Hi, I have a problem. I have configured a Fortigate with an IPsec tunnel to a Cisco firewall and everything is working. Now my requirement is as follows: connect via SSL VPN through Forticlient VPN to Fortigate and browse both the LAN connected to Fortigate (192.168.1.0/24) and the remote VPN connected to Cisco (192.168.44.0/24). I am able to connect correctly through the VPN client to Fortigate and browse the 192.168.1.0/24 LAN, but I cannot access the Cisco LAN (192.168.44.0/24) on the IPsec tunnel. What firewall policies should I set on the Fortigate?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello
Allow this:
- source : SSL-VPN
- Destination: IPsec / 192.168.44.0/24
Configure your SSL-VPN to push route 192.168.44.0/24 to your VPN client
Created on 04-13-2023 02:26 PM Edited on 04-13-2023 02:27 PM
Before that we need to know if the SSL VPN is "split-tunnel" or no split-tunnel. If split-tunnel, yes, you need to have Cisco LAN subnet in the split network list.
But basically you need to take case of three things in addition to the split-tunnel:
1) phase2 network selector(s) on the IPsec to allow traffic between SSL VPN client IPs and the Cisco LAN subnet unless you use the default 0/0<->0/0 phase2.
2) routing for both toward the Cisco LAN and back from the Cisco toward the SSL VPN client IPs.
3) at least one policy ssl.root->IPsec interface, and IPsec->ssl.root in case the Cisco LAN side needs to reach out those SSL VPN clients.
Toshi
Hello Andrew,
You need to add both SSL VPN IP address pool and LAN subnet (192.168.1.0/24) of FortiGate in the firewall policy as source and destination as remote subnet (192.168.44.0/24)
You can refer below document for the configuration of SSL VPN with the IPSEC VPN.
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/45836/ssl-vpn-to-ipsec-vpn
BR
i have modified the configuration like this but not ping 192.168.44.0/24
hello
Is the forticlient network present in the IPSEC tunnel?
If yes, have you created routing object for the Cisco network in the config for SSLVPN?
If yes, have you created a FW policy to allow Forticlient traffic to communicate to the Cisio network?
Hi Andrewd,
Kindly share the "route print" command output from the PC on which you are facing the issue. Also for the VPN policy to check the traffic flow we need the flow debug output below to check and suggest:
diagnose debug reset
diagnose debug disable
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter saddr <user IP address>
diagnose debug flow filter daddr <destination IP address which is behind CISCO>
diagnose debug flow filter proto 1
diagnose debug flow trace start 99
diagnose debug enable
NOTE: Replicate the issue by initiating the ping traffic for few packets and then after 5-10sec, disable the logs by executing:
diagnose debug disable
diag debug reset
Regards,
Parteek
Show us the result of "route print" for windows or "route -nr" for Mac while the client is connected.
Also show us "tracert 192.168.44.X"(win) or "traceroute 192.168.44.X"(Mac) (X needs to be replaced with a real IP).
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.