Dear all,
I have problem with user identity policy for remote vpn branch users.
At branch Fortigate (30D, version 5.0) I have default route pointing to vpn tunnel.
My HQ Fortigate is 80C v5.0,build0292 (GA Patch 9). All important policies are implemented on HQ firewall.
After HQ firewall upgrade to 5.0 identity policy for VPN subnet started to submit url containing public (WAN) IP address of HQ fortigate - something like http://<public IP>:1000/fgtauth?cgi
I think that this is because routing to branch subnet is going by WAN interface, and HQ fortigate considers WAN address as closest to the user.
Can You help me?
Best regards,
Piotr M.
Solved! Go to Solution.
FGT is using closest interface IP to issue auth request. And from description it does seems to me that your VPN interface is unnumbered. So easiest way is to use private IP range and number the tunnel interfaces with some IP/network. This way the requests should come back to tunnel with FGT tunnel interface IP as source.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
@piotrmor yes, it should be enough.
@rwpetterson I do like interface mode over policy mode. I love idea to use tunnel IKE (phase1) as interface and act accordingly towards the tunnel. Really helpful for routing and policy clarity, also for routing through for SSO, auth, BGP and OSPF stuff and lot more .. Interface mode IPSec is just my personal preference.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
FGT is using closest interface IP to issue auth request. And from description it does seems to me that your VPN interface is unnumbered. So easiest way is to use private IP range and number the tunnel interfaces with some IP/network. This way the requests should come back to tunnel with FGT tunnel interface IP as source.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
The tunnels should be in interface mode, not policy mode. (I know they should be there already, but never assume...)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
@piotrmor yes, it should be enough.
@rwpetterson I do like interface mode over policy mode. I love idea to use tunnel IKE (phase1) as interface and act accordingly towards the tunnel. Really helpful for routing and policy clarity, also for routing through for SSO, auth, BGP and OSPF stuff and lot more .. Interface mode IPSec is just my personal preference.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Thank You, it works!
Piotr M.
Thank You for answer, tomorrow I'll try to fix this issue using private address space.
Is it enough to enter local and remote IP address under System > Network > Interfaces -> <my tunnel interface>?
Now I have all addresses set to 0.0.0.0.
Piotr M.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.