FortiGate
mbanica (Staff)
Article Id 191542
Description
This article explains how to allow traffic initiated by an SSL VPN user to reach a remote network through an IPsec tunnel.
[Image: mbanica_FD37024_tn_FD37024-1.jpg]

Scope
All FortiGates.

Solution
For SSL VPN users to be able to access the internal LAN on FGT1, these policies are mandatory:

5.0.x
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "local_192.168.1.0/24"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "Guest-group"
                set service "ALL"
                set sslvpn-portal "full-access"
            next
        end
    next
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

5.2.x
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set groups "Guest-group"
        set service "ALL"
    next
end

Here the address object "SSLVPN_TUNNEL" is 192.168.8.0/24, the IP range assigned to SSL VPN tunnel-mode clients.

Ipsec1 and Ipsec2 are route-based IPsec tunnels: in this scenario a route-based tunnel creates a virtual interface that can be referenced in firewall policies and used as the outgoing device in static routes.

On FGT1

 - Existing policies for IPsec to access internal networks:
config firewall policy
    edit 0
        set srcintf "Ipsec1"
        set dstintf "port1"
        set srcaddr "remote_10.10.1.0/24"
        set dstaddr "local_192.168.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "port1"
        set dstintf "Ipsec1"
        set srcaddr "local_192.168.1.0/24"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 - Static route pointing to the remote LAN 10.10.1.0/24:
config router static
    edit 0
        set device Ipsec1
        set dst 10.10.1.0 255.255.255.0
    next
end

To check that the routes are learned:
# get router info routing-table database

For SSL VPN users to access the remote LAN through IPsec, these policies are needed:

1. For web mode:
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "Ipsec1"
        set srcaddr "all"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

2. For tunnel mode:
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "Ipsec1"
        set srcaddr "SSLVPN_TUNNEL"
        set dstaddr "remote_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

In 5.2.x the SSL VPN users or user groups must also be selected in this policy (with set groups, as in the 5.2.x policy above).

On FGT2

 - Existing policies for IPsec to access internal networks, adjusted so that the SSL VPN client range is also allowed:
config firewall policy
    edit 0
        set srcintf "Ipsec2"
        set dstintf "port2"
        set srcaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
        set dstaddr "local_10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "port2"
        set dstintf "Ipsec2"
        set srcaddr "local_10.10.1.0/24"
        set dstaddr "remote_192.168.1.0/24" "SSLVPN_TUNNEL"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 - Static routes (the second one is required so that replies to SSL VPN clients are sent back through the tunnel):
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "Ipsec2"
    next
    edit 0
        set dst 192.168.8.0 255.255.255.0
        set device "Ipsec2"
    next
end
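To make the dependencies between the two FortiGates visible, here is an added example (not Fortinet code and not part of the original article) that models the address objects, policies and static routes above as plain Python and traces one tunnel-mode client packet from FGT1 through the IPsec tunnel to FGT2. Object names, interface names and subnets are the article's; the client address 192.168.8.10 and host 10.10.1.5 are constructed. Switching off either FGT2 adjustment (the "SSLVPN_TUNNEL" entry in the policies, or the 192.168.8.0/24 static route) shows which hop drops the traffic.

```python
import ipaddress

# Address objects from the article, as a constructed name -> subnet map.
ADDR = {
    "local_192.168.1.0/24":  ipaddress.ip_network("192.168.1.0/24"),
    "remote_192.168.1.0/24": ipaddress.ip_network("192.168.1.0/24"),
    "local_10.10.1.0/24":    ipaddress.ip_network("10.10.1.0/24"),
    "remote_10.10.1.0/24":   ipaddress.ip_network("10.10.1.0/24"),
    "SSLVPN_TUNNEL":         ipaddress.ip_network("192.168.8.0/24"),
}


class FortiGate:
    """Just enough of a firewall to evaluate static routes and policies."""

    def __init__(self, name, policies, routes):
        self.name = name
        self.policies = policies  # (srcintf, dstintf, [srcaddr], [dstaddr])
        self.routes = routes      # (network, device); longest prefix wins

    def egress(self, dst):
        best = None
        for net, dev in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        return best[1] if best else None

    def permits(self, srcintf, dstintf, src, dst):
        for p_in, p_out, srcs, dsts in self.policies:
            if (p_in, p_out) == (srcintf, dstintf) \
                    and any(src in ADDR[a] for a in srcs) \
                    and any(dst in ADDR[a] for a in dsts):
                return True
        return False


FGT1 = FortiGate("FGT1",
    policies=[
        ("Ipsec1",   "port1",  ["remote_10.10.1.0/24"],  ["local_192.168.1.0/24"]),
        ("port1",    "Ipsec1", ["local_192.168.1.0/24"], ["remote_10.10.1.0/24"]),
        ("ssl.root", "port1",  ["SSLVPN_TUNNEL"],        ["local_192.168.1.0/24"]),
        ("ssl.root", "Ipsec1", ["SSLVPN_TUNNEL"],        ["remote_10.10.1.0/24"]),
    ],
    routes=[
        (ipaddress.ip_network("192.168.1.0/24"), "port1"),   # connected LAN
        (ipaddress.ip_network("10.10.1.0/24"),   "Ipsec1"),  # static route
    ])


def build_fgt2(policy_fix=True, route_fix=True):
    """FGT2 as in the article. Switch either fix off to see which hop drops."""
    extra = ["SSLVPN_TUNNEL"] if policy_fix else []
    routes = [
        (ipaddress.ip_network("10.10.1.0/24"),   "port2"),   # connected LAN
        (ipaddress.ip_network("192.168.1.0/24"), "Ipsec2"),
    ]
    if route_fix:
        routes.append((ipaddress.ip_network("192.168.8.0/24"), "Ipsec2"))
    return FortiGate("FGT2",
        policies=[
            ("Ipsec2", "port2",  ["remote_192.168.1.0/24"] + extra, ["local_10.10.1.0/24"]),
            ("port2",  "Ipsec2", ["local_10.10.1.0/24"], ["remote_192.168.1.0/24"] + extra),
        ],
        routes=routes)


def trace(fgt2, src, dst):
    """Follow one tunnel-mode client packet FGT1 -> IPsec -> FGT2 and name the
    first hop that drops it. The reply also needs a route back on FGT2."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out1 = FGT1.egress(dst)
    if out1 != "Ipsec1":
        return False, "FGT1: %s is not routed via Ipsec1" % dst
    if not FGT1.permits("ssl.root", out1, src, dst):
        return False, "FGT1: no policy ssl.root -> Ipsec1 for %s" % src
    out2 = fgt2.egress(dst)
    if out2 != "port2":
        return False, "FGT2: %s is not routed via port2" % dst
    if not fgt2.permits("Ipsec2", out2, src, dst):
        return False, "FGT2: no policy Ipsec2 -> port2 allows source %s" % src
    if fgt2.egress(src) != "Ipsec2":
        return False, "FGT2: no route back to %s via Ipsec2" % src
    return True, "ok"


if __name__ == "__main__":
    for kwargs in ({}, {"policy_fix": False}, {"route_fix": False}):
        print(kwargs, trace(build_fgt2(**kwargs), "192.168.8.10", "10.10.1.5"))
```

The model only evaluates the first packet of a session in the forward direction, which is what a FortiGate does before it creates the session; the reply is covered by checking that FGT2 has a route back to the client range, since without it the return traffic has no path into the tunnel.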

Best practices

1. If more than one portal is configured with tunnel access, each portal must have a unique IP range for its clients, and these ranges must not overlap with the internal or remote network subnets. All of these IP pools must be selected in the SSL VPN settings.

5.2.x

[Image: mbanica_FD37024_tn_FD37024-2.jpg]

5.0.x

[Image: mbanica_FD37024_tn_FD37024-3.jpg]
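The overlap rule in best practice 1 is easy to check before a second portal goes live. The following is an added example (not from the article or from Fortinet) that compares every tunnel-mode IP pool against the other pools and against the internal and remote subnets using Python's ipaddress module; the pool names other than "SSLVPN_TUNNEL" and the offending 192.168.1.128/25 pool are constructed for the demonstration.

```python
import ipaddress


def find_overlaps(pools, subnets):
    """Return (pool, other) pairs whose ranges overlap.

    pools   : name -> CIDR of each SSL VPN portal's tunnel-mode client range
    subnets : name -> CIDR of internal and remote networks reachable via VPN
    Pools are checked against each other and against every subnet.
    """
    pools = {n: ipaddress.ip_network(v) for n, v in pools.items()}
    subnets = {n: ipaddress.ip_network(v) for n, v in subnets.items()}
    problems = []
    names = list(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools[a].overlaps(pools[b]):
                problems.append((a, b))
        for s, net in subnets.items():
            if pools[a].overlaps(net):
                problems.append((a, s))
    return problems


# Subnets from the article; the second and third pools are constructed.
SUBNETS = {
    "local_192.168.1.0/24": "192.168.1.0/24",
    "remote_10.10.1.0/24": "10.10.1.0/24",
}
GOOD_POOLS = {
    "SSLVPN_TUNNEL": "192.168.8.0/24",
    "SSLVPN_TUNNEL_ADMIN": "192.168.9.0/24",   # constructed second portal range
}
BAD_POOLS = dict(GOOD_POOLS, SSLVPN_TUNNEL_GUEST="192.168.1.128/25")  # inside FGT1's LAN

if __name__ == "__main__":
    print("good:", find_overlaps(GOOD_POOLS, SUBNETS))
    print("bad: ", find_overlaps(BAD_POOLS, SUBNETS))
```

A pool that overlaps an internal subnet shows up as a pair such as ("SSLVPN_TUNNEL_GUEST", "local_192.168.1.0/24"); clients in that pool would have their LAN traffic black-holed because the FortiGate has a more specific or equal route for the same addresses on another interface.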

2. Basic troubleshooting:

Testing ping from the SSL VPN client to a remote host with the sniffer:
# diagnose sniffer packet any "host x.x.x.x and icmp" 4 0 a
or
# diagnose sniffer packet any "host x.x.x.x and icmp" 6 0 a

(the verbosity 6 output can be converted into a pcap file and opened in Wireshark)

Press Ctrl+C to stop the sniffer.

Here the host is either the IP of the SSL VPN client or the host on the remote network.

Testing with debug flow (the proto value in the filter is the IP protocol number):

proto 1 = ICMP
proto 6 = TCP
proto 17 = UDP
# diag debug reset
# diag debug flow filter clear
# diag debug flow filter addr x.x.x.x
# diag debug flow filter proto 1
# diag debug flow show console enable
# diag debug flow show function-name enable
# diag debug console timestamp enable
# diag debug enable
# diag debug flow trace start 1000

(now start pinging)

# diag deb flow trace stop
# diag deb disable
# diag deb reset
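Debug flow output is verbose, and the lines that matter for this scenario are the packet header, the route lookup and the policy verdict. As an added example (not from the article or from Fortinet), the script below collapses such output into one record per trace_id and lists the traces that were not explicitly allowed. The sample lines are constructed in the style of FortiOS debug flow messages (exact wording and function names vary between versions): traces 1 and 2 as seen on FGT1, trace 3 as seen on FGT2 when the route back to 192.168.8.0/24 is missing.

```python
import re
from collections import OrderedDict

# Constructed sample, in the style of "diag debug flow" output.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.8.10:1->10.10.1.5:2048) from ssl.root. code=8, type=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=4620 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.10.1.5 via Ipsec1"
id=20085 trace_id=1 func=fw_forward_handler line=676 msg="Allowed by Policy-7:"
id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.8.10:1->10.10.2.5:2048) from ssl.root. code=8, type=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=4620 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.10.2.5 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=676 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 192.168.8.10:1->10.10.1.5:2048) from Ipsec2. code=8, type=0, id=1, seq=1."
id=20085 trace_id=3 func=ip_route_input_slow line=1276 msg="reverse path check fail, drop"
"""

PKT = re.compile(r'trace_id=(\d+).*received a packet\(proto=(\d+), '
                 r'([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
ROUTE = re.compile(r'trace_id=(\d+).*find a route: .*via (\S+)"')
VERDICT = re.compile(r'trace_id=(\d+).*msg="((?:Allowed by Policy-\d+)'
                     r'|(?:Denied by [^"]+)|(?:[^"]*drop))')
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def summarize(text):
    """Collapse raw debug flow lines into one record per trace_id."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            tid, proto, src, dst, ingress = m.groups()
            traces[tid] = {"proto": PROTO.get(int(proto), proto), "src": src,
                           "dst": dst, "ingress": ingress, "egress": None,
                           "verdict": None}
            continue
        m = ROUTE.search(line)
        if m and m.group(1) in traces:
            traces[m.group(1)]["egress"] = m.group(2)
            continue
        m = VERDICT.search(line)
        if m and m.group(1) in traces:
            traces[m.group(1)]["verdict"] = m.group(2)
    return traces


def dropped(traces):
    """trace_ids whose verdict is anything other than an explicit allow."""
    return [tid for tid, t in traces.items()
            if not (t["verdict"] or "").startswith("Allowed")]


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for tid, t in result.items():
        print(tid, t["proto"], t["src"], "->", t["dst"], "in:", t["ingress"],
              "out:", t["egress"], "|", t["verdict"])
    print("dropped:", dropped(result))
```

Trace 2 is the classic symptom of a missing tunnel-mode policy: the route lookup succeeds but no policy from ssl.root to the chosen egress interface matches, so the verdict is "Denied by forward policy check (policy 0)". Trace 3 is what FGT2 reports when the 192.168.8.0/24 static route is absent: the packet arrives on Ipsec2 but the reverse path for its source does not point at that interface.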
