
How to access remote resource via IPsec Site-to-Site for SSL VPN user



We have set up a Site-to-Site VPN tunnel between 2 FortiGates, and the IPsec VPN tunnel works very well.


We also have an SSL VPN on the FortiGate A and FortiGate B.


This is restrictive for users who telecommute: they must use one of the 2 SSL connections to access the resources of FortiGate A or FortiGate B.


Ideally, from the FortiGate A SSL VPN connection, we will want to include access to FortiGate B resources.


I have followed the procedure, but it's not working (pings don't respond, same for traceroutes even if it gets logs):


Thank you in advance for your help.


I can post the network topology if needed, even if it will strongly resemble the one in the procedure.


Hello David,


The simplest way to implement this would be to use a SNAT address from the IPSec tunnel local phase2 selectors, as this already works for you. If you would like a different solution, let me know so we can discuss it.




Aleksandar Nikolov

Hello Anikolov,


Thanks for your feedback, I tried with the SNAT address method but it didn't work.

What other solutions could I try?




Without SNAT, you need to make sure that the 2 SSLVPNs are using different subnets for clients. Then you can add the SSLVPN subnet into IPsec as a source selector with the correct destination selectors. If you are using wildcard selectors, you just need to make sure that on FortiGate B you have a correct route for the SSLVPN subnet from FortiGate A via the tunnel (to avoid RPF). And then a firewall policy on FortiGate A from ssl.root towards the IPsec tunnel is needed. If you did this (or with SNAT) and it is not working, run debug flows on both devices and check where the traffic stops.

