akl4u2
New Contributor

SSL VPN to IPsec tunneling just doesn't work

Hi all.

I have a main site and a remote site.

The main site is connected to the remote site with an IPsec tunnel and it works perfectly.

I can also connect to the main site with SSL VPN without problems, but when I'm trying to reach the remote site I can't.

The main site is ==> 192.168.1.x

The remote site is ==> 10.0.0.x

SSL VPN ===> 172.17.0.X

I've tried everything I can - static route / policy, nothing works.

In the IPsec VPN Phase 2 it's 0.0.0.0 on both sides.

Any help on how to solve this will be more than appreciated.

Thanks in advance.

Toshi_Esumi
SuperUser

First of all, is the SSL VPN "split tunnel", or does the client's internet traffic come over the SSL VPN when it's connected? If split, the first thing I would suspect is that 10.0.0.x/24 is not in the client machine's routing table, which should be automatically injected based on the policy.

The rest is just routing between the main and the remote, especially the remote side being able to get back to 172.17.0.x since the selector is 0/0. I assume you already verified that. Then check what traceroute shows from the client toward 10.0.0.x, whether it goes into the IPsec tunnel or not.

tanr
Valued Contributor II

Make sure you have the appropriate security policies in place too, from the ssl-vpn tunnel interface to the IPsec tunnel, etc.

akl4u2
New Contributor

I'll check it all and answer tomorrow at work. From the SSL-VPN to the IPsec I think I do have the appropriate security policies, but I'll upload pics tomorrow.
Ashik_Sheik

Hi,

Kindly enable NAT on the SSL-VPN to IPsec tunnel policy, which will solve your routing issue.


Regds,

Ashik
akl4u2

Hi,

I've checked everything - NAT didn't help :\

I've created a new SSL-VPN group and associated it with "tunnel-mode".

In the "tunnel mode" I checked Enable split tunneling.

In the Routing Address I've put the main site local address object and the remote site address object.

In the Source IP Pools I've put the SSL-VPN tunnel address object, which is the IP range 172.16.0.100-135.

Created a new security policy - incoming: ssl.root --> dest: "IPsec VPN" --> source: the tunnel address object and the newly created group --> dest: remote site local IP addresses object --> always / all and accept.

In the remote site I created a new object for the SSL-VPN IP and created a policy that says:

incoming int: IPsec VPN --> src: "ssl-vpn address" --> outgoing: LAN --> always / accept...

But still no go...

Two things I've probably done wrong...

When looking at the IP address that I'm getting from the SSL-VPN, it's on subnet 255.255.255.255 because it's from the IP range - not sure how to create a proper static route in the remote site.

Second, when I did a traceroute to the main site it went straight from my computer IP to the server address.

When I did a traceroute to the remote site it looked like it's not going through the tunnel and is trying to go out to the internet instead, even though the remote site address is in the SSL-VPN "tunnel mode".

Hope I wrote everything clearly.

Thank you all.

tanr
Valued Contributor II

Here are some details from my own SSL VPN setup with a connection in to the main location, needing access to the branch over the IPsec connection. Note that you need to have specified a Source IP Pool object for the SSL VPN.

  • At the main location: Security policy for SSL VPN to the IPsec VPN for the branch location
      • Source is the IP range given to the dialup SSL VPN users (specified in SSL VPN Source IP Pool)
      • Destination is the subnet of the branch location LAN
      • No NAT
  • Main location (already) has a static route over IPsec to the branch location LAN subnet
  • At the branch location: Security policy for IPsec interface to the LAN interface accessed by SSL VPN users
      • Source is the IP range given to the dialup SSL VPN users at the main location
      • Destination is the subnet of the branch location LAN
      • No NAT
  • Branch location needs a static route over the IPsec interface with destination of the subnet given to SSL VPN users

    Hope that helps.
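Rendering that checklist as FortiOS CLI, as an added example rather than configuration posted by anyone in this thread: ssl.root is FortiOS's default SSL VPN interface, while "to_branch", "to_main" and "internal" are assumed names for the IPsec tunnel and LAN interfaces; the address object, user group and portal names, and the 172.17.0.100-135 pool, are all assumptions chosen to match the addresses in the original post (the follow-up mentions 172.16.0.x instead; whichever range the pool actually uses is the one the branch route must cover).

```fortios
# ---- Main site FortiGate (constructed example; object and interface names are assumptions) ----
# Address objects: the SSL VPN pool, the main LAN and the branch LAN
config firewall address
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 172.17.0.100
        set end-ip 172.17.0.135
    next
    edit "MAIN_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "BRANCH_LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Hand the pool to the SSL VPN and push split-tunnel routes for BOTH LANs,
# so the client's routing table receives 10.0.0.0/24 via the SSL VPN adapter
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_POOL"
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "MAIN_LAN" "BRANCH_LAN"
    next
end

# Policy from the SSL VPN interface into the IPsec tunnel interface with NAT off,
# so the branch sees the real 172.17.0.x source and can route the reply back to it
config firewall policy
    edit 0
        set name "sslvpn-to-branch"
        set srcintf "ssl.root"
        set dstintf "to_branch"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "BRANCH_LAN"
        set groups "SSLVPN_USERS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# The main site already has its static route for 10.0.0.0/24 via "to_branch".

# ---- Branch site FortiGate ----
# With a 0.0.0.0/0 phase 2 selector the tunnel will carry anything, but the branch
# still has no idea that 172.17.0.0/24 lives behind it: that is the missing return route
config firewall address
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 172.17.0.100
        set end-ip 172.17.0.135
    next
    edit "BRANCH_LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 172.17.0.0 255.255.255.0
        set device "to_main"
    next
end
config firewall policy
    edit 0
        set name "sslvpn-users-to-lan"
        set srcintf "to_main"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "BRANCH_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The 255.255.255.255 mask the client sees on its dialup address is normal and is not what the branch routes on: the branch needs a route for the whole pool subnet, so one static route for 172.17.0.0/24 via the tunnel interface covers every client. To confirm, `get router info routing-table all` on the branch should list 172.17.0.0/24 via "to_main", and on the main site `diagnose sniffer packet to_branch 'host 172.17.0.100' 4` shows whether a connected client's packets actually enter the tunnel, which is what Toshi_Esumi's traceroute check is getting at.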
