We have been using the remote access SSL VPN for sometime. We were using a private WAN to connect our three sites together. Recently, we removed the WAN and setup a site-to-site IPsec VPN over the Internet. This has been working fine for a few weeks except today I noticed a problem. I cannot connect to resources over the IPsec VPN from the remote access web portal. We especially use the RDP option. I have been playing around with firewall rules and it all looks good. I now believe the problem is because the traffic is originating from the default MGMT IP (192.168.1.99). I know this because a sniffer reveals this:
49.628847 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 50.622905 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 52.623622 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 56.635057 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 64.667940 VPNInt out 192.168.1.99.3107 -> 10.30.16.18.3389: syn 3016459478 This seems to only apply to the web portal traversing over the IPsec VPN. If I remove anyone of those, it works fine. Does anyone know if it is possible to change the originating IP? Alternatively, I guess I could reconfigure this management IP to be inside our site ranges.
Three sites
Three FortiGates: 200E, 100E, 100E
All running 6.0.7
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
First, you're using web mode SSL VPN. If it's a tunnel mode with FortiClient, individual users have own source IP you set in a pool. Second, you don't seem to have an IP address configured on the tunnel interface "VPNInt". If you're using interface mode/route-base IPsec (phase1-interface/phase2-interface) you're supposed to set an IP on both ends of the tunnel. Then in this case, that IP would be used to access the remote resources over the tunnel.
You can find some example if you search with "FortiGate site-to-site VPN CLI configuration" on the internet. But it's so simple I'll explain it here: It's under "config sys int". After getting into "edit VPNInt", just run "show" to see what's configured now. Then add below to the existing config. Below IPs are just an example. You can change them to any private IP set. config sys interface edit VPNInt set ip 10.0.0.1 255.255.255.255 set allowaccess ping set remote-ip 10.0.0.2 255.255.255.255 next end You need to reverse "set ip" and "set remote-ip" on the other end obviously. Don't worry about /32 net-mask. Because these two /32s would be injected into the routing-table as "connected routes" separately. So they don't actually have to be in a /30 but better to be in in case the other side is not a FGT. GUI config exmaples often don't have this part of config, which I hate. Because it causes problems like yours and denying the biggest benefit of "interface mode/route-base" IPSec vs. "policy-base". You can treat it just like a regular interface on a router.
First, you're using web mode SSL VPN. If it's a tunnel mode with FortiClient, individual users have own source IP you set in a pool. Second, you don't seem to have an IP address configured on the tunnel interface "VPNInt". If you're using interface mode/route-base IPsec (phase1-interface/phase2-interface) you're supposed to set an IP on both ends of the tunnel. Then in this case, that IP would be used to access the remote resources over the tunnel.
Thanks mate. That makes sense. I don't recall reading about setting a IP in the tutorial. How is this done? Via standard CLI interface commands I assume. Can you point me in the direction of the doco?
You can find some example if you search with "FortiGate site-to-site VPN CLI configuration" on the internet. But it's so simple I'll explain it here: It's under "config sys int". After getting into "edit VPNInt", just run "show" to see what's configured now. Then add below to the existing config. Below IPs are just an example. You can change them to any private IP set. config sys interface edit VPNInt set ip 10.0.0.1 255.255.255.255 set allowaccess ping set remote-ip 10.0.0.2 255.255.255.255 next end You need to reverse "set ip" and "set remote-ip" on the other end obviously. Don't worry about /32 net-mask. Because these two /32s would be injected into the routing-table as "connected routes" separately. So they don't actually have to be in a /30 but better to be in in case the other side is not a FGT. GUI config exmaples often don't have this part of config, which I hate. Because it causes problems like yours and denying the biggest benefit of "interface mode/route-base" IPSec vs. "policy-base". You can treat it just like a regular interface on a router.
Thanks mate. Worked a treat.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1561 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.