Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
philip_nl

SSL-VPN routing

Hello,

I'm running into one issue concerning a laptop connecting with SSL VPN to a FortiGate.

The setup makes use of OSPF routing. The default route for all traffic goes through FG-A.

FortiGate FG-B is the entry point for SSL VPN.

Since all traffic has a default route to FG-A, the laptop cannot make a connection to FG-B, because that traffic is routed to FG-A via the IPsec tunnel, and not back to where it came from, the laptop.

I want all traffic to go through FG-A since that one has the security profiles.

[Image: SSL-VPN.jpg, network diagram of the laptop, the router, FG-A and FG-B]

When I add a static route on FG-B for the laptop, SSL VPN works for that laptop:

FG-B # diagnose sniffer packet any 'host 1.2.8.201'
interfaces=[any]
filters=[host 1.2.8.201]
8.234645 1.2.8.201.26381 -> 10.0.22.2.443: syn 2953506651
8.234830 10.0.22.2.443 -> 1.2.8.201.26381: syn 1439558356 ack 2953506652
8.272586 1.2.8.201.26381 -> 10.0.22.2.443: ack 1439558357
8.320566 1.2.8.201.26381 -> 10.0.22.2.443: fin 2953506652 ack 1439558357
8.320937 10.0.22.2.443 -> 1.2.8.201.26381: fin 1439558357 ack 2953506653
8.339497 1.2.8.201.26381 -> 10.0.22.2.443: ack 1439558358
8.389289 1.2.8.201.26382 -> 10.0.22.2.443: syn 3605904456

 

Without the static route for the laptop, the result is:

FG-B # diagnose sniffer packet any 'host 1.2.8.201'
interfaces=[any]
filters=[host 1.2.8.201]
16.222300 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175
17.214982 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175
19.233017 1.2.8.201.27042 -> 10.0.22.2.443: syn 3741587175

 

Since the laptop's IP address is constantly changing, due to providers, and most of the devices have unknown IP addresses, it's difficult to make static routes for those devices.

 

So my question is, how to make it possible that devices from the internet can successfully connect to the FortiGate FG-B listening for SSL-VPN connections?

 

Philip
Toshi_Esumi

With the current network set-up on the FG-B, I don't think this is possible.

My wild idea is to have another connection between the router (maybe lan2 interface) and FG-B (wan2?) then assign a different interconnect subnet. Then set the port forwarding at the router to lan2.

At the FG-B, I would try a lower-priority (higher number) static default route to wan2 while wan1 has a higher-priority static default route. With this set-up all internet-bound traffic from FG-B goes out wan1 while it still accepts and returns traffic to SSL VPNs.

 

This is just my theory and I have never tested it myself. There may be some fallouts in this theory.

 

But this wonky setup is unnecessary if you simply move SSL VPN to FG-A, which is the common way.

 

Toshi

philip_nl

FG-A is occupied with other port forwardings.

Can't imagine that this wonky setup is the first in this world being used.

Philip
Toshi_Esumi

I would order an additional IP from the ISP to make the network more "normal". Or better, eliminate the router by moving all routing functions into those FGTs if the circuit handoff is Ethernet. Basically you have two routers at both locations splitting routing functions (including the VPN) between them.

 

Toshi

Toshi_Esumi

Or, just change the SSL VPN port to something else if it's conflicting with a web server or something at site A.

ebilcari

In this particular scenario I would suggest trying Policy Routes. This needs to be tested first, no guarantee that it will work, but it's worth a shot. You have to get very specific in the matching conditions and try to select and route only the SSL VPN traffic.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
philip_nl

Even with policy routes, you have to know the source IP address, which are dynamic IP addresses from different providers.

I found a possibility under:

config vpn ssl settings

   set auto-tunnel-static-route enable

But that does not work (yet).

 

Philip
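For the routing behaviour discussed in this thread, an added configuration example follows. It is not posted by any participant and was not tested against Philip's setup. FortiOS `config vpn ssl settings` has a `route-source-interface` option, described in the CLI reference as allowing SSL-VPN sessions to bypass routing and bind to the incoming interface. That is exactly the symptom in the second sniffer capture: the SYN arrives on FG-B, but the SYN/ACK follows the default route into the IPsec tunnel towards FG-A instead of going back out the interface it came in on. `auto-tunnel-static-route`, by contrast, concerns static routes for the tunnel-mode IP pool, not the path replies to the client take. The interface name and port below are assumptions; confirm the option exists on the FG-B firmware version before relying on it.

```text
# Added example, FortiOS CLI on FG-B (not from the thread). Values marked as
# assumptions are illustrative; keep whatever FG-B already uses.

# Before: SSL VPN follows the routing table, so replies to the laptop leave
# via the default route towards FG-A instead of the interface they arrived on.
config vpn ssl settings
    set port 443
    set source-interface "wan1"            # assumption: interface the router forwards 443 to
    set route-source-interface disable     # default: reply per routing table
end

# After: bind SSL-VPN replies to the ingress interface, leaving the default
# route (and everything else that should go through FG-A) untouched.
config vpn ssl settings
    set port 443
    set source-interface "wan1"            # assumption, as above
    set route-source-interface enable      # reply via the interface the session came in on
end

# Check with the same capture the thread uses, without the per-laptop static
# route; verbosity 4 adds interface names so the SYN/ACK can be seen leaving
# wan1 rather than the IPsec tunnel.
diagnose sniffer packet any 'host 1.2.8.201 and port 443' 4
```

The option affects only SSL-VPN sessions terminated on FG-B, so FG-B's default route towards FG-A and the OSPF setup are unchanged, and no per-client static or policy route is needed. After enabling it, the three-way handshake should complete in the capture as it does in the first trace.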
ebilcari

Yes, that's expected. I was suggesting to choose all IPs and test routing based on the L4 ports used by the SSL VPN.

- Emirjon