Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bmotamed
New Contributor

SSL VPN site to site

Hi ,

we have three office site A B & C with 3 FG80c.

There are ipsec vpn beetween A-B A-C B-C (Internal from A can communicate with B and C resource; ....).

Theres are 3 sslVPN for each site for external communication.

My issue : none of VPNSSL connections lets vpn SSL users to access to other site after a successfull connection.

example : when i'm connected from external by sslvpn to site A, i can't see any resource of site B or site C. Is that a policy probleme (i checked all sslroot to ipsep interface seemed ok...in each fortigate)?

thanks a lot.

8 REPLIES 8
cbesse
New Contributor

Hello,

Have you check the following settings :

- Is the VPN SSL subnet is allowed in the ipsec phase 2 ? - have you created a static route in the FortiGate in site B and Site C ?

Regards

emnoc
Esteemed Contributor III

More importantly did you run  diag debug flow ,  with one of the sslvpn_pool address given to an external user ?

 

That and above will at least give you a running start as to what to look at.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
bmotamed
New Contributor

ok i'll try this.

thanks

 

emnoc
Esteemed Contributor III

FWIW & in your setup , you would be wise to explore ospf-over IPSEC for the A_B_C spokes. You would only need to advertise the SSLVPN pool address into the OSPF domain and ensure  fw-policies to allow the clients access to the correct services.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
bmotamed
New Contributor

Hi, finaly there was missing vpn policy rules for wan->eachOffice

thanks

bmotamed

Yes  : there are 0.0.0.0 for all phase 2

and static route On B and C are there for Both "internal" A and "SSLVPN adresses" A

sorrowking
New Contributor

Yeah, same problem, someone can help please ?

bmotamed

Hello, my issue was resolved, i've missed a policy rule.

        set srcintf "wan1"         set dstintf "destination"         set srcaddr "all"         set dstaddr "destinationAdress" "destinationAdress-VPN-SSL"         set action ssl-vpn         set identity-based enable             config identity-based-policy                 edit 1                     set schedule "always"                     set groups "ssl users" "SSL portal ext"                     set service "ALL"                     set sslvpn-portal "full-access"                 next             end     next

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors