I am running FortiGate in AWS. I have users who will be using SSL VPN (no natting).
I have many hosts I need to reach over SSL-VPN in AWS that are accessed via a TransitGateway. The TransitGateway has the route of 10.0.0.0/8. However, when I am trying to access some of the servers the packets are not making it back to the FortiGate Firewall.
Does anyone know if I should create a route for the TransitGateway propagating the SSL-VPN pool IPs?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
First you need to find where the route is missing then add it at the right place (at Transit Gateway level or at clients level).
I guess your SSLVPN range is 10.x.x.x. You said Transit Gateway has the route of 10.0.0.0/8, but through which interface? Towards the interface connected to FortiGate or to the clients? in case to the clients then you probably need to add a route to SSLVPN subnet through the interface connected FortiGate.
My question was not how to create the route tables. That I know how to do. The question is should I need to create it?
First you need to find where the route is missing then add it at the right place (at Transit Gateway level or at clients level).
I guess your SSLVPN range is 10.x.x.x. You said Transit Gateway has the route of 10.0.0.0/8, but through which interface? Towards the interface connected to FortiGate or to the clients? in case to the clients then you probably need to add a route to SSLVPN subnet through the interface connected FortiGate.
Let me see if I got it. VIA tcpdump I can prove I am hitting the end points. But I am not seeing the traffic make it back to the SSL VPN connection. So what you are saying is I need a route on the Fortigate pointing the traffic from the endpoints back to the SSL-VPN (I am guessing ssl.root since thats the interface).
Does that sound about right?
No you don't need a route on FortiGate since SSL VPN client's packets are reaching the AWS hosts.
You may need route on clients or on Transit Gateway.
What I have is an AWS Organization which is composed of many accounts in AWS connected together. Sadly, if you open a ticket with AWS support they are only able to look at the account the ticket was opened in. My original ticket was opened in the account where the Transit Gateways exist. But the FortiGates are in a different account. Support asked me to open a ticket in the account where the FortiGates exist too so they could see both sides of the Transit Gateway.
Initially I created a route on the Transit Gateway telling it that the route for my VPN Clients could be found on Transit Gateway attachment XYZ. So that took the packets to the correct VPC but then it was lost. Support then had me add a route for the VPN Clients in the VPC pointing to the ENI of the Fortigate.
After creating this everything worked.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.