Hello All,
i am a new Fortigate User.
We have configure on our Fortigate Version 7.07 2 VPN Access.
One over SSL VPN, and one over IPSec.
Additional we have an Tunnel VPN between our Company and an other Company over IPsec.
Now in the past, we have physical access from an other company on a local port. After changing the access from directly, to IPSEC we have a little bit trouble with the access.
Both VPN connection for our employeys (SSL VPN & IPSec) must have access to the additional VPN IPsec Connection from our Company Partner.
They must have access to Webserver. So we have a explicit Proxy for our internal Network, all Traffic is outgoing to a ZScaler Server, only the webadresses from our Partner Company are excepted. Internal, and per SSL VPN all traffic works fine.
But after the changeover from the connected Partner Company, the accesss to the Webserver not possible.
I can see in the traffic log, that the connection from IPsec Netzwork is outgoing over the wrong interface.
The traffic for the exceptions for the webproxy is not working.
SSLVPN works fine
IPsec works internal fine, but the exception from the proxy.pac is not used.
I think i canot a route, the ipsec musst have access to the internel ressources. Only in the webproxy defined expections must route the traffic to the additional neu IPsec .
I hope anyone can help me.
Regards
Stefan
Hello Stefan,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello Stefan,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hi Stefan,
your setup and history sounds complicated. It will help to visualize the setup. Not necessarily for us, but generally. Apart from the explicit proxy it sounds like routing problems. Either the end users/site are missing the routes or the FortiGate is.
On the IPsec tunnel in the phase2 config, do make sure that the FortiGate has its own networks listed, the ones that have to be reachable from the other IPsec endpoint. Routes are there done automatic.
Important: If the networks/subnets are not overlapping(!) you can simply create static routes on the FortiGate to go to the certain interfaces for specific subnets.
Overlapping subnets as some historically grown and merged environments might have, are problematic and should be avoided. Routing is not easy and if the networks grow, maintenance on these is getting harder.
What will help on the CLI is to monitor the traffic and from the client to create traffic - icmp/ping
As such on the CLI you can run
diag sniff packet any 'icmp' 4 0 a
It will show you on which interface traffic is received, what are the addresses (src/dst) and the interface traffic is leaving again (provided you have a fitting firewall policy in place). NAT on the FW policy might be tricky and usually not needed as the traffic in internal networks (tunnels are internal) is considered routable.
Hope this helps for starting.
Best regards,
Markus
Hey Markus,
thank you very much for your answer. Now I think we have found the problem. After I corrected the routing addresses, I could see that our traffic is sent through the correct connection port. But the other side did not allow the traffic from the complete sub net. SSL VPN and IPSec are configured on the same sub net, but the other side only has a part from that sub net in its routing table and allowed policies. So I opened a support ticket and hope that the problem will be solved.
Thanks a lot!
Best regards,
Stefan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.