Hello,
I'm running into one issue concerning a laptop connecting with SSL VPN to a FortiGate.
The setup makes use of OSPF routing. The default routing for all traffic goes thru FG-A.
FortiGate FG-B is the entry point for SSL VPN.
Since all traffic has a default route to FG-A, the laptop cannot make a connection to FG-B, because that traffic is routed to FG-A via the IPsec tunnel, and not back to where it came from, the laptop.
I want all traffic go thru FG-A since that one has security profiles.
When I make one static route for the laptop of FG-B, the result is good for a working SSL VPN for that laptop:
FG-B # diagnose sniffer packet any 'host 1.2.8.201'
interfaces=[any]
filters=[host 1.2.8.201]
8.234645 1.2.8.201.26381 -> 10.0.22.2.443: syn 2953506651
8.234830 10.0.22.2.443 -> 1.2.8.201.26381: syn 1439558356 ack 2953506652
8.272586 1.2.8.201.26381 -> 10.0.22.2.443: ack 1439558357
8.320566 1.2.8.201.26381 -> 10.0.22.2.443: fin 2953506652 ack 1439558357
8.320937 10.0.22.2.443 -> 1.2.8.201.26381: fin 1439558357 ack 2953506653
8.339497 1.2.8.201.26381 -> 10.0.22.2.443: ack 1439558358
8.389289 1.2.8.201.26382 -> 10.0.22.2.443: syn 3605904456
Without the static route for the laptop, the result is:
FG-B # diagnose sniffer packet any 'host 1.2.8.201'
interfaces=[any]
filters=[host 1.2.8.201]
16.222300 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175
17.214982 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175
19.233017 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175
Since the laptop's IP address is constantly changing, due to providers, and most of the devices have unknown IP adresses, it's difficult to make static routes for those devices.
So my question is, how to make it possible, that devices from the internet can succesfully connect to the FortiGate FG2 listening to SSL-VPN connections?
With the current network set-up on the FG-B, I don't think this is possible.
My wild idea is to have another connection between the router (maybe lan2 interface) and FG-B (wan2?) then assign a different interconnect subnet. Then set the port forwarding at the router to lan2.
At the FG-B, I would try a lower-priority(high number) static default route to wan2 while wan1 has a higher static default route. With this set up all internet bound traffic from FG-B goes out wan1 while it still accepts and returns traffic to SSL VPNs.
This is just my theory and never tested myself. There maybe some fallouts in this theory.
But this wocky setup is unnecessary if you simply move SSL VPN to FG-A, which is the common way.
Toshi
FG-A is occupied with other port wardings.
Can't imaging that this wocky setup is the first in this world being used.
Created on 07-06-2023 08:20 AM Edited on 07-06-2023 08:30 AM
I would order additional IP from the ISP to make network more "normal". Or better, eliminate the router by moving the all routing functions into those FGTs if circuit handoff is Ethernet. Basically you have two routers at both locations splitting routing functions (including the VPN) between them.
Toshi
Or, just change SSL VPN port to something else if it's conflicting with a Web server or something at the site A.
In this particular scenario I would suggest to try the Policy Routes. This need to be tested first, no guarantee that it will work but it's worth a shot. You have to get very specific in the matching conditions and try to select and route only the SSL VPN traffic.
Even with policy routes, you have to know the source IP address. Which are dynamically IP addresses of different providers.
I found a possibilty under:
config vpn ssl settings
set auto-tunnel-static-route enable
But that does not work (yet).
Yes that's expected, I was suggesting to choose all IPs and test routing based on L4 ports used by the SSL VPN
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1759 | |
1116 | |
766 | |
447 | |
242 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.