- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: routing to subnet behind sslvpn client
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
routing to subnet behind sslvpn client
I have a partially working SSLVPN setup between 2 fortinets.
The tunnel itself comes up fine.
What I'd like to be able to do, is route packets from/through the main router, to a subnet that is BEHIND the client.
eg:
desktop -> MainFGT <-VPNSSL <- subFGT = officesubnet
and I want "desktop" and "officesubnet" to be able to communicate.
packet capture on MainFGT says that packets for "officesubnet" enter the virtual
SSL-VPN(ssl.root) interface...
but they dont seem to emerge on the "subFGT" router.
I've tried adding a static route for the subnet to the IP address that subFGT gets assigned for the tunnel..
but the route table always zeros out the Gateway IP to 0.0.0.0
Can anyone help me out with this?
Labels:
- Labels:
-
FortiGate
24 REPLIES 24
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
would still be helpful, for internal "documentation" purposes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what I did was just searching "fortigate as sslvpn client", then found this:
https://community.fortinet.com/t5/Support-Forum/Fortigate-as-SSL-VPN-Client-Reverse-Path-routing-pos...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now that I think about it, check the NSE4 material. It has a section about Fortigate as an IPsec client and having devices behind it. Maybe there's a good answer in that training.
FCSS SDWAN EFW
FCSS SDWAN EFW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no, ipsec client configs result in normal devices, with normal IP addresses assigned to the virtual device on each side.
VPNSSL is... odd. I dont understand it fully. Hence why i'm here.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should have all of the info you need:
Cheers,
Graham
Graham
Created on
05-04-2023
12:35 PM
Edited on
05-05-2023
01:30 AM
By
Stephen_G
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Graham,
unfortunately, that does not help me.
I already have a working sslvpn connection. I was asking about routing to the client.
That doc only addresses routing to the server side.
As I mentioned,
What I'd like to be able to do, is route packets from/through the main router, to a subnet that is BEHIND the client.
Created on
05-04-2023
01:08 PM
Edited on
05-05-2023
01:32 AM
By
Stephen_G
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As the document states:
"The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. When an SSL VPN client connection is established, the client dynamically adds a route to the subnets that are returned by the SSL VPN server. Policies can be defined to allow users that are behind the client to be tunneled through SSL VPN to destinations on the SSL VPN server."
It makes no mention of allowing the reverse traffic initiated from behind the VPN Server to be able to reach endpoints behind the client.
You are free to try manipulating routes and FW policies and seeing if it can work. You are also free to try creating a second SSL VPN connection in the reverse directly to see if that can work for you (doubtful). Unfortunately, if you do get it working I doubt it would be supported by TAC.
at the end of the day the functionality is not meant to work this way.
It's the same as having a home user connect to the VPN using their PC. There's no way to route to that user's home network through the PC. It's not the intended purpose of the SSL VPN Client/Server relationship.
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gfleming wrote:....
It makes no mention of allowing the reverse traffic initiated from behind the VPN Server to be able to reach endpoints behind the client.
....
It's the same as having a home user connect to the VPN using their PC. There's no way to route to that user's home network through the PC. It's not the intended purpose of the SSL VPN Client/Server relationship.
It doesnt say it cant be done. However, neither does it explicitly say it cannot be done.
But it seems that is the case.
as far as "home user" and dialup VPN...
I've been using dialup VPN for decades
In every situation I've been in up until now, so long as you controlled the machines at both sides of the tunnel, there was a way to do routing back through to the dialup side.
And in fact, Fortinet supports one-way dialup VPN site-to-site routing ALREADY.
We use it right now, with fortinet-to-fortinet IPsec.
I thought that it would then be logical to presume I could take the same two routers, that are already working in a HUB+dialup VPN configuration using IPsec, and just switch them over to using dialup SSLVPN as the transport.
Silly me for thinking Fortinet would be consistent.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Those IPsec tunnel options are at L3 layer. That's why it works to route subnets through the "node" (not a client). SSL VPN on the other hand works at Application layer. That's not so easy to route L3 protocol through it. For that regards, FortiGate is I think very consistent, or predictable.
If you can find a device that works as you want, please let us know. at least I'm very interested in personally. Most likely that would be a server/VM based software-based FW, not a chassis-based.
Toshi
Created on 05-04-2023 03:09 PM Edited on 05-04-2023 03:21 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since you ask: yes I know of at least one solution that works in our exact location and situation:
OpenVPN.
Its mostly thought of as a server-base solution, and its how we will have to use it.
But there are a few routers that can handle being openvpn clients directly.
I was hoping for a solution that could be used directly from our existing fortinet router. Disappointing.
PS: while sslvpn TRANSPORT is at application layer... that doesnt matter.
openvpn uses effectively application layer as well, I think?
But it exposes its vdev interfaces so you can do routing with it and through it.
fortinet does not.
Boo, fortinet.
Related Posts
- Force the routing of a domain... 65 Views
- SSLVPN client certs and radius 165 Views
- IPSec client is blocked by implicit... 389 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 250 Views
- User Getting The server you want... 215 Views
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.