Hello,
From the LAN, users connect to Server1
Policy: From: LAN, To: VPN-IPsec (Company Branch), Dst: Server1
Remote users connect to the LAN via VPN-SSL
How do I build a policy so that users can connect to Server1 via VPN-SSL -> LAN -> VPN-IPsec?
(FortiGate80E v6.4.8)
I am trying various solutions, but they do not work.
I am counting on your help.
Thank you
1. Is your objective that an SSL VPN remote user can connect to Server1 behind the IPsec VPN located in the company branch?
2. Are your SSL VPN and your IPsec already working individually?
Ad1 - The remote user connects to the LAN (to the company) via VPN-SSL - this works. If he works in the company, he accesses Server1 from the LAN via a VPN IPsec inter-company tunnel - this also works.
Now I need to set up the traffic so that the remote user can connect to Server1.
Ad 2 - Yes, they work separately.
Hey Tomek,
You should be able to do a policy from the SSLVPN tunnel to the IPSec tunnel directly to allow the VPN users access to server1.
You would need the following in place:
- routing to/from SSLVPN and server1 (server1 has a route to SSLVPN, SSLVPN has a route to server1)
- add SSLVPN tunnel IPs to phase2 selectors in IPSec
- policies to allow traffic in both directions
You can check this forum thread on a similar SSLVPN to IPSec site-to-site setup:
https://community.fortinet.com/t5/Fortinet-Forum/SSLVPN-traffic-over-IPsec-tunnel/m-p/205265
1. Include the SSL VPN remote user IP address (the one given by the FortiGate) in the IPsec phase2 selector on both sides.
2. Create the policy (both directions if needed):
src interface: sslvpn interface
dst interface: ipsec interface
src addr: sslvpn remote user ip address
src user: sslvpn username/user group
dst addr: ipsec remote network (Company Branch network)
action: accept
I still have questions:
1) Do I need to create an entry in Static Routes? If so, which one?
2) Do I have to add the address entry in phase 2 of the VPN IPsec configuration also on the FG on the other side?
Ad1. You should add a static route on the other side FG: a static route to the SSL VPN remote IP range.
Ad2. The IP address of the SSL VPN remote user? Yes, you have to add it to the IPsec phase2 selector on both sides.
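The steps from the two replies above (phase2 selector on both sides, the SSL VPN -> IPsec policy, and the static route on the far FortiGate), written out as FortiOS CLI. This is an added illustration, not config from the thread; all names and addresses are assumed: the SSL VPN pool is 10.212.134.0/24 and the branch LAN is 192.168.20.0/24, both already defined as address objects SSLVPN_POOL and BRANCH_NET on both FortiGates, the tunnel interfaces are "to-branch" (HQ side) and "to-hq" (branch side), and the SSL VPN user group is "sslvpn-users".

```fortios
# HQ FortiGate: terminates SSL VPN (ssl.root) and the IPsec tunnel "to-branch"
# Extra phase2 selector: SSL VPN pool <-> branch LAN (keep the existing LAN <-> branch one)
config vpn ipsec phase2-interface
    edit "to-branch-sslvpn"
        set phase1name "to-branch"
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
# Policy SSL VPN -> IPsec, limited to the VPN pool and the SSL VPN user group (no NAT)
config firewall policy
    edit 0
        set name "sslvpn-to-branch"
        set srcintf "ssl.root"
        set dstintf "to-branch"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "BRANCH_NET"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Branch FortiGate: mirrored selector, route for the pool back into the tunnel, return policy
config vpn ipsec phase2-interface
    edit "to-hq-sslvpn"
        set phase1name "to-hq"
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 10.212.134.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "to-hq"
    next
end
config firewall policy
    edit 0
        set name "hq-sslvpn-to-lan"
        set srcintf "to-hq"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "BRANCH_NET"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Keeping the source address on the HQ policy to the SSL VPN pool (rather than "all") means only traffic from authenticated SSL VPN users is allowed into the branch tunnel; the branch-side route is needed because the pool is not part of the HQ LAN the branch already knows about.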
Hi All,
I will check your solutions and let you know.
Thank you