Support Forum
andrewd73
New Contributor

VPN

Hi, I have a problem. I have configured a Fortigate with an IPsec tunnel to a Cisco firewall and everything is working. Now my requirement is as follows: connect via SSL VPN through Forticlient VPN to Fortigate and browse both the LAN connected to Fortigate (192.168.1.0/24) and the remote VPN connected to Cisco (192.168.44.0/24). I am able to connect correctly through the VPN client to Fortigate and browse the 192.168.1.0/24 LAN, but I cannot access the Cisco LAN (192.168.44.0/24) on the IPsec tunnel. What firewall policies should I set on the Fortigate?

AEK
SuperUser

Hello

Allow this:

- Source: SSL-VPN
- Destination: IPsec / 192.168.44.0/24

Configure your SSL-VPN to push the route 192.168.44.0/24 to your VPN client.


AEK
Toshi_Esumi

Before that we need to know if the SSL VPN is "split-tunnel" or no split-tunnel. If split-tunnel, yes, you need to have the Cisco LAN subnet in the split network list.

But basically you need to take care of three things in addition to the split-tunnel:
1) phase2 network selector(s) on the IPsec to allow traffic between SSL VPN client IPs and the Cisco LAN subnet, unless you use the default 0/0<->0/0 phase2.
2) routing both toward the Cisco LAN and back from the Cisco toward the SSL VPN client IPs.
3) at least one policy ssl.root->IPsec interface, and IPsec->ssl.root in case the Cisco LAN side needs to reach out to those SSL VPN clients.


Toshi

rtichkule
Staff

Hello Andrew,

You need to add both the SSL VPN IP address pool and the LAN subnet (192.168.1.0/24) of the FortiGate as source in the firewall policy, and the remote subnet (192.168.44.0/24) as destination.

You can refer to the document below for the configuration of SSL VPN with the IPsec VPN:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/45836/ssl-vpn-to-ipsec-vpn

BR
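
Putting the three replies above (AEK, Toshi_Esumi, rtichkule) together as FortiOS CLI: this is an added example, not configuration posted by anyone in the thread. It assumes the IPsec interface is named "to_cisco", the SSL VPN portal is "full-access" with user group "sslvpn_users", the address object "local_lan" (192.168.1.0/24) and the existing LAN-to-Cisco phase2 and policy already exist, and the client pool "SSLVPN_TUNNEL_ADDR1" falls inside 10.212.134.0/24; the Cisco side must carry the mirror-image crypto ACL / proxy-ID for the new selector.

```fortios
# Added example (not from the thread). Assumed names: IPsec interface "to_cisco",
# portal "full-access", group "sslvpn_users", client pool inside 10.212.134.0/24.
config firewall address
    edit "cisco_lan"
        set subnet 192.168.44.0 255.255.255.0
    next
end

# 1) Phase 2 selector: SSL VPN client pool <-> Cisco LAN (Cisco needs the mirror)
config vpn ipsec phase2-interface
    edit "to_cisco_sslvpn"
        set phase1name "to_cisco"
        set src-addr-type subnet
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.44.0 255.255.255.0
    next
end

# 2) Route the Cisco LAN into the IPsec interface
config router static
    edit 0
        set dst 192.168.44.0 255.255.255.0
        set device "to_cisco"
    next
end

# 3) Split tunnel: push both the local LAN and the Cisco LAN to FortiClient
config vpn ssl web portal
    edit "full-access"
        set split-tunneling enable
        set split-tunneling-routing-address "local_lan" "cisco_lan"
    next
end

# 4) Policy ssl.root -> IPsec (add the reverse one only if Cisco must reach clients)
config firewall policy
    edit 0
        set name "sslvpn_to_cisco"
        set srcintf "ssl.root"
        set dstintf "to_cisco"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "cisco_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn_users"
    next
end
```

The return path on the Cisco must route the client pool back into the tunnel, otherwise the FortiGate policy and route alone will not make the ping succeed.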

andrewd73
New Contributor

I have modified the configuration like this, but I cannot ping 192.168.44.0/24. (Two screenshots of the configuration attached.)

Christian_89

Hello,

Is the FortiClient network present in the IPsec tunnel?

If yes, have you created a routing object for the Cisco network in the config for SSL VPN?

If yes, have you created a FW policy to allow FortiClient traffic to communicate with the Cisco network?

parteeksharma

Hi Andrewd,

Kindly share the "route print" command output from the PC on which you are facing the issue. Also, to check the traffic flow for the VPN policy, we need the flow debug output below so we can check and suggest:

diagnose debug reset
diagnose debug disable
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter saddr <user IP address>
diagnose debug flow filter daddr <destination IP address which is behind CISCO>
diagnose debug flow filter proto 1
diagnose debug flow trace start 99
diagnose debug enable

NOTE: Replicate the issue by initiating the ping traffic for a few packets and then, after 5-10 sec, disable the logs by executing:

diagnose debug disable
diag debug reset

Regards,
Parteek

Toshi_Esumi
SuperUser

Show us the result of "route print" for Windows or "route -nr" for Mac while the client is connected.
Also show us "tracert 192.168.44.X" (Windows) or "traceroute 192.168.44.X" (Mac) (X needs to be replaced with a real IP).


Toshi
