- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL traffic doesn't through into IPsec tunnel with...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL traffic doesn't through into IPsec tunnel with SSL subnet
Hi Guys,
I have seen so many threads on this topic and i followed each and everyone but no success so far. I would like to explain you my situation. I have made a tunnel (route-based) between FGT and Cisco ASA and that is working fine with no issue. I have included all my networks like local, SSL and remote in IPsec phase2 selectors and implement the policies as required. My SSL user can connect to FGT successfully and can reach my local network but cant through into the Ipsec tunnel.
After few attempts, i have used a trick and changed my SSL subnet same as my local subnet and i got through into tunnel and SSL user can use resources on both local and remote network. BUT obviously this is not a solution which i want to see. I want to understand what is missing in my configuration. I would really appropriate any advise.
Local Subnet - 192.168.2.0/24
Remote Subnet - 192.168.40.0/24
SSL Subnet - 10.10.10.0/24
Regards,
Moami
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN comes from ssl.root, if not vdom env, just like IPSec comes from its own interface. So you have to have a route for 10.10.10.0/24 subnet to ssl.root and a policy from (and to if local or the other end of IPSec need to reach them) the SSL VPN clients. Probably you know this part well.
Then, the IPSec needs to carry the traffic fro/to 10.10.0/24 so ASA needs to have a proper route and policy (I'm not an ASA expert) for the same subnet. My guess is on the ASA side.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for the reply,
I have already configured routing on FGT, one static route to IPsec pointing to remote network. one static route to ssl.root pointing to 10.10.10.0/24.The polices are set from IPsec to ssl.root and from ssl.root to ipsec.
The ipsec tunnel is up and running. i have configured a default route on ASA pointing to internet and setup a policy to allow FGT local and ssl subnet. Still cant access ipsec tunnel via ssl client.
Only way that things works is change my ssl subnet same as local subnet then i can connect tunnel via ssl.
I will be appreciated any advise.
Regds
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure the static route to both tunnels is lower than the default gateway distance.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I still think the ASA doesn't route 10.10.10.0/24 into the tunnel while packets toward 192.168.40.0/24 are reaching ASA over the tunnel. To verify, you need to sniff packets between these subnets at the FG by disabling auto-asic-offload on the IPSec policies. You're situation is nothing different from having another router behind the FG and the router serving a separate subnet, say 192.168.50.0/24. The router needs to know where to route to get back to 10.10.10.0/24.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The cli-cmd diag debug flow is your friend.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks guys for your comments !
I have fixed this issue. I have done following steps,
FGT End:
- Created IPsec tunnel (Policy Based)
- Allowed policy LAN to WAN with ipsec action for site to site tunnel
- using one default route 0.0.0.0/0.0.0.0 ---> WAN
- Allowed policy for SSL.root to Ipsec with action ipsec, included local and remote protected traffic
ASA End:
- Created Object group for both Local. remote and ssl
- Created access-list and allowed protected traffic
- disable NAT
- Created default route outside 0.0.0.0/0.0.0.0 ---> next hop
Enjoy ! :)
Related Posts
- Switch forwards packets to Fortigates as... 99 Views
- How to route ougoing FG traffic... 72 Views
- FortiGate 61F Blocked Web access after... 146 Views
- TRAFFIC SHAPPING TO IPSEC TUNNEL 182 Views
- Is there a way to exempt... 85 Views
Labels
-
FortiGate
6,754 -
FortiClient
1,344 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
346 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
86 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.