We have a site-site IPSEC tunnel setup reciprocating traffic between SiteA 192.168.1.0 and SiteB 192.168.3.0.
SSL VPN user gets an ip 192.168.1.240 at SiteA but no traffic is allowed to Site B. IPSEC VPN works fine.
I tried making a policy from ssl.root > 192.168.3.0...no dice
Static route from ssl.root > 192.168.3.0...no dice
Policy route from ssl.root > 192.168.3.0...nope
What are we missing?
SSL VPN is a separate interface, but it shares the subnet of the main interface at site A (assuming class C network). This may be the stem of your issue. SSL VPN should have a unique IP subnet from any others.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thanks - I just changed the IP range in SSLVPN_TUNNEL_ADDR1 to a 10.0.0.1 ip range..same issue. Traffic is still stuck exclusively on the 1.x subnet.
Does the phase 2 selector on the VPN cover the subnet 10.0.0.x? If it does not, you could create an IP pool with a single valid IP address from the internal interface and apply it to the VPN policy as a test.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I assume you're referring to the site-site tunnel (p2 config attached). But yes, it should be covering the subnet since it's configured for 0.0.0.0 (source) and destination is the 3.x subnet we are trying to access via SSL VPN. I manually went in and specified 10.0.0.1 instead and still same result. :\
Marklar wrote:In my opinion, here is the time to start the packet level sniffing to see where the traffic breaks down. If you do have the correct policies and routes set up in the remote device, then start the sniffer traces.I assume you're referring to the site-site tunnel (p2 config attached). But yes, it should be covering the subnet since it's configured for 0.0.0.0 (source) and destination is the 3.x subnet we are trying to access via SSL VPN. I manually went in and specified 10.0.0.1 instead and still same result. :\
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
How is the SSLVPN tunnel configured?
Do you use split tunneling? If yes, have you configured the remote network in the portal/Settings?
Marklar wrote:I assume you're referring to the site-site tunnel (p2 config attached). But yes, it should be covering the subnet since it's configured for 0.0.0.0 (source) and destination is the 3.x subnet we are trying to access via SSL VPN. I manually went in and specified 10.0.0.1 instead and still same result. :\
Do you have a route back from the other side to the local 10.0.0.0 network?
Does the traffic find its way back through the tunnel?
Try to activate NAT in the policy from ssl.root to the destination network and see what happens.
Just so it's documented, I opened a ticket on this one and it was configured correctly. The issue was something that had to be enabled in the CLI - though Fortinet support agreed it should have been working as I had it set. Here is what they had to do:
config firewall policy
edit 14 (that was the policy which referenced the ssl.root source > wan1 > 192.168.3.x destination config)
set outbound en
= done.
..For some reason inbound was enabled and outbound was set to disabled in that policy. Took support about an hour to figure out.
I'd have never found that one!
Either way, that did it..no explanation why it was disabled in the first place, but whatever.
Thanks for all the help!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.