Hi!
I've 2 Fortigate 40 with a IPSEC tunnel, working great.
Then in each one, I've a SSL vpn for client pc's, they can access local lan in both sites.
Problem is I need to allow access to Site 1 using SSL vpn on Site2.
Tried to adapt this https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/45836/ssl-vpn-to-ipsec-vpn but cant get it to work.
On Site2 I created a policy to allow SSLVPN traffic to access the VPN tunnel:
Income - SSLVPN
Outgoing - IPSEC Tunnel
Source - IP range for SSL and the ssl user group
Destination - The remote subnet on Site1
Tried with and without NAT, but doesnt work.
Don´t I need a policy to allow in Site1 also? Tried that also, but doesnt work.
Can anyone help or point another example?
Thansk in advanced
Solved! Go to Solution.
Hi pprior
If the config part is verified as per document shared. Please run below commands and share the output
* Login to FGT using putty ssh, log session and run below commands:
diag debug reset
diag debug en
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with Destination behind site B]
diag debug flow filter proto 1
diag debug flow trace start 999
Before executing above commands, ensure that there is no existing sessions from the IP . After executing above commands, connect sslvpn and ping to destination IP behind remote side. Once you see the output generated, enter following commands to turn off debugging-
diag debug disable
diag debug reset
Share the client IP , dst IP for analysis
Log putty sessions first to both devices and then generate traffic.
Thanks
Got his info:
get router info routing-table details 10.212.130.1
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 5, metric 0, best
* ext.ip.98.1, via lan3
SOLVED!!!
after creating a static route and a policy to allow traffic from SITE1 to SSL VPN in SITE 2, it started pinging.
Thank you NTANEJA and all the other for the support!
Great Forum.
Hi there,
FGT1 IPSEC with FGT2.
SSLVPN connect to FGT2.
You want to access network on FGT1.
Here is the general idea:
On FGT2:
Income - SSLVPN
Outgoing - IPSEC Tunnel
Source - All
Destination - All
No NAT
ON FGT1 and FGT2.
On IPSEC phase2, please include SSLVPN ip range.
Looking at your summary, you are missing SSLVPN range on the Phase2.
Hi, thanks for the help!
Even with the address groups including site2 lan and site vpn subnet, still doesnt work...
Please add the phase2 on both site. Make sure your static route using "to_FV_remote" Interface Site2Site. Im suspecting this issue related to routing now.
These are the first points I would going to ask about.
I believe we have to check routing at the ends to ensure that the packets go through the tunnel. Also, we could check the log on FortiGate to confirm that the correct policies are matched. Normally, problems start at the routing and ends at the policy.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.