- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: SSLVPN to Remote Site via IPSec VPN?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSLVPN to Remote Site via IPSec VPN?
Hi ALL,
I get an issue still finding the way to solve it, hope can invite your input or advise in a faster way, thanks!
This is the case: I have to allow some clients to connect to the Office A via SSLVPN, and then accessing the resources in Office B, in which the Office B & Office A are connected by Site-to-Site IPSec VPN. Once the SSLVPN client is connected successfully, I can only access to the resource in Office A, but even cannot ping to resource in Office B...
Do you have any suggestion/idea to enlighten me? Thanks a lot! 
Protect yourself~ http://www.secunia.com
MBCS CEH FCNSA
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See this post:
http://support.fortinet.com/forum/tm.asp?m=92337&p=1&tmode=1&smode=1
Bottom line, your office site A needs to have it' s tunnel to site B set up in interface mode.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the exact same scenario with only one major difference. Site B is not a fortinet firewall so A route based vpn may not be doable in every circumstance. I suspect that this is possible using a policy based vpn as well. Does anyone have any input on this? Idea' s
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both sides don' t need to be set up in the same way. If using 2 FGTs, one could be interface while the other route based. As long as the tunnel is established and the handshaking is good, the other end shouldn' t care one way or the other how it' s done.
With a policy based tunnel, there is no way to tell the local FGT how to route traffic to remote subnets that aren' t directly attached to the remote unit. In route mode, try it all you want. When you' re done pulling your hair out, set up the tunnel in interface mode, set up the static routes, and enjoy your favorite beverage.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rwpattersonThanks rwpatterson! I just re-setup the site-to-site IPSec VPN in Interface Mode at mid-night. Now the tunnel is up and traffic could be redirected to both side. However, I have a bit confuse with the static route and the local IP / remote IP that " should be" configured on the Interface as a virtual one. Does the virtual IP have to be setup? Because it' s indicated on the fg doc, the IPs should not be used in any network. During the traceroute, that interface IP would be one of the hop as gateway to another side... can I omit that interface IP and use the firewall' s internal IP just like in policy based vpn mode? Also, it seems that I still cannot allow the SSLVPN subnet to access to the remote Office B resource...
Protect yourself~ http://www.secunia.com
MBCS CEH FCNSA
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: wcbenyip However, I have a bit confuse with the static route and the local IP / remote IP that " should be" configured on the Interface as a virtual one. Does the virtual IP have to be setup? Because it' s indicated on the fg doc, the IPs should not be used in any network. During the traceroute, that interface IP would be one of the hop as gateway to another side... can I omit that interface IP and use the firewall' s internal IP just like in policy based vpn mode?You only need the interface IP if you are doing higher level routing (OSPF, BGP, etc).
Also, it seems that I still cannot allow the SSLVPN subnet to access to the remote Office B resource...The easiest way to fix that would be to NAT that traffic with an IP address that is permitted in the phase 2 selectors for the tunnel. The long way would be to add another phase 2 that covers the SSL VPN IP subnet. Oh yes, and the correct policy needs to be in place!
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1/ So, that means if I am not applying higher level routing, then it' s no need to set the interface IP and just leave it as 0.0.0.0 is OK?
2/ Actually, we have the dial-up IPSec VPN client that connecting to the Office A, and then going to Office B with that Interface Mode VPN as well... now I cannot access to the fc client from Office B.... and detailed hint? Many thanks!
More detail: (current scenario)
FC client(IPSec) ---> Office A <---(IPSec VPN interface mode)---> Office B
+ SSLVPN
Q1/ FC Client ---------> Resource in Office B
Q2/ SSLVPN ----------> Resource in Office B
Q3/ Office B ----------> FC Client
Protect yourself~ http://www.secunia.com
MBCS CEH FCNSA
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Related Posts
- IPSec tunnel error : no SA... 150 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 270 Views
- FortiClient IPSec VPN keeps connecting to... 163 Views
- Policy based routing to IPsec tunnel 183 Views
- Fortclient VPN Client Linux - IPSEC... 390 Views
Labels
-
FortiGate
6,531 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.