SSL VPN to Site2Site VPN
Hi!
I have 2 FortiGate 40s with an IPsec tunnel, working great.
Then on each one I have an SSL VPN for client PCs; they can access the local LAN at both sites.
Problem is I need to allow access to Site1 using the SSL VPN on Site2.
Tried to adapt this https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn but can't get it to work.
On Site2 I created a policy to allow SSL VPN traffic to access the VPN tunnel:
- Incoming: SSLVPN
- Outgoing: IPsec tunnel
- Source: IP range for SSL and the SSL user group
- Destination: the remote subnet on Site1
Tried with and without NAT, but it doesn't work.
Don't I need a policy to allow it on Site1 also? Tried that also, but it doesn't work.
Can anyone help or point to another example?
Thanks in advance
Hi pprior
If the config part is verified as per the document shared, please run the commands below and share the output.
* Log in to the FGT using PuTTY SSH, log the session and run the commands below:
diag debug reset
diag debug en
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with Destination behind site B]
diag debug flow filter proto 1
diag debug flow trace start 999
Before executing the above commands, ensure that there are no existing sessions from the IP. After executing the above commands, connect the SSL VPN and ping the destination IP behind the remote side. Once you see the output generated, enter the following commands to turn off debugging:
diag debug disable
diag debug reset
Share the client IP and dst IP for analysis.
Log the PuTTY sessions first on both devices and then generate traffic.
Thanks
Is SSL-VPN set to tunnel all or split-tunnel?
You are right, you will need an SSL-VPN to IPsec policy on Site2 and then on Site1 you will need an IPsec to LAN policy (or whatever destination port they need).
If you do not NAT the policy on Site2, you will need to make sure:
- the two sites do not use the same SSL-VPN subnet
- have the necessary routes on Site1
- IPSEC tunnels on both sides have the SSL-VPN subnet defined.
Hi GDiFi!
It's split-tunnel.
I confirm:
- the two sites do not use the same SSL-VPN subnet
- have the necessary routes on Site1 *** I think so...
- IPSEC tunnels on both sides have the SSL-VPN subnet defined. *** I edited the tunnel and it has an address group that includes lan and ssl vpn subnet
Hi Team,
Please ensure you have done all the configuration according to this article:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn
Please check and keep us posted.
Tried using the 7.0.6 version (current on the 2 FGs) as a guide, but the IPsec is working and I cannot delete everything and restart from scratch, so I adapted it.
Created on 06-15-2022 03:56 AM Edited on 06-15-2022 03:56 AM
2022-06-15 11:44:37 id=20085 trace_id=4 func=init_ip_session_common line=6042 msg="allocate a new session-0000cc95, tun_id=0.0.0.0"
2022-06-15 11:44:37 id=20085 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.0.1 via Site2Site"
2022-06-15 11:44:37 id=20085 trace_id=4 func=fw_forward_handler line=879 msg="Allowed by Policy-8:"
2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Site2Site, tun_id=0.0.0.0"
2022-06-15 11:44:37 id=20085 trace_id=4 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Site2Site"
2022-06-15 11:44:37 id=20085 trace_id=4 func=esp_output4 line=840 msg="IPsec encrypt/auth"
2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsec_output_finish line=544 msg="send to external.ip.106.1 via intf-wan"
2022-06-15 11:44:41 id=20085 trace_id=5 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=1937."
2022-06-15 11:44:41 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5949 msg="Find an existing session, id-0000cc95, original direction"
2022-06-15 11:44:41 id=20085 trace_id=5 func=npu_handle_session44 line=1183 msg="Trying to offloading session from ssl.root to Site2Site, skb.npu_flag=00000400 ses.state=01010204 ses.npu_state=0x04000100"
2022-06-15 11:44:41 id=20085 trace_id=5 func=fw_forward_dirty_handler line=410 msg="state=01010204, state2=00000001, npu_state=04000100"
2022-06-15 11:44:41 id=20085 trace_id=5 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Site2Site, tun_id=0.0.0.0"
2022-06-15 11:44:41 id=20085 trace_id=5 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Site2Site"
2022-06-15 11:44:41 id=20085 trace_id=5 func=esp_output4 line=840 msg="IPsec encrypt/auth"
2022-06-15 11:44:41 id=20085 trace_id=5 func=ipsec_output_finish line=544 msg="send to external.ip.106.1 via intf-wan"
Hi pprior,
2022-06-15 11:44:37 id=20085 trace_id=4 func=init_ip_session_common line=6042 msg="allocate a new session-0000cc95, tun_id=0.0.0.0">>session was allocated
2022-06-15 11:44:37 id=20085 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.0.1 via Site2Site">>route to destination was found via tunnel "Site2Site"
2022-06-15 11:44:37 id=20085 trace_id=4 func=fw_forward_handler line=879 msg="Allowed by Policy-8:" >> traffic was allowed via policy 8 on this device
2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Site2Site, tun_id=0.0.0.0"
2022-06-15 11:44:37 id=20085 trace_id=4 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Site2Site"
2022-06-15 11:44:37 id=20085 trace_id=4 func=esp_output4 line=840 msg="IPsec encrypt/auth"
2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsec_output_finish line=544 msg="send to external.ip.106.1 via intf-wan"
Then the traffic was encrypted and sent out of the WAN interface on which the VPN is formed.
Looking at this, the packet left this FGT via tunnel "Site2Site" and policy ID 8.
Can you take the same capture on the other FGT and share the output?
Ok, something now, not sure what ;)
2022-06-15 12:30:34 id=20085 trace_id=2 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2508."
2022-06-15 12:30:34 id=20085 trace_id=2 func=init_ip_session_common line=6042 msg="allocate a new session-000c63b2, tun_id=10.0.0.1"
2022-06-15 12:30:34 id=20085 trace_id=2 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:34 id=20085 trace_id=2 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:39 id=20085 trace_id=3 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2510."
2022-06-15 12:30:39 id=20085 trace_id=3 func=init_ip_session_common line=6042 msg="allocate a new session-000c63ff, tun_id=10.0.0.1"
2022-06-15 12:30:39 id=20085 trace_id=3 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:39 id=20085 trace_id=3 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:44 id=20085 trace_id=4 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2514."
2022-06-15 12:30:44 id=20085 trace_id=4 func=init_ip_session_common line=6042 msg="allocate a new session-000c643f, tun_id=10.0.0.1"
2022-06-15 12:30:44 id=20085 trace_id=4 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:44 id=20085 trace_id=4 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:49 id=20085 trace_id=5 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2515."
2022-06-15 12:30:49 id=20085 trace_id=5 func=init_ip_session_common line=6042 msg="allocate a new session-000c6461, tun_id=10.0.0.1"
2022-06-15 12:30:49 id=20085 trace_id=5 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:49 id=20085 trace_id=5 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:54 id=20085 trace_id=6 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2516."
2022-06-15 12:30:54 id=20085 trace_id=6 func=init_ip_session_common line=6042 msg="allocate a new session-000c6490, tun_id=10.0.0.1"
2022-06-15 12:30:54 id=20085 trace_id=6 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:54 id=20085 trace_id=6 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:59 id=20085 trace_id=7 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2517."
2022-06-15 12:30:59 id=20085 trace_id=7 func=init_ip_session_common line=6042 msg="allocate a new session-000c64b3, tun_id=10.0.0.1"
2022-06-15 12:30:59 id=20085 trace_id=7 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:59 id=20085 trace_id=7 func=ip_session_handle_no_dst line=6128 msg="trace"
*** other traffic removed ***
2022-06-15 12:31:00 id=20085 trace_id=9 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 192.168.101.2:61291->192.168.101.1:0) tun_id=0.0.0.0 from lan. type=0, code=0, id=61291, seq=37250."
2022-06-15 12:31:00 id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5949 msg="Find an existing session, id-000c192c, reply direction"
2022-06-15 12:31:00 id=20085 trace_id=9 func=__ip_session_run_tuple line=3503 msg="DNAT 192.168.101.1:0->10.212.134.100:1"
2022-06-15 12:31:00 id=20085 trace_id=9 func=npu_handle_session44 line=1183 msg="Trying to offloading session from lan to ssl.root, skb.npu_flag=00000400 ses.state=01002204 ses.npu_state=0x00041108"
2022-06-15 12:31:00 id=20085 trace_id=9 func=fw_forward_dirty_handler line=410 msg="state=01002204, state2=00000001, npu_state=00041108"
2022-06-15 12:31:00 id=20085 trace_id=9 func=ids_receive line=417 msg="send to ips"
2022-06-15 12:31:04 id=20085 trace_id=10 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2518."
2022-06-15 12:31:04 id=20085 trace_id=10 func=init_ip_session_common line=6042 msg="allocate a new session-000c64e4, tun_id=10.0.0.1"
2022-06-15 12:31:04 id=20085 trace_id=10 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:31:04 id=20085 trace_id=10 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:31:09 id=20085 trace_id=11 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2519."
2022-06-15 12:31:09 id=20085 trace_id=11 func=init_ip_session_common line=6042 msg="allocate a new session-000c650d, tun_id=10.0.0.1"
2022-06-15 12:31:09 id=20085 trace_id=11 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:31:09 id=20085 trace_id=11 func=ip_session_handle_no_dst line=6128 msg="trace"
Hi pprior,
2022-06-15 12:30:34 id=20085 trace_id=2 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2508."
2022-06-15 12:30:34 id=20085 trace_id=2 func=init_ip_session_common line=6042 msg="allocate a new session-000c63b2, tun_id=10.0.0.1"
2022-06-15 12:30:34 id=20085 trace_id=2 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop" >> The packet is entering from tunnel interface Site2Site on this FGT, but the FGT drops the packet with the error "reverse path check fail, drop".
Looks like this FGT is not learning subnet 10.212.130.0/24 via the Site2Site interface.
get router info routing-table details 10.212.130.1
--this command can tell you which interface the FGT is learning the route for this network from
Try creating a static route for 10.212.130.0/24 with interface Site2Site on this FGT and then test.
If the issue persists after adding the route, collect the same debug output on this FGT plus the output of the above command and share.
Doc to refer: https://community.fortinet.com/t5/FortiGate/Technical-Note-Details-about-FortiOS-RPF-Reverse-Path-Fo...
Thanks
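Two things in this thread are worth having as a repeatable check rather than reading by eye: reducing a `diag debug flow` capture to one verdict per trace (which interface the packet came in on, which route and policy it matched, and whether it was forwarded or dropped), and seeing why the Site1 FortiGate fails the reverse-path check before the static route exists and passes it afterwards. The Python below is an added example for this thread, not Fortinet code and not part of FortiOS. The sample trace is a condensed copy of the lines posted above; the Site1 routing table is constructed from the prefixes visible in the posts (192.168.101.0/24 as Site1 LAN, 10.212.130.0/24 as the Site2 SSL-VPN pool), while the /24 mask on 10.212.134.0 and 192.168.102.0/24 as the Site2 LAN are assumptions. The RPF model follows the FortiOS description of loose (default) versus strict mode; it is a simplification and ignores ECMP.

```python
import ipaddress
import re

# Constructed sample input: a condensed copy of the "diag debug flow" lines posted
# in this thread (trace_id 4 from the Site2 FGT, trace_id 2 from the Site1 FGT).
# trace_id numbering restarts per capture, so normally feed one device's capture
# at a time; here the two ids happen not to collide.
SAMPLE_TRACE = """\
2022-06-15 11:44:37 id=20085 trace_id=4 func=init_ip_session_common line=6042 msg="allocate a new session-0000cc95, tun_id=0.0.0.0"
2022-06-15 11:44:37 id=20085 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.0.1 via Site2Site"
2022-06-15 11:44:37 id=20085 trace_id=4 func=fw_forward_handler line=879 msg="Allowed by Policy-8:"
2022-06-15 11:44:37 id=20085 trace_id=4 func=ipsec_output_finish line=544 msg="send to external.ip.106.1 via intf-wan"
2022-06-15 12:30:34 id=20085 trace_id=2 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2508."
2022-06-15 12:30:34 id=20085 trace_id=2 func=init_ip_session_common line=6042 msg="allocate a new session-000c63b2, tun_id=10.0.0.1"
2022-06-15 12:30:34 id=20085 trace_id=2 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) tun_id=\S+ from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')


def summarize_trace(text):
    """Group debug-flow lines by trace_id and reduce each trace to a verdict dict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt, banner or "*** other traffic removed ***" style lines
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"proto": None, "src": None, "dst": None,
                                    "in_intf": None, "out_intf": None,
                                    "policy": None, "verdict": "incomplete"})
        if func == "print_pkt_detail":
            pm = PKT_RE.search(msg)
            if pm:
                t["proto"], t["src"], t["dst"], t["in_intf"] = pm.groups()
        elif (rm := ROUTE_RE.search(msg)):
            t["out_intf"] = rm.group(1)            # egress interface chosen by routing
        elif (pm := POLICY_RE.search(msg)):
            t["policy"] = pm.group(1)              # firewall policy that accepted it
        elif msg.endswith(", drop") or msg.startswith("Denied"):
            reason = msg[:-len(", drop")] if msg.endswith(", drop") else msg
            t["verdict"] = "drop: " + reason       # e.g. "drop: reverse path check fail"
        elif msg.startswith("send to"):
            if not t["verdict"].startswith("drop"):
                t["verdict"] = "forwarded"         # handed to the egress path / IPS
    return traces


# Constructed Site1 routing table (see the lead-in for which values are assumed).
SITE1_ROUTES = [
    ("192.168.101.0/24", "lan"),        # Site1 LAN
    ("10.212.134.0/24", "ssl.root"),    # Site1 SSL-VPN pool (mask assumed)
    ("192.168.102.0/24", "Site2Site"),  # Site2 LAN via the tunnel (assumed prefix)
    ("0.0.0.0/0", "wan"),
]
# The fix from the reply above: a static route for the Site2 SSL-VPN pool via the tunnel.
SITE1_ROUTES_FIXED = SITE1_ROUTES + [("10.212.130.0/24", "Site2Site")]


def rpf_check(routes, src_ip, in_intf, mode="loose"):
    """Model of the FortiOS reverse-path check for a packet from src_ip arriving on
    in_intf. loose (the FortiOS default): pass if any route covering the source
    points at in_intf. strict: pass only if the longest-prefix route points at it."""
    src = ipaddress.ip_address(src_ip)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if src in ipaddress.ip_network(p)]
    if not matches:
        return False
    if mode == "strict":
        _, best_intf = max(matches, key=lambda m: m[0].prefixlen)
        return best_intf == in_intf
    return any(i == in_intf for _, i in matches)


if __name__ == "__main__":
    for tid, t in summarize_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: {t['src']} -> {t['dst']} in={t['in_intf']} "
              f"out={t['out_intf']} policy={t['policy']} verdict={t['verdict']}")
    for label, table in (("before", SITE1_ROUTES), ("after static route", SITE1_ROUTES_FIXED)):
        print(f"Site1 RPF {label}: loose={rpf_check(table, '10.212.130.1', 'Site2Site')} "
              f"strict={rpf_check(table, '10.212.130.1', 'Site2Site', 'strict')}")
```

Running it shows trace 4 (Site2) as forwarded via Site2Site under policy 8 and trace 2 (Site1) as "drop: reverse path check fail", and the RPF model fails in both modes until the 10.212.130.0/24 route via Site2Site is present, which is exactly the symptom and fix discussed in the last reply. The same parser can be pointed at a full capture to spot traces that never reach a "send to" line.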
