Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Web portal traffic coming from MGMT port when ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Web portal traffic coming from MGMT port when traversing PtP IPsec VPN
We have been using the remote access SSL VPN for sometime. We were using a private WAN to connect our three sites together. Recently, we removed the WAN and setup a site-to-site IPsec VPN over the Internet. This has been working fine for a few weeks except today I noticed a problem. I cannot connect to resources over the IPsec VPN from the remote access web portal. We especially use the RDP option. I have been playing around with firewall rules and it all looks good. I now believe the problem is because the traffic is originating from the default MGMT IP (192.168.1.99). I know this because a sniffer reveals this:
49.628847 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 50.622905 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 52.623622 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 56.635057 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 64.667940 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 This seems to only apply to the web portal traversing over the IPsec VPN. If I remove anyone of those, it works fine. Does anyone know if it is possible to change the originating IP? Alternatively, I guess I could reconfigure this management IP to be inside our site ranges.
Three sites
Three FortiGates: 200E, 100E, 100E
All running 6.0.7
Solved! Go to Solution.
Labels:
- Labels:
-
6.0
3874
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, you're using web mode SSL VPN. If it's a tunnel mode with FortiClient, individual users have own source IP you set in a pool. Second, you don't seem to have an IP address configured on the tunnel interface "VPNInt". If you're using interface mode/route-base IPsec (phase1-interface/phase2-interface) you're supposed to set an IP on both ends of the tunnel. Then in this case, that IP would be used to access the remote resources over the tunnel.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can find some example if you search with "FortiGate site-to-site VPN CLI configuration" on the internet. But it's so simple I'll explain it here: It's under "config sys int". After getting into "edit VPNInt", just run "show" to see what's configured now. Then add below to the existing config. Below IPs are just an example. You can change them to any private IP set. config sys interface edit VPNInt set ip 10.0.0.1 255.255.255.255 set allowaccess ping set remote-ip 10.0.0.2 255.255.255.255 next end You need to reverse "set ip" and "set remote-ip" on the other end obviously. Don't worry about /32 net-mask. Because these two /32s would be injected into the routing-table as "connected routes" separately. So they don't actually have to be in a /30 but better to be in in case the other side is not a FGT. GUI config exmaples often don't have this part of config, which I hate. Because it causes problems like yours and denying the biggest benefit of "interface mode/route-base" IPSec vs. "policy-base". You can treat it just like a regular interface on a router.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, you're using web mode SSL VPN. If it's a tunnel mode with FortiClient, individual users have own source IP you set in a pool. Second, you don't seem to have an IP address configured on the tunnel interface "VPNInt". If you're using interface mode/route-base IPsec (phase1-interface/phase2-interface) you're supposed to set an IP on both ends of the tunnel. Then in this case, that IP would be used to access the remote resources over the tunnel.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks mate. That makes sense. I don't recall reading about setting a IP in the tutorial. How is this done? Via standard CLI interface commands I assume. Can you point me in the direction of the doco?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can find some example if you search with "FortiGate site-to-site VPN CLI configuration" on the internet. But it's so simple I'll explain it here: It's under "config sys int". After getting into "edit VPNInt", just run "show" to see what's configured now. Then add below to the existing config. Below IPs are just an example. You can change them to any private IP set. config sys interface edit VPNInt set ip 10.0.0.1 255.255.255.255 set allowaccess ping set remote-ip 10.0.0.2 255.255.255.255 next end You need to reverse "set ip" and "set remote-ip" on the other end obviously. Don't worry about /32 net-mask. Because these two /32s would be injected into the routing-table as "connected routes" separately. So they don't actually have to be in a /30 but better to be in in case the other side is not a FGT. GUI config exmaples often don't have this part of config, which I hate. Because it causes problems like yours and denying the biggest benefit of "interface mode/route-base" IPSec vs. "policy-base". You can treat it just like a regular interface on a router.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks mate. Worked a treat.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate not showing Deny logs 513 Views
- SSLVPN on VDOM 821 Views
- IPsec tunnel initiating on the outside... 122 Views
- Using Fortigate under AWS for SIP... 959 Views
- Device group policy is not working 242 Views
Labels
-
FortiGate
8,486 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
460 -
FortiSwitch
458 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
39 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.