SSLVPN to IPsec subnet
Recently we set up a DR site with a new FGT100F firewall.
We configured an IPsec site-to-site tunnel from our main firewall to the new DR site.
The tunnel is working and we can connect to the DR site with no issues.
But then we realized that SSLVPN users cannot connect to the DR site.
Is there any special routing needed at both ends of the firewalls in order for SSLVPN users to connect to the DR site?
SSLVPN users have no issues connecting back to the main office subnet or other remote office subnets which are connected via MPLS circuits.
main office -> 172.16.0.0/24 <-----------> new DR site 172.32.0.0/24
SSLVPN users -> 172.15.0.0/24
Labels: FortiGate
Hi @yeowkm99,
As I understand it, you are trying to access the DR subnet with the setup below.
[Src : Remote User]---------SSLVPN-------[Main Office]---------IPsec VPN-------[DR Office]-----[Dst]
Refer to the article below and verify the configuration.
If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
Thanks,
I don't understand what is meant by this:
"When the dialup tunnel split tunnel enable needs to have the routing address in our case it needs to have 10.158.0.0/20 and 10.157.0.0/20"
Hi yeowkm99,
On the main office FortiGate, the IPsec traffic selectors should include 172.15.0.0/24 (local) to 172.32.0.0/24 (remote).
In the SSL VPN portal, if split tunnel is enabled, then add 172.32.0.0/24 to the list in the routing address override. ------> This should answer your above query.
There should be a policy from SSL VPN to the IPsec tunnel interface where the source should be 172.15.0.0/24 and the destination should be 172.32.0.0/24.
On the DR FortiGate,
the IPsec traffic selector should include 172.32.0.0/24 (local) to 172.15.0.0/24 (remote).
Add the destination 172.15.0.0/24 in the existing IPsec policy.
Kavya
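The configuration Kavya describes, written out as FortiOS CLI for both firewalls. This is an added example, not configuration posted in the thread or published by Fortinet; the tunnel, interface, portal, group and address object names (`to-DR`, `to-Main`, `ssl.root`, `full-access`, `sslvpn-users`, `SSLVPN-net`, `DR-net`, `Main-net`) and the policy ID 10 are assumptions, and it assumes a route-based tunnel whose routes are static. It also spells out the step the reply leaves implicit: the DR FortiGate needs a route for 172.15.0.0/24 pointing at the tunnel interface, otherwise return traffic from the DR LAN follows the default route instead of the tunnel. Note that 172.15.0.0/24 and 172.32.0.0/24 fall outside the RFC 1918 block 172.16.0.0/12, so they overlap public address space; the example keeps the subnets exactly as posted.

```text
### Main office FortiGate ###

# Address objects: SSL VPN client pool, main office LAN, DR LAN
config firewall address
    edit "SSLVPN-net"
        set subnet 172.15.0.0 255.255.255.0
    next
    edit "Main-net"
        set subnet 172.16.0.0 255.255.255.0
    next
    edit "DR-net"
        set subnet 172.32.0.0 255.255.255.0
    next
end

# Extra phase 2 selector on the existing tunnel "to-DR":
# SSL VPN pool (local) <-> DR LAN (remote).
# The existing 172.16.0.0/24 <-> 172.32.0.0/24 selector stays as is.
config vpn ipsec phase2-interface
    edit "to-DR-sslvpn"
        set phase1name "to-DR"
        set src-subnet 172.15.0.0 255.255.255.0
        set dst-subnet 172.32.0.0 255.255.255.0
    next
end

# Split tunnel: SSL VPN clients only receive routes for the listed
# addresses, so the DR LAN must be added next to the main office LAN.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Main-net" "DR-net"
    next
end

# Policy from the SSL VPN interface into the IPsec tunnel interface
config firewall policy
    edit 0
        set name "SSLVPN-to-DR"
        set srcintf "ssl.root"
        set dstintf "to-DR"
        set srcaddr "SSLVPN-net"
        set dstaddr "DR-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
    next
end

### DR FortiGate ###

config firewall address
    edit "SSLVPN-net"
        set subnet 172.15.0.0 255.255.255.0
    next
end

# Mirror selector: DR LAN (local) <-> SSL VPN pool (remote)
config vpn ipsec phase2-interface
    edit "to-Main-sslvpn"
        set phase1name "to-Main"
        set src-subnet 172.32.0.0 255.255.255.0
        set dst-subnet 172.15.0.0 255.255.255.0
    next
end

# Return route for the SSL VPN pool via the tunnel interface
config router static
    edit 0
        set dst 172.15.0.0 255.255.255.0
        set device "to-Main"
    next
end

# Add the SSL VPN pool as an allowed source on the existing
# tunnel -> LAN policy (assumed to be policy ID 10)
config firewall policy
    edit 10
        append srcaddr "SSLVPN-net"
    next
end

### Verify (run on the main office FortiGate) ###
# Both phase 2 selectors should show as up under the tunnel:
diagnose vpn tunnel list name to-DR
# A DR host must resolve to the tunnel interface, not the default route:
get router info routing-table details 172.32.0.10
# Watch a connected SSL VPN client's packets enter the tunnel:
diagnose sniffer packet any 'host 172.15.0.10 and host 172.32.0.10' 4
```

If the sniffer shows the client's packets arriving on ssl.root but never leaving on the tunnel interface, the missing piece is on the main office side (policy or selector); if they leave on the tunnel but no reply comes back, check the DR side selector, the return route and the policy source list.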
