FortiGate
preetisingh

Description

This article describes how to let an SSL-VPN user access remote resources over an existing IPsec VPN tunnel.

Scope

FortiGate v5.2, FortiGate v5.4.


Solution

 

Network Topology:

LAN B ----- Remote Firewall B ----- IPsec VPN tunnel ----- FortiGate A ----- LAN A
(192.168.1.0/24)                                                 (172.27.16.0/24)

FortiGate A (wan) ------------------------ SSL VPN user (IP range 10.100.100.1 - 10.100.100.14)


There is an SSL-VPN on FortiGate A and an interface-based IPsec VPN between FortiGate A and Remote Firewall B (referred to below as FortiGate B).

 

- For SSL-VPN configuration, refer to the SSL VPN user guide.

- For site-to-site IPsec VPN, refer to the IPsec VPN user guide.


FortiGate A Configuration:

Existing SSL VPN configuration:

- SSL VPN users are assigned addresses from the pool 10.100.100.1 - 10.100.100.14.

- If split tunnel is enabled, make sure that the LAN B subnet (192.168.1.0/24) is included in the split-tunnel routing address (access list); otherwise the client will not send traffic for LAN B into the SSL VPN tunnel.

- If the SSL VPN user needs to use the internal DNS server on the remote side of the IPsec tunnel for internal name resolution, add that DNS server IP. This can be done by CLI or by GUI as shown below:

    - By CLI:

# config vpn ssl settings
    set dns-server1 192.168.1.x    <- Address of the remote DNS server on LAN B
end

 

    - By GUI: enter the same address in the DNS Server field of the SSL-VPN settings page.
 
Existing IPsec VPN configuration:

- Virtual IPsec interface name: ipsec-vpn.

- Add an additional phase 2 traffic selector so that the SSL VPN client pool is carried inside the tunnel:

Local : 10.100.100.0/28
Remote : 192.168.1.0/24


Firewall policy

Source Interface: ssl.root           ---------  SSL VPN interface
Source Address: SSL_VPN_address      ---------  SSL VPN client IP pool (10.100.100.0/28)
Destination Interface: ipsec-vpn     ---------  IPsec VPN interface
Destination Address: FGT_B_Subnet    ---------  192.168.1.0/24 (FortiGate B internal network)
Action: Accept

 

 

FortiGate B Configuration:

Existing IPsec VPN configuration:

- Virtual IPsec interface name: FortigateB-vpn.

- Add the mirrored phase 2 traffic selector:

Local : 192.168.1.0/24
Remote : 10.100.100.0/28

 

Firewall policy

Source Interface: FortigateB-vpn     ---------  IPsec VPN interface
Source Address: Remote-Subnet        ---------  SSL VPN client IP pool (10.100.100.0/28)
Destination Interface: lan           ---------  LAN interface
Destination Address: LAN_Subnet      ---------  192.168.1.0/24 (FortiGate B internal network)
Action: Accept