Reaching VLAN over SSL VPN on a different firewall
Hello,
we have the following constellation:
Location 1 -> Fortigate 200
Location 2 -> Fortigate 200
IPSEC VPN between for routing traffic from vlan 72 location 1 to vlan 73 location 2
This works well.
Now our colleagues want to use SSL VPN from home to also get access to vlan 72 in location one and vlan 73 in location two.
I configured SSL VPN on the location 1 Fortigate and it works for getting access to vlan 72. I also set up a policy to vlan 73 but that didn't work so far.
Any idea or is this technically not possible and I need to configure a second ssl vpn on location 2 firewall?
Thanks for your help :)
Labels: FortiGate
Hi @Pkay983,
On location 2, the packet arrived on the VPN tunnel but was dropped on policy 0, which means there is no policy allowing the traffic. Can you please check that there is a policy allowing 192.168.111.1 from "vpn-to-loc1" to 192.168.2.1 on the local interface?
Regards,
Minh
Dear Pkay983,
Please share the output below and initiate the traffic:
diag sniff packet any 'host x.x.x.x and icmp' 4 0 l >> where x.x.x.x is the dst IP
Collect the flow debug too:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/54688/debugging-the-packet-flow
Fortinet Certified Expert (FCX) | #NSE8-003459
SSL VPN Pool: 192.168.111.0/24
Subnet Location 2: 192.168.2.0/24
Fortigate Location 1:
2023-09-26 09:12:47.011276 ssl.root in 192.168.111.1 -> 192.168.2.1: icmp: echo request
2023-09-26 09:12:47.011285 vpn-to-loc2 out 192.168.111.1 -> 192.168.2.1: icmp: echo request
Fortigate Location 2:
2023-09-26 09:13:07.019100 vpn-to-loc1 in 192.168.111.1 -> 192.168.2.1: icmp: echo request
2023-09-26 09:13:12.022161 vpn-to-loc1 in 192.168.111.1 -> 192.168.2.1: icmp: echo request
2023-09-26 09:13:17.027890 vpn-to-loc1 in 192.168.111.1 -> 192.168.2.1: icmp: echo request
Hi,
Yes, it is possible to configure SSL VPN to IPSec VPN. You may refer to this link for the same:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/45836/ssl-vpn-to-ipsec-vpn#:....
BR,
Manosh
I guess I did it right... the only difference is that I use:
IPSEC Phase 2:
local Address Subnet 0.0.0.0 / 0.0.0.0
Remote Address Subnet 0.0.0.0 / 0.0.0.0
I also added a static route from the location 2 firewall to the SSL VPN pool... but it didn't work.
From diag sniffer it looks like it's going through the IPsec tunnel but not back.
Hi @Pkay983,
Please run the debug flow on both FortiGates to see where the traffic is being dropped. https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/54688/debugging-the-packet-f...
Regards,
Thanks for your replies :)
Location 1:
FW_Loc1 # id=20085 trace_id=26 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.111.1:1->192.168.2.1:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=8000."
id=20085 trace_id=26 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-6689a1bc, original direction"
id=20085 trace_id=26 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-XXXIPLOC2XXX via vpn-to-loc2"
id=20085 trace_id=26 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-to-loc2, tun_id=0.0.0.0"
id=20085 trace_id=26 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel vpn-to-loc2"
id=20085 trace_id=26 func=esp_output4 line=844 msg="IPsec encrypt/auth"
id=20085 trace_id=26 func=ipsec_output_finish line=544 msg="send to xxx.xxx.xxx.xxx via intf-vlan-42"
id=20085 trace_id=27 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.111.1:1->192.168.2.1:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=8005."
Location 2:
id=20085 trace_id=6 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.111.1:1->192.168.2.1:2048) tun_id=XXXIPLOC1XXX from vpn-to-loc1. type=8, code=0, id=1, seq=7988."
id=20085 trace_id=6 func=init_ip_session_common line=6023 msg="allocate a new session-021f4f6a, tun_id=141.73.50.132"
id=20085 trace_id=6 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-192.168.2.1 via root"
id=20085 trace_id=6 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=7 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.111.1:1->192.168.2.1:2048) tun_id=XXXIPLOC1XXX from vpn-to-loc1. type=8, code=0, id=1, seq=7989.
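As an added example (not from this thread and not Fortinet's code), the following Python script parses the two kinds of output requested above: `diagnose sniffer packet` lines like the ones posted earlier for both locations, and `diagnose debug flow` lines like these. For the sniffer output it reports echo requests that never received a reply, which is the "goes through the tunnel but not back" symptom; for the debug flow it groups lines by `trace_id` and reports where each packet ended up (forwarded into which IPsec tunnel, or dropped by which policy; policy 0 is the FortiOS implicit deny, i.e. no matching firewall policy). The sample lines are constructed in the same format as the thread's output; the 198.51.100.x gateway addresses are documentation placeholders, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample input in the format of FortiOS 'diagnose debug flow' output
# (one trace per firewall). Gateway addresses are documentation placeholders.
FLOW_LOC1 = """\
id=20085 trace_id=26 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.111.1:1->192.168.2.1:2048) tun_id=0.0.0.0 from ssl.root. type=8, code=0, id=1, seq=8000."
id=20085 trace_id=26 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-6689a1bc, original direction"
id=20085 trace_id=26 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-198.51.100.2 via vpn-to-loc2"
id=20085 trace_id=26 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel vpn-to-loc2"
"""
FLOW_LOC2 = """\
id=20085 trace_id=6 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.111.1:1->192.168.2.1:2048) tun_id=198.51.100.1 from vpn-to-loc1. type=8, code=0, id=1, seq=7988."
id=20085 trace_id=6 func=init_ip_session_common line=6023 msg="allocate a new session-021f4f6a, tun_id=198.51.100.1"
id=20085 trace_id=6 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-192.168.2.1 via root"
id=20085 trace_id=6 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
"""
# Constructed sample in the format of 'diagnose sniffer packet any ... 4' output on
# location 2: echo requests arrive through the tunnel, no echo reply is ever seen.
SNIFF_LOC2 = """\
2023-09-26 09:13:07.019100 vpn-to-loc1 in 192.168.111.1 -> 192.168.2.1: icmp: echo request
2023-09-26 09:13:12.022161 vpn-to-loc1 in 192.168.111.1 -> 192.168.2.1: icmp: echo request
"""

TRACE_RE = re.compile(r"trace_id=(\d+)")
# 'from ssl.root. type=8': the interface name may itself contain a dot, so stop at '. '
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\).*? from (\S+?)\.\s")
ROUTE_RE = re.compile(r'find a route: flag=\w+ gw-(\S+) via (\S+)"')
TUNNEL_RE = re.compile(r'output to IPSec tunnel (\S+)"')
DROP_RE = re.compile(r"check failed on policy (\d+), drop")
# '<date> <time> <intf> <in|out> <src> -> <dst>: icmp: echo <request|reply>'
SNIFF_RE = re.compile(r"^\S+ \S+ (\S+) (in|out) ([\d.]+) -> ([\d.]+): icmp: echo (request|reply)")


def summarize_flow(text):
    """Group debug-flow lines by trace_id and record ingress, route and final verdict."""
    traces = {}
    for line in text.splitlines():
        t_match = TRACE_RE.search(line)
        if not t_match:
            continue
        trace = traces.setdefault(t_match.group(1), {"verdict": "no verdict seen"})
        if (m := PKT_RE.search(line)):
            trace.update(proto=m.group(1), src=m.group(2), dst=m.group(3), in_intf=m.group(4))
        elif (m := ROUTE_RE.search(line)):
            trace.update(gateway=m.group(1), out_intf=m.group(2))
        elif (m := TUNNEL_RE.search(line)):
            trace["verdict"] = f"forwarded into IPsec tunnel {m.group(1)}"
        elif (m := DROP_RE.search(line)):
            policy = m.group(1)
            trace["verdict"] = f"dropped by policy {policy}" + (
                " (implicit deny: no matching firewall policy)" if policy == "0" else "")
    return traces


def oneway_icmp(text):
    """Return (src, dst, interfaces) for ICMP echo requests that never got a reply."""
    seen = defaultdict(lambda: {"request": 0, "reply": 0, "intf": set()})
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue
        intf, _direction, src, dst, kind = m.groups()
        # Key replies by the original requester so both directions land on one entry.
        key = (src, dst) if kind == "request" else (dst, src)
        seen[key][kind] += 1
        seen[key]["intf"].add(intf)
    return sorted((src, dst, sorted(s["intf"])) for (src, dst), s in seen.items()
                  if s["request"] and not s["reply"])


if __name__ == "__main__":
    for name, flow in (("Location 1", FLOW_LOC1), ("Location 2", FLOW_LOC2)):
        for trace_id, t in summarize_flow(flow).items():
            print(f"{name} trace {trace_id}: {t.get('src')} -> {t.get('dst')} "
                  f"in via {t.get('in_intf')}, routed via {t.get('out_intf')}: {t['verdict']}")
    for src, dst, intfs in oneway_icmp(SNIFF_LOC2):
        print(f"one-way ICMP: {src} -> {dst} seen on {', '.join(intfs)} with no reply")
```

Run it against captures from both firewalls, one at a time; a trace that ends in "dropped by policy 0" on the remote side, as in the output above, points at a missing or non-matching firewall policy from the tunnel interface rather than at routing, while a missing route would already show up in the "find a route" line.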
There was a policy, but I added it with the FortiManager... I deleted it and added it again directly on the Forti and this did the trick.
Well thanks @All for the hints.
Well done :)
Hi @Pkay983.
Did you have the route to the new SSL VPN subnet on the remote site? Please also check on both sides whether there are bi-directional policies to allow this flow of traffic.
Regards,
Minh
