Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
piotrmor
New Contributor

User identity policy for remote VPN branch

Dear all,

 

I have problem with user identity policy for remote vpn branch users.

At branch Fortigate (30D, version 5.0) I have default route pointing to vpn tunnel.

My HQ Fortigate is 80C v5.0,build0292 (GA Patch 9). All important policies are implemented on HQ firewall.

After HQ firewall upgrade to 5.0 identity policy for VPN subnet started to submit url containing public (WAN) IP address of HQ fortigate - something like http://<public IP>:1000/fgtauth?cgi

I think that this is because routing to branch subnet is going by WAN interface, and HQ fortigate considers WAN address as closest to the user.

Can You help me?

 

Best regards,

 

Piotr M.

 

2 Solutions
xsilver_FTNT
Staff
Staff

FGT is using closest interface IP to issue auth request. And from description it does seems to me that your VPN interface is unnumbered. So easiest way is to use private IP range and number the tunnel interfaces with some IP/network. This way the requests should come back to tunnel with FGT tunnel interface IP as source.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

View solution in original post

xsilver_FTNT

@piotrmor  yes, it should be enough.

 

@rwpetterson  I do like interface mode over policy mode. I love idea to use tunnel IKE (phase1) as interface and act accordingly towards the tunnel. Really helpful for routing and policy clarity, also for routing through for SSO, auth, BGP and OSPF stuff and lot more .. Interface mode IPSec is just my personal preference.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

View solution in original post

5 REPLIES 5
xsilver_FTNT
Staff
Staff

FGT is using closest interface IP to issue auth request. And from description it does seems to me that your VPN interface is unnumbered. So easiest way is to use private IP range and number the tunnel interfaces with some IP/network. This way the requests should come back to tunnel with FGT tunnel interface IP as source.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

rwpatterson
Valued Contributor III

The tunnels should be in interface mode, not policy mode. (I know they should be there already, but never assume...)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
xsilver_FTNT

@piotrmor  yes, it should be enough.

 

@rwpetterson  I do like interface mode over policy mode. I love idea to use tunnel IKE (phase1) as interface and act accordingly towards the tunnel. Really helpful for routing and policy clarity, also for routing through for SSO, auth, BGP and OSPF stuff and lot more .. Interface mode IPSec is just my personal preference.

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

piotrmor

Thank You, it works!

 

Piotr M.

piotrmor

Thank You for answer, tomorrow I'll try to fix this issue using private address space.

Is it enough to enter local and remote IP address under System > Network > Interfaces -> <my tunnel interface>?

Now I have all addresses set to 0.0.0.0.

 

Piotr M.

Top Kudoed Authors