Company Branch)  Dst: Server1

Remote users connect to the LAN via VPN-SSL.

How do I build a policy so that users can connect to Server1 via VPN-SSL -> LAN -> VPN-IPsec?

(FortiGate80E v6.4.8)

I am trying various solutions, but they do not work.
I am counting on your help.


Thank you


BR
Tomek
naibaho
New Contributor III

1. Is your objective that an SSL VPN remote user can connect to Server1 behind the IPsec VPN located in the company branch?

2. Are your SSL VPN and your IPsec already working individually?

Best regards
Tomek-Banan
New Contributor II

Ad 1 - The remote user connects to the LAN (to the company) via VPN-SSL; this works. If he works in the company, he accesses Server1 from the LAN via the inter-company IPsec VPN tunnel; this also works.

Now I need to set up the traffic so that the remote user can connect to Server1.

Ad 2 - Yes, they work separately.


BR
Tomek
Debbie_FTNT

Hey Tomek,

You should be able to create a policy from the SSL VPN tunnel directly to the IPsec tunnel to allow the VPN users access to Server1.

You would need the following in place:
- routing to/from SSL VPN and Server1 (Server1 has a route to the SSL VPN range, the SSL VPN side has a route to Server1)
- the SSL VPN tunnel IPs added to the phase2 selectors in IPsec
- policies to allow traffic in both directions

You can check this forum thread on a similar SSLVPN to IPSec site-to-site setup:

https://community.fortinet.com/t5/Fortinet-Forum/SSLVPN-traffic-over-IPsec-tunnel/m-p/205265

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
naibaho
New Contributor III

1. Include the SSL VPN remote user IP address range (the one given by the FortiGate) in the IPsec phase2 selector on both sides.

2. Create the policy (both directions if needed):

src interface: SSL VPN interface
dst interface: IPsec interface
src addr: SSL VPN remote user IP address
src user: SSL VPN username/user group
dst addr: IPsec remote network (Company Branch network)
action: accept

Best regards
Tomek-Banan
New Contributor II

I still have questions:

1) Do I need to create an entry in Static Routes? If so, which one?

2) Do I also have to add the address entry in phase 2 of the IPsec VPN configuration on the FG on the other side?

BR
Tomek
naibaho
New Contributor III

Ad 1. You should add a static route on the other-side FG: a static route to the SSL VPN remote IP range.

Ad 2. The IP address of the SSL VPN remote user? Yes, you have to add it to the IPsec phase2 selector on both sides.

Best regards
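A FortiOS CLI sketch of the three pieces described in the replies above (the extra phase2 selector on both sides, the ssl.root -> IPsec policy, and the static route on the branch FortiGate). This is an added illustration, not configuration from the thread; the interface names "Branch"/"HQ", the SSL VPN pool object, the Server1 address and the user group are assumed placeholders.

```text
# --- HQ FortiGate (where the SSL VPN terminates) ---
# Assumed names (not from the thread): phase1/interface "Branch", SSL VPN pool
# object "SSLVPN_TUNNEL_ADDR1" (FortiOS default, 10.212.134.200-.210), address
# object "Server1" = 192.168.20.10, user group "SSLVPN-Users".
# 1. Extra phase2 selector: SSL VPN pool <-> Server1 (keep the existing LAN one)
config vpn ipsec phase2-interface
    edit "Branch-p2-sslvpn"
        set phase1name "Branch"
        set src-addr-type subnet
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.20.10 255.255.255.255
    next
end
# 2. Policy SSL VPN -> IPsec; SSL VPN policies must carry a user or group
config firewall policy
    edit 0
        set name "SSLVPN-to-Server1"
        set srcintf "ssl.root"
        set dstintf "Branch"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Server1"
        set groups "SSLVPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Routing on this side is already there: Server1 is reached via "Branch"
# (LAN users work) and each connected client gets a /32 route on ssl.root.
# --- Branch FortiGate (Server1 side) ---
# 3. Mirror the selector and route the SSL VPN pool back into the tunnel
config vpn ipsec phase2-interface
    edit "HQ-p2-sslvpn"
        set phase1name "HQ"
        set src-addr-type subnet
        set src-subnet 192.168.20.10 255.255.255.255
        set dst-addr-type subnet
        set dst-subnet 10.212.134.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "HQ"
    next
end
# 4. Branch policy: srcintf "HQ" -> dstintf LAN, srcaddr pool, dstaddr Server1.
# Check: diagnose vpn tunnel list name Branch ; get router info routing-table all
```

Keep the SSL VPN pool out of any source NAT on the ssl.root -> Branch policy, otherwise the branch side sees the HQ LAN address and the extra selector never matches.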
Tomek-Banan
New Contributor II

Hi All,

I will check your solutions and let you know.
Thank you.

BR
Tomek