SSL, IPsec, GRE routing
Hi
I'm struggling with a routing issue. We have an IPsec tunnel over GRE to partner Cisco routers. For that we needed to create an overlapping IP address interface for IPsec. Now I have a /29 for the main WAN connection and a /32 for the IPsec interface. In general everything works fine, but if we need to access the WAN interface IP from the internal network (over routing), then the /32 connected interface is the best match. In our case that is the IPsec VPN. But that will not work for SSL clients.
So from the internal network we cannot use the same profile as we would use over the internet for SSL VPN. It is a bit confusing for end users, as some of the resources are accessible only over SSL VPN.
Is there a trick to allow traffic from internal networks to the WAN interface if there is a better route available (the /32 rules over the /29 connected interface)?
#SSL #IPSEC #GRE
Labels: FortiClient, FortiGate
Routing behaviour can be changed by modifying priority and distance. You can follow the KB below to understand the behaviour.
Unfortunately that will affect static routes. In my case both are connected routes, so in the routing table both appear as generated automatically with priority and distance of "0".
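The route-selection behaviour described in the question and in the two replies above, as an added example that is not from any poster in this thread: a small Python model of how FortiOS picks a route. It shows why a connected /32 on the IPsec interface always beats a connected /29 on the WAN interface for traffic to the WAN address, and why distance and priority cannot change that outcome. Interface names and the RFC 5737 addresses are constructed; `with_priority` simulates a change that a real FortiGate does not allow on connected routes, purely to show it would not help even if it were possible.

```python
"""Added example, not from the thread: a minimal model of FortiOS route
selection. Longest prefix match decides first; administrative distance and
then priority only break ties between routes of equal prefix length (ECMP
is ignored). Interface names and RFC 5737 addresses are constructed.
"""
from dataclasses import dataclass, replace
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str            # destination prefix, e.g. "203.0.113.8/29"
    interface: str         # egress interface
    distance: int = 0      # connected routes are installed with distance 0
    priority: int = 0      # ... and priority 0
    kind: str = "connected"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)


def lookup(table: list, dst: str) -> Optional[Route]:
    """Return the route FortiOS would select for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    # A longer prefix always wins; distance, then priority, decide only
    # between routes whose prefix length is the same.
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, r.distance, r.priority))


def egress_for(dst: str, table: list) -> Optional[str]:
    """Name of the egress interface for dst, or None."""
    route = lookup(table, dst)
    return route.interface if route else None


def with_priority(table: list, interface: str, priority: int) -> list:
    """Copy of table with every route on `interface` given `priority`.
    On a real FortiGate this cannot be done for connected routes; the
    function exists only to show it would not change the result anyway."""
    return [replace(r, priority=priority) if r.interface == interface else r
            for r in table]


# Constructed topology matching the thread: a WAN /29 on wan1 and an
# overlapping /32 on the IPsec-over-GRE interface towards the partner.
WAN_IP = "203.0.113.10"
TABLE = [
    Route("203.0.113.8/29", "wan1"),
    Route(f"{WAN_IP}/32", "ipsec_partner"),
    Route("10.0.0.0/8", "internal"),
    Route("0.0.0.0/0", "wan1", distance=10, priority=1, kind="static"),
]

if __name__ == "__main__":
    print("to WAN IP          ->", egress_for(WAN_IP, TABLE))          # ipsec_partner
    print("to another /29 IP  ->", egress_for("203.0.113.12", TABLE))  # wan1
    print("worst priority /32 ->",
          egress_for(WAN_IP, with_priority(TABLE, "ipsec_partner", 100)))  # ipsec_partner
    # Only a second /32 with a better priority changes the answer.
    tied = with_priority(TABLE, "ipsec_partner", 100) + [Route(f"{WAN_IP}/32", "wan1")]
    print("two equal /32s     ->", egress_for(WAN_IP, tied))           # wan1
```

The model makes the point of the two posts above concrete: priority and distance are tie-breakers among equal-length prefixes, so they never come into play when a /32 competes with a /29, which is why an internal host trying to reach the WAN address ends up on the IPsec interface.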
Dear MaitM,
You can try with policy routing. As the source you can configure the source IP addresses from your internal network, and as the destination interface the WAN interface.
Useful KB-> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
I tried that one, but it did not help. I'm not sure, but I believe the policy route will not be used, as the traffic has local devices as its destination.
Dear MaitM,
Can you share something about the routing? Did you check with debug flow how the traffic is flowing from SSL to your WAN interface?
diagnose debug reset
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow filter saddr x.x.x.x <---- SSL source IP
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable
diag sys session filter src x.x.x.x <---- SSL source IP
diag sys session list