Description
This article describes how to configure routing and firewall permissions on FortiGate so that SSL VPN FortiClient users can reach a remote LAN through a site-to-site IPsec VPN.
Scope
FortiGate and FortiClient.
Solution
After the SSL VPN connection has been established, a phase 2 selector must be created on the site-to-site VPN to allow traffic from the SSL VPN address pool assigned to FortiClient to reach the remote LAN behind the second FortiGate.
This configuration has to be applied on both FortiGates of the site-to-site VPN connection.
First FortiGate
FG80CM3914601321 (VPN_forti2) # show full-configuration
config vpn ipsec phase2-interface
edit "VPN_forti2"
set auto-negotiate enable
set comments ''
set dst-addr-type subnet
set dst-port 0
set encapsulation tunnel-mode
set keepalive enable
set keylife-type seconds
set pfs disable
set phase1name "VPNForti"
set proposal 3des-sha1
set protocol 0
set replay enable
set src-addr-type subnet
set src-port 0
set dst-subnet 192.168.1.0 255.255.255.0 >>>>>> Remote LAN
set keylifeseconds 3600
set src-subnet 192.168.100.0 255.255.255.0 >>>>>> Local LAN (pool ssl VPN)
next
end
Firewall policy
FG80CM3914601321 # config firewall policy
FG80CM3914601321 (policy) # edit 15
FG80CM3914601321 (15) # show
config firewall policy
edit 15
set srcintf "ssl.root"
set dstintf "VPNForti"
set srcaddr "poolvpn"
set dstaddr "Remote_LAN"
set action accept
set schedule "always"
set service "ALL"
next
end
Second FortiGate
FG80CM3914601323 (phase2-interface) # edit VPN_FORTI2
FG80CM3914601323 (VPN_FORTI2) # show full-configuration
config vpn ipsec phase2-interface
edit "VPN_FORTI2"
set phase1name "VPN_FORTI"
set proposal 3des-sha1
set pfs disable
set replay enable
set keepalive enable
set auto-negotiate enable
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 3600
set src-subnet 192.168.1.0 255.255.255.0 >>>>>>>> LAN on the second FortiGate
set dst-subnet 192.168.100.0 255.255.255.0 >>>>>>>> SSL VPN pool
next
end
Firewall policy
FG80CM3914601323 # config firewall policy
FG80CM3914601323 (policy) # edit 4
FG80CM3914601323 (4) # show
config firewall policy
edit 4
set srcintf "VPN_FORTI"
set dstintf "internal"
set srcaddr "pool_VPN1"
set dstaddr "VPN_FORTI_local"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: VPN_FORTI (Created by VPN wizard)"
next
end
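As an added consistency check (not part of this article or of FortiOS), the script below parses the two phase2-interface dumps shown above and verifies that the selectors mirror each other (the src-subnet of one FortiGate is the dst-subnet of the other) and that a FortiClient address from the SSL VPN pool falls inside FortiGate1's src-subnet. A selector mismatch is the usual reason the phase 2 never comes up or the pool traffic is not sent into the tunnel.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the phase2-interface dumps from both FortiGates above.
FGT1_PHASE2 = """
config vpn ipsec phase2-interface
    edit "VPN_forti2"
        set phase1name "VPNForti"
        set dst-subnet 192.168.1.0 255.255.255.0
        set src-subnet 192.168.100.0 255.255.255.0
    next
end
"""

FGT2_PHASE2 = """
config vpn ipsec phase2-interface
    edit "VPN_FORTI2"
        set phase1name "VPN_FORTI"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end
"""

# Matches "set src-subnet <network> <netmask>" and "set dst-subnet <network> <netmask>".
SELECTOR_RE = re.compile(r"set (src|dst)-subnet (\S+) (\S+)")


def parse_selectors(cfg):
    """Return {'src': IPv4Network, 'dst': IPv4Network} from a phase2-interface dump."""
    found = {}
    for m in SELECTOR_RE.finditer(cfg):
        # ipaddress accepts the "network/netmask" form used by the FortiOS CLI.
        found[m.group(1)] = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}")
    missing = {"src", "dst"} - found.keys()
    if missing:
        raise ValueError(f"phase2 is missing selectors: {sorted(missing)}")
    return found


def selectors_mirror(local_cfg, remote_cfg):
    """True when the local src/dst selectors equal the remote dst/src selectors."""
    a, b = parse_selectors(local_cfg), parse_selectors(remote_cfg)
    return a["src"] == b["dst"] and a["dst"] == b["src"]


def pool_covered(local_cfg, client_ip):
    """True when an SSL VPN pool address is inside the local src-subnet selector."""
    return ipaddress.IPv4Address(client_ip) in parse_selectors(local_cfg)["src"]
```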
Test of communication
Ping from the PC connected through FortiClient, using the IP 192.168.100.1 from the SSL VPN pool, to the remote host 192.168.1.99.
FortiGate1
FG80CM3914601321 # diagnose sniffer packet any 'host 192.168.100.1 and icmp' 4
interfaces=[any]
filters=[host 192.168.100.1 and icmp]
45.162715 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
45.162810 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
45.163373 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
45.163495 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
46.167723 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
46.167742 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
46.168210 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
46.168277 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
47.175292 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
47.175312 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
47.175776 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
47.175845 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
48.185852 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
48.185872 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
48.186336 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
48.186404 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
FortiGate2
FG80CM3914601323 # diagnose sniffer packet any 'host 192.168.100.1 and icmp' 4
interfaces=[any]
filters=[host 192.168.100.1 and icmp]
2.209624 VPN_FORTI in 192.168.100.1 -> 192.168.1.99: icmp: echo request
2.209792 VPN_FORTI out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
3.214933 VPN_FORTI in 192.168.100.1 -> 192.168.1.99: icmp: echo request
3.215024 VPN_FORTI out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
4.221116 VPN_FORTI in 192.168.100.1 -> 192.168.1.99: icmp: echo request
4.221221 VPN_FORTI out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
5.231420 VPN_FORTI in 192.168.100.1 -> 192.168.1.99: icmp: echo request
5.231513 VPN_FORTI out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
The traffic from the PC enters FortiGate1 on the ssl.root interface and is routed out through the IPsec interface (VPNForti); the packets then reach the second FortiGate through its VPN interface (VPN_FORTI) and the replies return along the same path, which completes the communication.
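To turn the sniffer check above into a repeatable test, the added example below (not part of this article) parses `diagnose sniffer packet` lines and reports which of the four expected hops on FortiGate1 are missing: request in on ssl.root, request out on VPNForti, reply in on VPNForti, reply out on ssl.root. An empty result means the full round trip was observed; the hops that are returned point at where the path breaks.

```python
import re

# Constructed sample: four lines of the FortiGate1 sniffer output shown in this article.
SNIFFER_OUTPUT = """\
45.162715 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
45.162810 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
45.163373 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
45.163495 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
"""

# Verbosity-4 sniffer line: "<time> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>"
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)


def parse_sniffer(text):
    """Return one dict per ICMP echo line; non-matching lines (headers, other protocols) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def missing_hops(text, client_ip, target_ip, client_intf, tunnel_intf):
    """Return the set of expected (interface, direction, kind) hops not seen for this flow."""
    seen = {
        (p["intf"], p["dir"], p["kind"])
        for p in parse_sniffer(text)
        if {p["src"], p["dst"]} == {client_ip, target_ip}
    }
    expected = {
        (client_intf, "in", "request"),
        (tunnel_intf, "out", "request"),
        (tunnel_intf, "in", "reply"),
        (client_intf, "out", "reply"),
    }
    return expected - seen
```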
Related Articles
Technical Note: FortiGate SSL VPN in tunnel mode with split-tunneling - configuration and verificati...
How to configure VPN for multiple subnets?