SSL VPN traffic problem with IPsec VPN to Azure VWAN
Hi All,
I have setup an IPsec VPN to Azure VWAN based on the FortiNet Cookbook article.
Cookbook | FortiGate / FortiOS 6.2.11 | Fortinet Documentation Library
It is working, and BGP is Advertising routes from the Internal LAN to Azure and vice versa.
My problem is that, when connecting to the FortiGate using the SSL VPN, I cannot use services hosted in Azure. Azure does not have a route back to my VPN IP range. I assume this is because the VPN pool is not considered an Internal Network.
I think the way to solve this is to create a new VLAN on the LAN side (which will be advertised via BGP) and use NAT from the VPN Pool to the LAN network.
Is this the correct approach to solve this problem? If so, could someone point me in the correct direction as to how to do this?
Regards,
Rob.
Labels: FortiGate
Dear Rob,
Hope you are doing well.
So basically you are unable to access the Azure LAN subnet from the FortiGate SSL VPN users?
Could you please try the below and check if this helps?
Create a policy from the FortiGate SSL VPN interface (as incoming interface) to the Azure VPN interface (as outgoing interface); allow source, destination and services.
Enable NAT and create a dynamic address (you can use your FortiGate LAN address as the NAT address) and save the policy.
After that, try to access the Azure LAN site.
The above policy basically sends the packet with the FortiGate LAN address as the source, and since Azure already has a route to reach the FortiGate LAN, the traffic will be routed back.
Please let me know if you have any queries.
ARUNKUMAR.R.
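The policy described in the reply above, written out as a FortiOS CLI example (added here, not from the original thread or Fortinet's cookbook). Interface names, address objects, the user group and the 192.168.1.0/24 LAN with 192.168.1.254 as the pool address are assumptions; substitute your own.

```fortios
# Added example, not from the original thread. Assumed names:
#   ssl.root            = SSL VPN tunnel interface
#   Azure-VWAN          = IPsec phase1 interface to Azure VWAN
#   SSLVPN_TUNNEL_ADDR1 = SSL VPN client pool address object
#   Azure-Subnets       = address object for the Azure prefixes learned over BGP
#   192.168.1.254       = a free address inside the LAN subnet already advertised to Azure

# 1. Overload (PAT) pool: every SSL VPN client is hidden behind one LAN address,
#    so Azure only ever sees a source it already has a BGP return route for.
config firewall ippool
    edit "SSLVPN-to-Azure-SNAT"
        set type overload
        set startip 192.168.1.254
        set endip 192.168.1.254
    next
end

# 2. Policy from the SSL VPN interface to the Azure tunnel interface with
#    source NAT taken from that pool. Scoped to the SSL VPN user group and the
#    Azure prefixes rather than "all", and logged so the sessions are visible.
config firewall policy
    edit 0
        set name "SSLVPN-to-Azure"
        set srcintf "ssl.root"
        set dstintf "Azure-VWAN"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Azure-Subnets"
        set groups "SSLVPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SSLVPN-to-Azure-SNAT"
        set logtraffic all
    next
end

# 3. Verify: from a connected SSL VPN client reach an Azure host, then confirm
#    the session table shows the translated 192.168.1.254 source.
# diagnose sys session filter dst <azure-host-ip>
# diagnose sys session list
```

Plain `set nat enable` without an IP pool would translate to the outgoing IPsec interface's own address, which is normally unnumbered and unknown to Azure; that is why the pool holding a LAN address is needed here.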
Thank you ever so much. That worked perfectly.
