Support Forum
blanni
New Contributor

SSL VPN - Route assigned to client

Hi, I've inherited a Fortigate 80C from a previous admin. SSL VPN (Tunnel-Mode) for remote clients is configured and working well. When clients log on to the SSL VPN tunnel, they are automatically assigned a route in their local routing table to access our internal network (192.168.10.0/24) and everything works fine. I now need to add a new internal network subnet (192.168.20.0/24) for the remote clients to get access to. I've created a new ssl.root -> LAN policy allowing the SSL VPN clients to access the new subnet on the internal network; the problem is that when clients connect, they are still only provided with a route to 192.168.10.0/24 in their local routing table. The route to 192.168.20.0/24 is not being automatically created, so the client can't access that subnet. I've been through the SSL VPN docs and can't find the details anywhere for specifying the internal network routes that get assigned to the clients. I assumed that the SSL-VPN policy would have taken care of this but apparently not. Can anyone help? Thanks
rwpatterson
Valued Contributor III

Welcome to the forums. Are you using Forticlient or the web interface for SSL VPN connection?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
blanni
New Contributor

Hi Bob, Thanks for the reply. I'm using the web portal for the connection. Thanks
rwpatterson
Valued Contributor III

Basically, all you should need to do is add the policy. Also if the second subnet is remote to the FGT, a static route must be in place.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Federico_Vecchiatti
New Contributor II

The routes for the SSL VPN tunnel are defined in the portal rule that you configure on the Internet -> LAN interface (i.e., the rule that binds the SSL-VPN policy to the portal). If you enable connection from Any to LAN1 and LAN2, the routes to LAN1 and LAN2 will be enabled on the client when the SSL VPN tunnel starts. The ssl.root -> LAN policy acts as a pure firewall rule. Bye.
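The route push Federico describes, written out as a FortiOS CLI fragment. This is an added example and not configuration from the thread, from Fortinet's documentation or from blanni's 80C; it uses the portal-mode syntax of FortiOS 5.x and later, where the client's split-tunnel routes are listed explicitly on the portal rather than taken from the destination of a policy with action SSL-VPN. The address-object names LAN_10 and LAN_20, the portal name full-access, the user group sslvpn-users and the LAN interface name internal are assumptions; SSLVPN_TUNNEL_ADDR1 is the default client address pool. Lines starting with # are comments for the reader and are not accepted by the interactive CLI.

```fortios
# Added example, not from the original thread. Assumed names: LAN_10, LAN_20,
# full-access, sslvpn-users, internal.

config firewall address
    edit "LAN_10"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "LAN_20"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# The portal decides which prefixes the client routes into the tunnel.
# Keeping this list to the subnets the users actually need limits what a
# compromised remote endpoint can reach through the tunnel.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_10" "LAN_20"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# The ssl.root -> LAN policy is still required: the portal only controls the
# client's routing table, the policy controls what the FortiGate forwards.
config firewall policy
    edit 0
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_10" "LAN_20"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To check the result, reconnect a client and compare its routing table (route print on Windows) with the tunnel list on the FortiGate (get vpn ssl monitor): both subnets should appear against the client's tunnel address, and nothing else should be routed through the tunnel.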
rwpatterson

ORIGINAL: Federico Vecchiatti The routes for the SSL VPN tunnel are defined in the portal rule that you configure on the Internet -> LAN interface (i.e., the rule that binds the SSL-VPN policy to the portal). If you enable connection from Any to LAN1 and LAN2, the routes to LAN1 and LAN2 will be enabled on the client when the SSL VPN tunnel starts. The ssl.root -> LAN policy acts as a pure firewall rule. Bye.
What?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson
Valued Contributor III

Is the new subnet local to the Fortigate or remote (across another router/firewall)?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
blanni
New Contributor

Hi Guys, Thanks for looking at this. Hi Federico - Could you tell me where to go in the web interface? I've been through all of the options under VPN -> SSL and can't find anything that allows me to set binding rules. Hi Bob - The second subnet is routed via another router on the LAN side of the Fortigate. The routing is in place (I can ping addresses on the second subnet from the Fortigate CLI).
blanni
New Contributor

OK, I've found out some more info on this. I looked again at the ssl -> LAN policy and noticed that the 'Action' was set to Allow instead of SSL-VPN. If I change the Action to SSL-VPN and reconnect the client, it does indeed receive routes to both subnets BUT all communication from the SSL client to the internal LAN stops working. Any idea why I would be able to successfully communicate with the internal LAN (albeit only one subnet!) when the action is set to Allow, but not when the action is set to SSL-VPN? Thanks
rwpatterson
Valued Contributor III

If the VPN is in interface mode, then the action is truly 'ACCEPT'. 'SSL-VPN' (action = 'ENCRYPT') is for policy mode tunnels. The two modes are not interchangeable. Chances are that the IP address of the SSL VPN is not allowed across the second WAN VPN link. The way I would solve this is to create an IP pool with a single address from the LAN subnet that's not being used, and attach it to the 'SSL-VPN -> remote subnet' policy. This would source NAT the SSL-VPN traffic to appear to originate from the LAN, which already has permission to cross that leg.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
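Bob's single-address IP pool, written out as a FortiOS CLI fragment. This is an added example and not configuration from the thread or from Fortinet's documentation; it assumes that 192.168.10.250 is an unused address on the 192.168.10.0/24 LAN, that the downstream router already permits and routes traffic from that subnet, and it reuses the assumed names LAN_20, sslvpn-users and internal. Lines starting with # are comments for the reader, not CLI input.

```fortios
# Added example, not from the original thread. Assumed: 192.168.10.250 is free
# on the LAN; names LAN_20, sslvpn-users, internal are illustrative.

# A one-address pool; type overload lets many clients share it with
# per-connection source ports.
config firewall ippool
    edit "sslvpn-snat"
        set type overload
        set startip 192.168.10.250
        set endip 192.168.10.250
    next
end

# Separate policy for the routed subnet only, so traffic to the directly
# attached 192.168.10.0/24 keeps the real tunnel address as its source.
config firewall policy
    edit 0
        set name "sslvpn-to-LAN_20-snat"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_20"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        # Keep full logging: after SNAT the downstream router and the hosts
        # on 192.168.20.0/24 only ever see 192.168.10.250, so the FortiGate
        # log is the only place that maps a session back to a VPN user.
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "sslvpn-snat"
    next
end
```

The SNAT is a workaround, not a fix for the routing gap it hides: the downstream router has no return route (or no permit) for the SSL VPN client pool. If that router is under your control, adding a static route for SSLVPN_TUNNEL_ADDR1 pointing back at the FortiGate, and allowing that range in its filter, keeps per-client source addresses end to end and makes the second policy plain accept with no pool. Use diagnose sniffer packet internal 'host 192.168.20.x' to confirm which source address actually leaves the LAN interface.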