- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL VPN - Route assigned to client
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN - Route assigned to client
Hi,
I' ve inherited a Fortigate 80C from a previous admin. SSL VPN (Tunnel-Mode) for remote clients is configured and working well.
When clients log on to the SSL VPN tunnel, they are automatically assigned a route in their local routing table to access our internal network (192.168.10.0/24) and eveything works fine.
I now need to add a new internal network subnet (192.168.20.0/24) for the remote clients to get access to. I' ve created a new ssl.root -> LAN policy allowing the SSL VPN clients to access the new subnet on the internal network, the problem is that when clients connect, they are still only provided with a route to 192.168.10.0/24 in their local routing table. The route to 192.168.20.0/24 is not being automatically created, so the client can' t access that subnet.
I' ve been through the SSL VPN docs and can' t find the details anywhere for specifying the internal network routes that get assigned to the clients. I assumed that the SSL-VPN policy would have taken care of this bu apparently not.
Can anyone help?
Thanks
- « Previous
-
- 1
- 2
- Next »
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I know where I was going wrong now. I' ve managed to crack it with another read through the Fortinet SSL VPN documentation.
I think the first mistake I made was that the ssl -> LAN policy was set to ' ACCEPT' instead of ' SSL-VPN' as detailed in a previous post. When I changed this to ' SSL-VPN' , the routes were advertised to the client as expected.
The reason I then couldn' t access any resources on the internal LAN is that you also need an ' ACCEPT' policy in addition to the ' SSL-VPN' policy.
Apparently for a tunnel mode VPN, the first (SSL-VPN) policy sets up the authentication / client routing, and the second (ACCEPT) policy actually allows the traffic to pass from the client to the internal LAN. All this is in the SSL VPN documentation, but I obviously missed it!
Looks like if you only have the ACCEPT policy, the VPN connection sort-of works, but the routes are not advertised to clients.
I now have both policies in place and everything is working well!
Thanks for your help.
**EDIT** I think all of this is exactly what Federico was getting at in his earlier post.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using policy based tunnels?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: blanni I now have both policies in place and everything is working well!That' s strange. You don' t actually need to use an extra ACCEPT policy for SSL VPN traffic, unless there are some kind of firmware bug?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: blanni I now have both policies in place and everything is working well!That' s strange. You don' t actually need to use an extra ACCEPT policy for SSL VPN traffic, unless there are some kind of firmware bug?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: blanni **EDIT** I think all of this is exactly what Federico was getting at in his earlier post.Ok, my english is not so good, but that was the info ... Remote routing is configured by the Internet - PortXX rule (with Action SSL_VPN). When you configure the policy with an ANY to LAN1 you are allowing connection to LAN1 from the SSL portal but you are also " passing" LAN1 route to the remote client (if it connect with the VPN client ..). With the ssl.root - PortXX rule (with ACCEPT) you allow the traffic from the VPN ssl client. If you don' t need Portal Access VPN, just add only ping as the service in the SSL portal that you bind to the SSL VPN rule (so if the user connect to the SSL portal instead of using the SSL VPN client, he cannot bypass the ssl.root - PortXX rule). Bye !
Created on 02-08-2013 07:14 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For what it' s worth, I don' t use the ' any' interface. I lock my units down more than that, so my traffic is from WAN -> SSL.root -> inside port(s). There is now way traffic could bypass the ssl.root interface and get anywhere. Still takes 2 policies, but I know who/what/where all the traffic is allowed to go.
My 2 cents
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Force the routing of a domain... 55 Views
- IPSec client is blocked by implicit... 377 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 236 Views
- Automatically Ban Malicious Inbound IPs using... 197 Views
- "Error writing to SSL connection" with... 238 Views
Labels
-
FortiGate
6,503 -
FortiClient
1,299 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
261 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.