Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hassan4mz
New Contributor

SSL VPN routing back Fortigate to fortigate (site to site )

Greetings!

Kindly, as in the example in the link below, I am trying to connect FortiGate to FortiGate (site to site) via SSL VPN

(the ISP is blocking IPsec)

The issue is I can't reach the Forti SSL VPN client subnet, as in the picture below.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/508779/fortigate-as-ssl-vpn-client


This is the debug with NAT:

___________________________________

id=65308 trace_id=501 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 41.XX.XXX.XXX:60419->22.0.0.2:2048) tun_id=0.0.0.0 from vpn2. type=8, code=0, id=60419, seq=5983."
id=65308 trace_id=501 func=init_ip_session_common line=6076 msg="allocate a new session-001225cf, tun_id=0.0.0.0"
id=65308 trace_id=501 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-22.0.0.2 via root"
id=65308 trace_id=501 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"

______________________________________

This is the debug without NAT:

id=65308 trace_id=505 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.75.113:3->22.0.0.2:2048) tun_id=0.0.0.0 from vpn2. type=8, code=0, id=3, seq=5994."
id=65308 trace_id=505 func=init_ip_session_common line=6076 msg="allocate a new session-00122799, tun_id=0.0.0.0"
id=65308 trace_id=505 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-22.0.0.2 via root"
id=65308 trace_id=505 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"

 

Thank you

Yurisk
SuperUser

"check failed on policy 0, drop" basically means that there is no matching security rule for this traffic. The example you use mentions creating a policy in one direction only, from the SSL VPN client to the other side. For bidirectional traffic you will need to create a mirrored security policy as well, with (as per the example):

 

Incoming Interface: sslclient_port1

Outgoing interface: port2

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
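To make the "policy 0, drop" verdict easier to spot across many trace lines, here is a small parser for the FortiGate flow trace format quoted in the question (the output of `diagnose debug flow`). It is an added example and not code from either poster; the sample input is the two traces from the post, embedded as a constructed string with the source address masked as in the original.

```python
import re
from collections import defaultdict

# Constructed sample: the two traces quoted in the question (source address masked as in the post).
SAMPLE_TRACE = """\
id=65308 trace_id=501 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 41.XX.XXX.XXX:60419->22.0.0.2:2048) tun_id=0.0.0.0 from vpn2. type=8, code=0, id=60419, seq=5983."
id=65308 trace_id=501 func=init_ip_session_common line=6076 msg="allocate a new session-001225cf, tun_id=0.0.0.0"
id=65308 trace_id=501 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-22.0.0.2 via root"
id=65308 trace_id=501 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=505 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.75.113:3->22.0.0.2:2048) tun_id=0.0.0.0 from vpn2. type=8, code=0, id=3, seq=5994."
id=65308 trace_id=505 func=init_ip_session_common line=6076 msg="allocate a new session-00122799, tun_id=0.0.0.0"
id=65308 trace_id=505 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-22.0.0.2 via root"
id=65308 trace_id=505 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) tun_id=\S+ from (?P<iface>\S+?)\.(?:\s|$)')
ROUTE_RE = re.compile(r'find a route: flag=(?P<flag>[0-9a-fA-F]+) gw-(?P<gw>\S+) via (?P<via>\S+)')
DROP_RE = re.compile(r'check failed on policy (?P<policy>\d+), drop')
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_flow_trace(text):
    """Group trace lines by trace_id and pull out the packet, route and verdict fields."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flow, msg = flows[int(m["tid"])], m["msg"]
        if (p := PKT_RE.search(msg)):
            flow.update(proto=PROTO.get(int(p["proto"]), p["proto"]), src=p["src"],
                        dst=p["dst"], iface=p["iface"])
        elif (r := ROUTE_RE.search(msg)):
            flow.update(route_flag=r["flag"], gateway=r["gw"], via=r["via"])
        elif (d := DROP_RE.search(msg)):
            # policy 0 means no firewall policy matched; the func name records which handler dropped it
            flow.update(verdict="drop", policy=int(d["policy"]), handler=m["func"])
    return dict(flows)

def policy_drops(flows):
    """Return (trace_id, iface, src, dst, handler) for every flow dropped with no matching policy."""
    return [(tid, f["iface"], f["src"], f["dst"], f["handler"])
            for tid, f in sorted(flows.items())
            if f.get("verdict") == "drop" and f.get("policy") == 0]

if __name__ == "__main__":
    for tid, iface, src, dst, handler in policy_drops(parse_flow_trace(SAMPLE_TRACE)):
        print(f"trace {tid}: {src} -> {dst} in via {iface} dropped by {handler} (no matching policy)")
```

Feed it the full trace for a failing ping and the output lists, per trace_id, the ingress interface and endpoints of each flow that hit no policy, which is exactly the pair of interfaces the mirrored policy has to cover.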
hassan4mz
New Contributor

I did already add the policy in and out, but still the same issue. I think the problem is in the SSL VPN interface (client) not reversing the route.

