Hello everyone,
This is my first post on this forum. I hope I can come to contribute, but right now I need your help.
I have an IPSEC tunnel configured between two fortigates (61F and 40F). The tunnel is up with both phases (1 and 2) up. The ftg 61F has the ip 10.2.10.254/24 on the lan interface and the ftg 40F has the ip 10.1.10.254/24 on the lan interface. I can ping from one fortigate to another just by indicating the ping-options source ip. On ftg 61F I have an SSL VPN configured and I can access ftg 61F (10.2.10.254) via http, but I can't access the fortigate 40F via http. Any suggestion?
Hey silvajo,
welcome to the Forums :).
Regarding accessing your FGT40F from SSLVPN, the connection goes something like this, correct?
client -> sslvpn tunnel -> 61F -> IPSec -> 40F
Check the following:
1. you have a policy from ssl.root to IPSec on the 61F (with destination the 40F IP)
->I would strongly suggest to enable NAT here, and NAT to an IP in the 10.2.10.254/24 range; this might require creation of an IP pool
-> that way, the SSLVPN tunnel IP is NATed to a LAN IP on the 61F and can enter IPSec without changes to P2 Selectors in the IPSec tunnel
2. If you don't want to NAT the traffic on 61F, do the following:
-> add SSLVPN tunnel range to the P2 Selectors
-> on the 40F, ensure there is a route back for the SSLVPN tunnel range through IPSec tunnel
Additionally, if your SSLVPN setup is with split-tunneling enabled, ensure that the 40F IP is added as a destination in the split-tunneling setup
And lastly - I would recommend admin access via https, not http :)
I hope this gives you a place to start.
Cheers!
Hello Debbie,
Many thanks for the reply. I've already set up the policy with the given indications, but even so, I can't get to the branch's fortigate (40F). Please see attached images.
Any suggestion?
Best wishes for a great Christmas :)
I forgot to mention.... my tunnel FILIAL->SEDE is BRANCH (61F) -> HEADQUARTERS (40F).
And I do not have traffic in the tunnel...
You're using the same subnet range with Sede side for NAT outside IPs for the SSL VPN access to Sede, which is conflicting. (10.1.10.0/24->10.1.10.0/24)
What Debbie is suggesting is to grab/reserve one IP in Filial's 10.2.10.0/24 and use it for the NAT. So all SSL VPN clients to Sede have 10.2.10.x -> 10.1.10.0/24, which is already included in your IPSec phase2 network selector sets. Unless you need to access back from Sede side to each Filial-connected SSL VPN client, just one NAT IP wouldn't cause a problem.
Toshi
Thank you for clarifying my intended solution, Toshi :)
@silvajo, exactly as Toshi noted, I meant to suggest using an IP from the LAN side of your 40F to go into the tunnel, my apologies if this was unclear
Hi. Thank you very much for your answers and sorry but I'm new to this stuff.
Recap:
Headquarters Network - 10.1.10.0/24
Branch Network - 10.2.10.0/24
On my 61F policy I have this config.
Incoming Interface: SSL-VPN Connection
Outgoing interface: FILIAL_TO_SEDE (tunnel between 61F and 40F)
Your suggestions:
"grab/reserve one IP in Filial's 10.2.10.0/24 and use it for the NAT" or " I meant to suggest using an IP from the LAN side of your 40F to go into the tunnel"
Firewall /Network Options
NAT: Enable
IP POOL: what IP pool should I define here? How can I reserve an IP? Should this IP be from the 61F subnet (10.2.10.0/24) or from the 40F subnet (10.1.10.0/24)?
Created on 12-28-2021 02:33 AM Edited on 12-28-2021 02:35 AM
Hey silvajo,
thanks for the screenshot, very useful :).
For NAT - create an IP pool from the 61F subnet, 10.2.10.0/24 (10.2.10.250-10.2.10.250 for example, just the one IP), and use that pool in the policy.
Regarding reserving an IP - if FortiGate serves as your DHCP server on the lan interface, just set the range to only go up to .249 for example, so that .250 can't be assigned. If you have an external DHCP server, make sure the IP you use for NAT here can't accidentally be given to a DHCP client.
Regarding the policy:
- question: as source you have sslvpn interface (correct) and LAN subnet. I wonder at the LAN subnet here. As source in sslvpn interface, you will usually want whatever IPs you use in the SSLVPN tunnel settings (by default SSLVPN_TUNNEL_ADDR address)
Also - we were under the impression your setup was sslvpn -> 40F -> ipsec -> 61F, not sslvpn -> 61F -> ipsec -> 40F, our apologies. If your 61F is the bridge between sslvpn and IPsec, you will want to set up NAT with a 61F LAN IP.
Cheers!
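The steps Debbie and Toshi describe above (reserve 10.2.10.250 outside the DHCP scope, build a one-address IP pool, write the ssl.root -> FILIAL_TO_SEDE policy with source NAT, and add the HQ LAN to split tunnelling), collected into one FortiOS CLI script for the 61F. This is an added example, not configuration from the thread or from Fortinet. The subnets, tunnel name and NAT address come from the thread; the object names SSLVPN_TO_SEDE_POOL, SEDE_LAN and SSLVPN_to_SEDE, the DHCP server id, the portal name "full-access" and the use of the FortiOS default address object SSLVPN_TUNNEL_ADDR1 are assumptions marked in the comments.

```fortios
# Added example (not from the thread): FortiOS CLI for the setup described above,
# entered on the 61F. Names marked ASSUMED are placeholders; adjust to your box.
# From the thread: branch LAN 10.2.10.0/24 (61F), HQ LAN 10.1.10.0/24 (40F),
# tunnel interface FILIAL_TO_SEDE, NAT address 10.2.10.250, DHCP range ending at .249.

# 1. Keep .250 out of the DHCP scope so no client can ever receive the NAT address.
config system dhcp server
    edit 1                          # ASSUMED: id of the lan DHCP server (check with: show system dhcp server)
        set interface "lan"
        config ip-range
            edit 1                  # overwrites range 1 of that server
                set start-ip 10.2.10.1
                set end-ip 10.2.10.249
            next
        end
    next
end

# 2. One-address IP pool on the branch LAN; overload = all clients share .250 (PAT).
config firewall ippool
    edit "SSLVPN_TO_SEDE_POOL"      # ASSUMED name
        set type overload
        set startip 10.2.10.250
        set endip 10.2.10.250
    next
end

# 3. Address object for the HQ LAN: policy destination and split-tunnel route.
config firewall address
    edit "SEDE_LAN"                 # ASSUMED name
        set subnet 10.1.10.0 255.255.255.0
    next
end

# 4. Policy ssl.root -> IPsec with source NAT to the pool. Source is the SSL VPN
#    tunnel range only (SSLVPN_TUNNEL_ADDR1 is the FortiOS default object; use the
#    object your SSL VPN settings actually reference), not the LAN subnet.
#    Place it above any broader policy: policies match top-down.
config firewall policy
    edit 0                          # 0 = next free policy id
        set name "SSLVPN_to_SEDE"   # ASSUMED name
        set srcintf "ssl.root"
        set dstintf "FILIAL_TO_SEDE"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SEDE_LAN"
        set action accept
        set schedule "always"
        set service "HTTPS" "PING"  # admin over HTTPS as recommended above; add HTTP only if really needed
        set nat enable
        set ippool enable
        set poolname "SSLVPN_TO_SEDE_POOL"
        set logtraffic all          # the 40F only ever sees 10.2.10.250; this log keeps the real client IP
    next
end

# 5. With split tunnelling enabled, the client must route the HQ LAN into the tunnel.
config vpn ssl web portal
    edit "full-access"              # ASSUMED: the portal mapped to your SSL VPN user group
        set split-tunneling enable
        set split-tunneling-routing-address "SEDE_LAN"
    next
end

# Verification from the 61F while an SSL VPN client opens https://10.1.10.254
# diagnose vpn tunnel list name FILIAL_TO_SEDE        -> selectors present, tx/rx counters increasing
# diagnose sniffer packet FILIAL_TO_SEDE 'host 10.1.10.254' 4 10
#   -> source must be 10.2.10.250 (the NATed address), not the SSL VPN client address
# diagnose debug flow filter daddr 10.1.10.254
# diagnose debug flow trace start 10
# diagnose debug enable                               -> shows the matched policy id and the SNAT
# diagnose debug disable                              -> always switch tracing off afterwards
```

Because every SSL VPN client is translated to 10.2.10.250, the 40F cannot distinguish users; the `logtraffic all` line on the 61F policy is what preserves the client-to-session mapping for later review. If the 40F should reach clients directly (as Toshi notes), NAT is the wrong choice and the SSL VPN range must instead be added to the phase 2 selectors on both sides with a matching route on the 40F.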