Hi!
I've 2 Fortigate 40 with a IPSEC tunnel, working great.
Then in each one, I've a SSL vpn for client pc's, they can access local lan in both sites.
Problem is I need to allow access to Site 1 using SSL vpn on Site2.
Tried to adapt this https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn but cant get it to work.
On Site2 I created a policy to allow SSLVPN traffic to access the VPN tunnel:
Income - SSLVPN
Outgoing - IPSEC Tunnel
Source - IP range for SSL and the ssl user group
Destination - The remote subnet on Site1
Tried with and without NAT, but doesnt work.
Don´t I need a policy to allow in Site1 also? Tried that also, but doesnt work.
Can anyone help or point another example?
Thansk in advanced
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi pprior
If the config part is verified as per document shared. Please run below commands and share the output
* Login to FGT using putty ssh, log session and run below commands:
diag debug reset
diag debug en
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with Destination behind site B]
diag debug flow filter proto 1
diag debug flow trace start 999
Before executing above commands, ensure that there is no existing sessions from the IP . After executing above commands, connect sslvpn and ping to destination IP behind remote side. Once you see the output generated, enter following commands to turn off debugging-
diag debug disable
diag debug reset
Share the client IP , dst IP for analysis
Log putty sessions first to both devices and then generate traffic.
Thanks
Is SSL-VPN set to tunnel all or split-tunnel?
You are right you will need an SSL-VPN to IPSEC policy on Site2 and then on Site1 you will need an IPSEC to LAN(or what ever destination port they need).
If you do not NAT the policy on site2, you will need to make sure:
- the two sites do not use the same SSL-VPN subnet
- have the necessary routes on Site1
- IPSEC tunnels on both sides have the SSL-VPN subnet defined.
Hi GDiFi!
It's split-tunnel
I confirm:
- the two sites do not use the same SSL-VPN subnet
- have the necessary routes on Site1 *** I think so...
- IPSEC tunnels on both sides have the SSL-VPN subnet defined. *** I edited the tunnel and it has an address group that includes lan and ssl vpn subnet
Hi Team,
Please ensure you have done all the configuration according to this article:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn
Please check and keep us posted
Tried using 7.0.6 version (current in the 2 fg) as a guide, but the ipsec is working and cannot delete all and restart from scratch, so I adapt it.
Hi pprior
If the config part is verified as per document shared. Please run below commands and share the output
* Login to FGT using putty ssh, log session and run below commands:
diag debug reset
diag debug en
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with Destination behind site B]
diag debug flow filter proto 1
diag debug flow trace start 999
Before executing above commands, ensure that there is no existing sessions from the IP . After executing above commands, connect sslvpn and ping to destination IP behind remote side. Once you see the output generated, enter following commands to turn off debugging-
diag debug disable
diag debug reset
Share the client IP , dst IP for analysis
Log putty sessions first to both devices and then generate traffic.
Thanks
Created on 06-15-2022 03:56 AM Edited on 06-15-2022 03:56 AM
Hi pprior,
Ok, something now, not sure what ;)
2022-06-15 12:30:34 id=20085 trace_id=2 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2508."
2022-06-15 12:30:34 id=20085 trace_id=2 func=init_ip_session_common line=6042 msg="allocate a new session-000c63b2, tun_id=10.0.0.1"
2022-06-15 12:30:34 id=20085 trace_id=2 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:34 id=20085 trace_id=2 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:39 id=20085 trace_id=3 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2510."
2022-06-15 12:30:39 id=20085 trace_id=3 func=init_ip_session_common line=6042 msg="allocate a new session-000c63ff, tun_id=10.0.0.1"
2022-06-15 12:30:39 id=20085 trace_id=3 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:39 id=20085 trace_id=3 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:44 id=20085 trace_id=4 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2514."
2022-06-15 12:30:44 id=20085 trace_id=4 func=init_ip_session_common line=6042 msg="allocate a new session-000c643f, tun_id=10.0.0.1"
2022-06-15 12:30:44 id=20085 trace_id=4 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:44 id=20085 trace_id=4 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:49 id=20085 trace_id=5 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2515."
2022-06-15 12:30:49 id=20085 trace_id=5 func=init_ip_session_common line=6042 msg="allocate a new session-000c6461, tun_id=10.0.0.1"
2022-06-15 12:30:49 id=20085 trace_id=5 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:49 id=20085 trace_id=5 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:54 id=20085 trace_id=6 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2516."
2022-06-15 12:30:54 id=20085 trace_id=6 func=init_ip_session_common line=6042 msg="allocate a new session-000c6490, tun_id=10.0.0.1"
2022-06-15 12:30:54 id=20085 trace_id=6 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:54 id=20085 trace_id=6 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:30:59 id=20085 trace_id=7 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2517."
2022-06-15 12:30:59 id=20085 trace_id=7 func=init_ip_session_common line=6042 msg="allocate a new session-000c64b3, tun_id=10.0.0.1"
2022-06-15 12:30:59 id=20085 trace_id=7 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:30:59 id=20085 trace_id=7 func=ip_session_handle_no_dst line=6128 msg="trace"
*** other traffic removed ***
2022-06-15 12:31:00 id=20085 trace_id=9 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 192.168.101.2:61291->192.168.101.1:0) tun_id=0.0.0.0 from lan. type=0, code=0, id=61291, seq=37250."
2022-06-15 12:31:00 id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5949 msg="Find an existing session, id-000c192c, reply direction"
2022-06-15 12:31:00 id=20085 trace_id=9 func=__ip_session_run_tuple line=3503 msg="DNAT 192.168.101.1:0->10.212.134.100:1"
2022-06-15 12:31:00 id=20085 trace_id=9 func=npu_handle_session44 line=1183 msg="Trying to offloading session from lan to ssl.root, skb.npu_flag=00000400 ses.state=01002204 ses.npu_state=0x00041108"
2022-06-15 12:31:00 id=20085 trace_id=9 func=fw_forward_dirty_handler line=410 msg="state=01002204, state2=00000001, npu_state=00041108"
2022-06-15 12:31:00 id=20085 trace_id=9 func=ids_receive line=417 msg="send to ips"
2022-06-15 12:31:04 id=20085 trace_id=10 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2518."
2022-06-15 12:31:04 id=20085 trace_id=10 func=init_ip_session_common line=6042 msg="allocate a new session-000c64e4, tun_id=10.0.0.1"
2022-06-15 12:31:04 id=20085 trace_id=10 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:31:04 id=20085 trace_id=10 func=ip_session_handle_no_dst line=6128 msg="trace"
2022-06-15 12:31:09 id=20085 trace_id=11 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2519."
2022-06-15 12:31:09 id=20085 trace_id=11 func=init_ip_session_common line=6042 msg="allocate a new session-000c650d, tun_id=10.0.0.1"
2022-06-15 12:31:09 id=20085 trace_id=11 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-06-15 12:31:09 id=20085 trace_id=11 func=ip_session_handle_no_dst line=6128 msg="trace"
Hi pprior,
2022-06-15 12:30:34 id=20085 trace_id=2 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=1, 10.212.130.1:1->192.168.101.2:2048) tun_id=10.0.0.1 from Site2Site. type=8, code=0, id=1, seq=2508."
2022-06-15 12:30:34 id=20085 trace_id=2 func=init_ip_session_common line=6042 msg="allocate a new session-000c63b2, tun_id=10.0.0.1"
2022-06-15 12:30:34 id=20085 trace_id=2 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop" >> The packet is entering from tunnel interface Site2Site on this FGT device but FGT drops the packet with error ""reverse path check fail, drop"
Looks like this FGT is not learning subnet 10.212.130.0/24 via Site2Site interface.
get router info routing-table details 10.212.130.1
--this command can tell the interface FGT is learning route from for this network
Try creating static route for 10.212.130.0/24 with interface as Site2Site on this FGT and then test.
If issue persist post route addition, collect the same debug output on this FGT and the above command and share.
Doc to refer: https://community.fortinet.com/t5/FortiGate/Technical-Note-Details-about-FortiOS-RPF-Reverse-Path-Fo...
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.