IPsec VPN issue between incoming and outgoing VPN traffic
I am a new FortiGate user.
We have configured two VPN accesses on our FortiGate, version 7.07: one over SSL VPN and one over IPsec.
Additionally, we have a tunnel VPN between our company and another company over IPsec.
In the past, the other company had physical access on a local port. After changing the access from direct to IPsec, we have a little bit of trouble with the access.
Both VPN connections for our employees (SSL VPN and IPsec) must have access to the additional IPsec VPN connection from our company partner.
They must have access to a web server. We have an explicit proxy for our internal network; all traffic goes out to a Zscaler server, only the web addresses of our partner company are excepted. Internally, and per SSL VPN, all traffic works fine.
But after the changeover from the connected partner company, access to the web server is not possible. I can see in the traffic log that the connection from the IPsec network is going out over the wrong interface.
The traffic for the exceptions of the web proxy is not working.
SSL VPN works fine, IPsec works fine internally, but the exception from the proxy.pac is not used.
I think I cannot set a route; the IPsec must have access to the internal resources. Only the exceptions defined in the web proxy must route the traffic to the additional new IPsec.
Your setup and history sound complicated. It will help to visualize the setup, not necessarily for us, but generally. Apart from the explicit proxy, it sounds like routing problems: either the end users/site are missing the routes, or the FortiGate is.
On the IPsec tunnel, in the phase 2 config, make sure that the FortiGate has its own networks listed, the ones that have to be reachable from the other IPsec endpoint. Routes are then created automatically.
Important: if the networks/subnets are not overlapping(!), you can simply create static routes on the FortiGate to the respective interfaces for specific subnets.
Overlapping subnets, as some historically grown and merged environments might have, are problematic and should be avoided. Routing is not easy, and as the networks grow, maintaining these gets harder.
What will help on the CLI is to monitor the traffic and, from the client, to create traffic (ICMP/ping).
As such, on the CLI you can run
diag sniff packet any 'icmp' 4 0 a
It will show you on which interface traffic is received, what the addresses (src/dst) are, and the interface the traffic is leaving again (provided you have a fitting firewall policy in place). NAT on the FW policy might be tricky and is usually not needed, as the traffic in internal networks (tunnels are internal) is considered routable.
Thank you very much for your answer. Now I think we have found the problem. After I corrected the routing addresses, I could see that our traffic is sent through the correct connection port. But the other side did not allow the traffic from the complete subnet. SSL VPN and IPsec are configured on the same subnet, but the other side only has a part of that subnet in its routing table and allowed policies. So I opened a support ticket and hope that the problem will be solved.
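An added example, not code from the thread, from Fortinet or from FortiOS, that models the two checks the answer and the last reply describe: a longest-prefix route lookup showing which interface a packet to the partner web server leaves on before and after a static route to the tunnel interface, an overlap check over the routed prefixes (the case the answer warns about), and a check of how much of the shared VPN client pool the partner's phase 2 selectors actually cover (the gap the last reply found). All prefixes, interface names and the client pool are constructed assumptions and not values from the thread.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str]  # (destination prefix, egress interface)

# Constructed sample topology; every prefix and interface name below is a
# hypothetical assumption for the example, not a value from the thread.
LAN = ipaddress.ip_network("10.10.0.0/16")            # internal network
VPN_CLIENTS = ipaddress.ip_network("10.20.0.0/23")    # pool shared by SSL VPN and IPsec dial-up users
PARTNER_WEB = ipaddress.ip_network("172.16.50.0/24")  # partner network, reachable only via the tunnel
PARTNER_WEBSERVER = "172.16.50.10"
# What the partner's phase 2 selectors accept as the remote network: only half of the pool.
PARTNER_SELECTORS = [ipaddress.ip_network("10.20.0.0/24")]

ROUTES_BEFORE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan1"),      # default route towards proxy / Internet
    (LAN, "internal"),
]
# Static route to the tunnel interface, as the answer suggests for non-overlapping subnets.
ROUTES_AFTER: List[Route] = ROUTES_BEFORE + [(PARTNER_WEB, "partner-vpn")]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def overlapping_pairs(nets: Iterable[Net]) -> List[Tuple[Net, Net]]:
    """Pairs of prefixes that overlap; plain static routes become ambiguous for these."""
    nets = list(nets)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def uncovered(pool: Net, selectors: Iterable[Net]) -> List[Net]:
    """Parts of a client pool that no remote phase 2 selector covers.

    Clients in these prefixes are dropped by the far end even when local
    routing is correct: the situation the last reply in the thread describes.
    """
    remaining = [pool]
    for sel in selectors:
        nxt: List[Net] = []
        for r in remaining:
            if r.subnet_of(sel):          # fully covered: nothing left to check
                continue
            if sel.subnet_of(r):          # partially covered: keep the remainder
                nxt.extend(r.address_exclude(sel))
            else:                         # disjoint: unaffected by this selector
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


def check_site(routes: List[Route], dst: str, pool: Net, selectors: List[Net],
               tunnel_iface: str) -> Dict[str, object]:
    """Summarise both checks for one destination and one client pool."""
    egress = lookup(routes, dst)
    return {
        "egress": egress,
        "routed_via_tunnel": egress == tunnel_iface,
        "clients_not_in_selectors": [str(n) for n in uncovered(pool, selectors)],
    }


if __name__ == "__main__":
    for name, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(name, check_site(routes, PARTNER_WEBSERVER, VPN_CLIENTS, PARTNER_SELECTORS, "partner-vpn"))
    print("overlaps:", overlapping_pairs([LAN, VPN_CLIENTS, PARTNER_WEB]))
```

With the routes "before", the web server address matches only the default route and leaves on wan1, which is the "wrong interface" symptom from the traffic log; adding the /24 static route towards the tunnel interface fixes egress, but the selector check still reports 10.20.1.0/24 as not accepted by the partner, which is exactly the half of the pool that the far end would have to add to its routing table and policies.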