ojacinto
Staff
Article Id 194797

Description

This article describes how to configure the phase 2 selectors, routing and firewall policies on FortiGate so that a FortiClient SSL VPN user can reach a remote LAN across a site-to-site IPsec VPN.

[Topology diagram (image ojacinto_FD37058_tn_FD37058.jpg): FortiClient SSL VPN user, FortiGate1, site-to-site IPsec VPN, FortiGate2, remote LAN]

 

Scope

FortiGate and FortiClient.


Solution

Once the SSL VPN tunnel is up, the FortiClient user's traffic is sourced from the SSL VPN address pool (192.168.100.0/24 in this example). For that traffic to cross the site-to-site IPsec VPN, a phase 2 selector covering the SSL VPN pool and the remote LAN must exist on the tunnel, and a firewall policy must allow traffic from ssl.root to the IPsec tunnel interface.

This has to be configured on both FortiGates of the site-to-site VPN: the selectors must mirror each other (the source subnet on one side is the destination subnet on the other), and the second FortiGate needs a policy from its tunnel interface to its LAN. With interface-based (route-based) IPsec, as used here, each FortiGate also needs a route for the far-side subnet via its tunnel interface (the remote LAN via VPNForti on FortiGate1, the SSL VPN pool via VPN_FORTI on FortiGate2); those routes are not shown in the captured output below. If SSL VPN split tunneling is enabled, the remote LAN (192.168.1.0/24) must also be part of the split-tunnel routing address, otherwise FortiClient never sends that traffic into the SSL VPN. The 3des-sha1 proposal in the captured configuration is legacy; use AES with SHA-2 where both peers support it.

First FortiGate
 
 
FG80CM3914601321 (VPN_forti2) # show  full-configuration

config vpn ipsec phase2-interface
    edit "VPN_forti2"
        set auto-negotiate enable
        set comments ''
        set dst-addr-type subnet
        set dst-port 0
        set encapsulation tunnel-mode
        set keepalive enable
        set keylife-type seconds
        set pfs disable
        set phase1name "VPNForti"
        set proposal 3des-sha1
        set protocol 0
        set replay enable
        set src-addr-type subnet
        set src-port 0
        set dst-subnet 192.168.1.0 255.255.255.0        >>>>>>  Remote LAN (behind FortiGate2)
        set keylifeseconds 3600
        set src-subnet 192.168.100.0 255.255.255.0    >>>>>>  Local side: SSL VPN address pool
    next
end

 
Firewall policy
 
FG80CM3914601321 # config firewall policy
FG80CM3914601321 (policy) # edit 15
FG80CM3914601321 (15) # show
config firewall policy
    edit 15
        set srcintf "ssl.root"
        set dstintf "VPNForti"
        set srcaddr "poolvpn"
        set dstaddr "Remote_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 
Second FortiGate
 
FG80CM3914601323 (phase2-interface) # edit VPN_FORTI2

FG80CM3914601323 (VPN_FORTI2) # show  full-configuration
config vpn ipsec phase2-interface
    edit "VPN_FORTI2"
        set phase1name "VPN_FORTI"
        set proposal 3des-sha1
        set pfs disable
        set replay enable
        set keepalive enable
        set auto-negotiate enable
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 3600
        set src-subnet 192.168.1.0 255.255.255.0         >>>>>>>> LAN on the second FortiGate
        set dst-subnet 192.168.100.0 255.255.255.0     >>>>>>>>  SSL VPN address pool on the first FortiGate
    next
end


 
Firewall policy
 
FG80CM3914601323 # config firewall policy

FG80CM3914601323 (policy) # edit 4

FG80CM3914601323 (4) # show
config firewall policy
    edit 4
        set srcintf "VPN_FORTI"
        set dstintf "internal"
        set srcaddr "pool_VPN1"
        set dstaddr "VPN_FORTI_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: VPN_FORTI (Created by VPN wizard)"
    next
end
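The classic failure here is a selector that does not mirror its peer (for example the SSL VPN pool missing on one side, or a wider subnet on the other). The following script is an added example, not code from this article or from Fortinet: it parses the `show full-configuration` output of `config vpn ipsec phase2-interface` pasted from each unit and checks that FortiGate1 has a selector for pool -> remote LAN, that FortiGate2 has the reverse, and that the two are exact mirrors. The sample configuration text is constructed from the values above (names and subnets only), and the function names are this example's own.

```python
"""Check that the phase 2 selectors on both FortiGates of a site-to-site
IPsec VPN mirror each other and cover the SSL VPN pool -> remote LAN flow.

Added example, not code from the Fortinet article. It parses the
`show full-configuration` output of `config vpn ipsec phase2-interface`
pasted from each unit; the sample text below is constructed from the
article's values (names, subnets) and keeps only the lines that matter."""
import ipaddress
import re

# Constructed sample input: FortiGate1 (SSL VPN side)
FG1_PHASE2 = """
config vpn ipsec phase2-interface
    edit "VPN_forti2"
        set phase1name "VPNForti"
        set src-addr-type subnet
        set dst-addr-type subnet
        set dst-subnet 192.168.1.0 255.255.255.0
        set src-subnet 192.168.100.0 255.255.255.0
    next
end
"""
# Constructed sample input: FortiGate2 (remote LAN side)
FG2_PHASE2 = """
config vpn ipsec phase2-interface
    edit "VPN_FORTI2"
        set phase1name "VPN_FORTI"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end
"""
SSL_POOL = ipaddress.ip_network("192.168.100.0/24")   # FortiClient address pool
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")   # LAN behind FortiGate2

_EDIT_SPLIT = re.compile(r'^\s*edit "', re.M)
_SUBNET_RE = re.compile(r'^\s*set (src|dst)-subnet (\S+) (\S+)\s*$', re.M)


def parse_phase2(text):
    """Map each phase2-interface entry name to its {'src': net, 'dst': net} selectors."""
    entries = {}
    for block in _EDIT_SPLIT.split(text)[1:]:
        name, body = block.split('"', 1)
        sel = {}
        for side, addr, mask in _SUBNET_RE.findall(body):
            # FortiOS prints dotted masks; ipaddress accepts "addr/mask" directly
            sel[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries[name] = sel
    return entries


def _covers(sel, src, dst):
    """True when the selector's src/dst subnets contain the given src/dst networks."""
    return ("src" in sel and "dst" in sel
            and src.subnet_of(sel["src"]) and dst.subnet_of(sel["dst"]))


def check_selectors(fg1_text, fg2_text, pool, remote_lan):
    """Return a list of problems (empty means the two sides line up).

    FortiGate1 must have a selector with pool -> remote_lan, FortiGate2 the
    reverse; the safe configuration is an exact mirror of the two."""
    problems = []
    fg1 = {n: s for n, s in parse_phase2(fg1_text).items() if _covers(s, pool, remote_lan)}
    fg2 = {n: s for n, s in parse_phase2(fg2_text).items() if _covers(s, remote_lan, pool)}
    if not fg1:
        problems.append(f"FortiGate1: no phase 2 selector covers {pool} -> {remote_lan}")
    if not fg2:
        problems.append(f"FortiGate2: no phase 2 selector covers {remote_lan} -> {pool}")
    if fg1 and fg2 and not any(a["src"] == b["dst"] and a["dst"] == b["src"]
                               for a in fg1.values() for b in fg2.values()):
        problems.append("selectors cover the flow but are not exact mirrors; "
                        "quick mode negotiation may fail or pick another tunnel")
    return problems


if __name__ == "__main__":
    issues = check_selectors(FG1_PHASE2, FG2_PHASE2, SSL_POOL, REMOTE_LAN)
    print("selectors OK" if not issues else "\n".join(issues))
```

Paste the real output of both units in place of the constructed samples; a selector that merely contains the pool (say 192.168.0.0/16) is reported separately from one that is missing, because the two cases are fixed differently.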
 
 
Test of communication

From the PC connected with FortiClient, which received 192.168.100.1 from the SSL VPN pool, ping the remote host 192.168.1.99 and capture the ICMP traffic on both FortiGates:

FortiGate1
 
FG80CM3914601321 # diagnose sniffer packet any 'host 192.168.100.1 and icmp' 4
interfaces=[any]
filters=[host 192.168.100.1 and icmp]
45.162715 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
45.162810 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
45.163373 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
45.163495 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
46.167723 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
46.167742 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
46.168210 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
46.168277 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
47.175292 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
47.175312 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
47.175776 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
47.175845 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
48.185852 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
48.185872 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
48.186336 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
48.186404 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply

FortiGate2
 
FG80CM3914601323 # diagnose sniffer packet any 'host 192.168.100.1 and icmp' 4
interfaces=[any]
filters=[host 192.168.100.1 and icmp]
2.209624 VPN_FORTI in 192.168.100.1 -> 192.168.1.99: icmp: echo request
2.209792 VPN_FORTI out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
3.214933 VPN_FORTI in 192.168.100.1 -> 192.168.1.99: icmp: echo request
3.215024 VPN_FORTI out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
4.221116 VPN_FORTI in 192.168.100.1 -> 192.168.1.99: icmp: echo request
4.221221 VPN_FORTI out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
5.231420 VPN_FORTI in 192.168.100.1 -> 192.168.1.99: icmp: echo request
5.231513 VPN_FORTI out 192.168.1.99 -> 192.168.100.1: icmp: echo reply

The trace on FortiGate1 shows the echo request arriving on ssl.root, leaving through the IPsec interface VPNForti, and the reply returning the same way; on FortiGate2 the request arrives on VPN_FORTI and the reply leaves on it. If the request is seen entering ssl.root but never leaving VPNForti, check the route to the remote LAN and the ssl.root-to-VPNForti policy on FortiGate1; if it leaves VPNForti but no reply returns, check the phase 2 selectors and the policy and route on FortiGate2.
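Reading a sniffer trace by eye works for one ping, but the same check is easy to automate. The script below is an added example, not part of this article: it parses the `diagnose sniffer packet any '<filter>' 4` output, extracts the hop sequence of one echo request/reply round trip, compares it with the path expected on FortiGate1 and points at the stage where the trace stops. The capture text is the FortiGate1 output above (trimmed to the first round trips); the expected hop list, the hints and the function names are this example's own assumptions about the topology. For FortiGate2 the same functions apply with an expected list of tunnel-in, LAN-out, LAN-in, tunnel-out.

```python
"""Walk a FortiGate `diagnose sniffer packet any '<filter>' 4` capture and
confirm an ICMP echo took the expected path through the unit.

Added example, not part of the Fortinet article. The capture text is the
FortiGate1 output from the article (trimmed); the expected hop list for
FortiGate1 (ssl.root in -> VPNForti out -> VPNForti in -> ssl.root out)
and the troubleshooting hints are this example's own assumptions."""
import re

# Constructed sample: FortiGate1 capture, as printed at verbosity level 4
FG1_CAPTURE = """\
interfaces=[any]
filters=[host 192.168.100.1 and icmp]
45.162715 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
45.162810 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
45.163373 VPNForti in 192.168.1.99 -> 192.168.100.1: icmp: echo reply
45.163495 ssl.root out 192.168.1.99 -> 192.168.100.1: icmp: echo reply
46.167723 ssl.root in 192.168.100.1 -> 192.168.1.99: icmp: echo request
46.167742 VPNForti out 192.168.100.1 -> 192.168.1.99: icmp: echo request
"""

CLIENT, TARGET = "192.168.100.1", "192.168.1.99"

# Hops one echo request/reply should produce on FortiGate1 (assumed topology)
FG1_EXPECTED = [
    ("ssl.root", "in", "echo request"),
    ("VPNForti", "out", "echo request"),
    ("VPNForti", "in", "echo reply"),
    ("ssl.root", "out", "echo reply"),
]

# What it usually means when the trace stops before expected hop N (0-based)
HINTS = {
    0: "nothing captured: the client's packets are not reaching this FortiGate",
    1: "request entered but was never sent into the tunnel: check the route to the "
       "remote LAN via the tunnel interface and the ssl.root -> tunnel policy",
    2: "request went into the tunnel but no reply came back: check the phase 2 "
       "selectors on both peers and the policy/route on the remote FortiGate",
    3: "reply came back from the tunnel but was not delivered to the client",
}

_LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"icmp: (?P<kind>echo request|echo reply)$"
)


def parse_sniffer(text):
    """Return one dict per packet line; header lines and other text are skipped."""
    pkts = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts


def observed_hops(pkts, client, target):
    """(interface, direction, kind) sequence for the first request/reply round trip."""
    hops = []
    for p in pkts:
        fwd = p["kind"] == "echo request" and (p["src"], p["dst"]) == (client, target)
        rev = p["kind"] == "echo reply" and (p["src"], p["dst"]) == (target, client)
        if not (fwd or rev):
            continue
        hop = (p["intf"], p["dir"], p["kind"])
        if hop in hops:          # the same hop again means the next ping started
            break
        hops.append(hop)
    return hops


def diagnose(hops, expected):
    """'ok: ...' when hops match expected, otherwise 'FAIL: ...' with a hint."""
    n = 0
    while n < min(len(hops), len(expected)) and hops[n] == expected[n]:
        n += 1
    if n == len(expected) and len(hops) == n:
        return "ok: " + " -> ".join(f"{i} {d}" for i, d, _ in hops)
    if n < len(hops):
        want = expected[n] if n < len(expected) else "end of round trip"
        return f"FAIL: unexpected hop {hops[n]}, expected {want}"
    return f"FAIL: trace stops before hop {n + 1} {expected[n]}; " + HINTS.get(n, "")


if __name__ == "__main__":
    trace = observed_hops(parse_sniffer(FG1_CAPTURE), CLIENT, TARGET)
    print(diagnose(trace, FG1_EXPECTED))
```

Run it against the real capture by replacing the constructed text; a trace that ends after "VPNForti out" is the signature of a selector or far-side policy problem, while one that never gets past "ssl.root in" points at FortiGate1's own route or policy.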

 

Related Articles

Technical Note: FortiGate SSL VPN in tunnel mode with split-tunneling - configuration and verificati...

How to configure VPN for multiple subnets?
