We have a setup where we connect to our Azure resources using a Site2site IPSec VPN connection, which works as expected.
However, once my clients connect from Forticlient using SSLVPN, traffic does not get routed to Azure.
I have created Firewall rules that allow traffic from SSLVPN to Azure remote IP addresses.
SSLVPN splitmode is disabled, as I want all traffic over my VPN.
SSLVPN Clients can connect to LAN and WAN resources.
SSLVPN clients cannot connect to Azure resources.
If someone can point me in any direction, it would be very appreciated.
Hi @MoccaMaster
From the debug:
FG1 # id=20085 trace_id=4011 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.210.134.100:1->10.100.0.6:2048) from ssl.root. type=8, code=0, id=1, seq=4614."
id=20085 trace_id=4011 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-01a4d8b0, original direction"
id=20085 trace_id=4011 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=4011 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.210.134.100->172.16.0.1:60417"
id=20085 trace_id=4011 func=ipsecdev_hard_start_xmit line=790 msg="enter IPsec interface-AzureVPN"
id=20085 trace_id=4011 func=_ipsecdev_hard_start_xmit line=667 msg="IPsec tunnel-AzureVPN"
id=20085 trace_id=4011 func=ipsec_common_output4 line=875 msg="No matching IPsec selector, drop"
Can you confirm the phase2 selectors?
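The trace above shows the SSL VPN client's packet being SNATed to 172.16.0.1, entering the AzureVPN IPsec interface, and then being dropped because no phase2 selector covers that source/destination pair. As an added example, not from this thread or from Fortinet, the Python below parses `diagnose debug flow` lines of that shape, reports the post-SNAT source each flow actually presents to the tunnel, and checks it against a list of phase2 selectors; the selector list, the 192.168.1.0/24 LAN and the second flow (trace_id 4012) are assumed values constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample: trace_id 4011 reproduces the thread's SSL VPN flow;
# trace_id 4012 is an invented LAN flow that reaches the tunnel without SNAT.
SAMPLE_TRACE = """\
id=20085 trace_id=4011 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.210.134.100:1->10.100.0.6:2048) from ssl.root. type=8, code=0, id=1, seq=4614."
id=20085 trace_id=4011 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.210.134.100->172.16.0.1:60417"
id=20085 trace_id=4011 func=ipsecdev_hard_start_xmit line=790 msg="enter IPsec interface-AzureVPN"
id=20085 trace_id=4011 func=ipsec_common_output4 line=875 msg="No matching IPsec selector, drop"
id=20085 trace_id=4012 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->10.100.0.6:2048) from internal. type=8, code=0, id=1, seq=7."
id=20085 trace_id=4012 func=ipsecdev_hard_start_xmit line=790 msg="enter IPsec interface-AzureVPN"
"""
# Hypothetical phase2 selectors as (src-subnet, dst-subnet): the LAN is covered,
# the SSL VPN pool and the SNAT address are not, which is what the trace points at.
PHASE2_SELECTORS = [("192.168.1.0/24", "10.100.0.0/16")]
MSG_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
PKT_RE = re.compile(r'\((?:proto=\d+, )?(\S+?):\d+->(\S+?):\d+\)')
SNAT_RE = re.compile(r'SNAT (\S+)->(\S+?):\d+')

def parse_flows(text):
    # Group debug-flow lines by trace_id; keep src/dst, post-SNAT src, tunnel, drop.
    flows = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        f = flows[tid]
        if func == "print_pkt_detail":
            f["src"], f["dst"] = PKT_RE.search(msg).groups()
        elif msg.startswith("SNAT"):
            f["snat_src"] = SNAT_RE.search(msg).group(2)  # the source the tunnel sees
        elif "interface-" in msg:
            f["tunnel"] = msg.split("interface-", 1)[1]
        elif msg.endswith("drop"):
            f["drop"] = msg
    return dict(flows)

def selector_match(src, dst, selectors):
    # True if some (src-subnet, dst-subnet) pair covers the packet.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r)
               for l, r in selectors)

def diagnose(text, selectors):
    # Per flow: effective (post-SNAT) source and whether any selector covers it.
    report = {}
    for tid, f in parse_flows(text).items():
        eff_src = f.get("snat_src", f["src"])
        report[tid] = {"effective_src": eff_src, "dst": f["dst"],
                       "tunnel": f.get("tunnel"), "dropped": "drop" in f,
                       "selector_match": selector_match(eff_src, f["dst"], selectors)}
    return report
```

A flow reported as `dropped` with `selector_match` false means the selectors should be compared against the `effective_src`, not the client's original SSL VPN address.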
Thanks for sharing the solution, MoccaMaster :)
Compare the shared key for the on-premises VPN device to the Azure Virtual Network VPN to make sure that the keys match.
To view the shared key for the Azure VPN connection, use one of the following methods:
Azure portal
Go to the VPN gateway site-to-site connection that you created.
In the Settings section, click Shared key.
Check for and remove user-defined routing (UDR) or Network Security Groups (NSGs) on the gateway subnet, and then test the result. If the problem is resolved, validate the settings that UDR or NSG applied.
If the Internet-facing IP address of the VPN device is included in the Local network definition in Azure, you might experience sporadic disconnections.
The perfect forward secrecy feature can cause disconnection problems. If the VPN device has perfect forward secrecy enabled, disable the feature. Then update the VPN gateway IPsec policy.
@teatime232 the tunnel is working from on-premise to and from Azure servers.
Copyright 2024 Fortinet, Inc. All Rights Reserved.