Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BusinessUser
Contributor

How Do you create an ssl interface?

Let me explain.

Users SSL VPN into firewall A.

Firewall A send the traffic to firewall B via a site to site vpn.

So I have to configure an SSL VPN interface on firewall B to accept the traffic from A.

How do I do it?

1 Solution
funkylicious
SuperUser
SuperUser

Hi,

No, there's no need to create a SSL interface.

On firewall A you need : srcintf ( ssl interface ) dstintf ( ipsec tunnel ) srcaddr ( vpn group / vpn pool ) dstaddr ( subnet on firewall B )

On firewall B you beed : srcintf ( ipsec tunnel ) dstintf ( interface for the local subnet to be reached by the users ) srcaddr ( sslvpn pool ) dstaddr ( local subnet ) 

"jack of all trades, master of none"

View solution in original post

"jack of all trades, master of none"
4 REPLIES 4
AEK
SuperUser
SuperUser

AEK
funkylicious
SuperUser
SuperUser

Hi,

No, there's no need to create a SSL interface.

On firewall A you need : srcintf ( ssl interface ) dstintf ( ipsec tunnel ) srcaddr ( vpn group / vpn pool ) dstaddr ( subnet on firewall B )

On firewall B you beed : srcintf ( ipsec tunnel ) dstintf ( interface for the local subnet to be reached by the users ) srcaddr ( sslvpn pool ) dstaddr ( local subnet ) 

"jack of all trades, master of none"
"jack of all trades, master of none"
hbac
Staff
Staff

Hi @BusinessUser,

 

On both firewalls, you need to add SSLVPN subnet to phase2 selectors of the IPsec tunnel and also add it to the firewall policy accordingly. Please refer to the document shared by AEK. 

 

Regards, 

mle2802
Staff
Staff

Hi @BusinessUser,

Make sure you add the SSL VPN subnet to P2 and have policy as well as routing accordingly. You can use the following command for troubleshooting also:

diag debug reset
diag debug flow filter addr x.x.x.x (SSL VPN IP)
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors