Somashekara_Hanumant
Article Id 194276

Description

This article explains how to access IPsec remote resources through the SSLVPN web portal.

Network topology:

SSLVPN Webmode <-> FortiGate1 <- IPsec Tunnel -> FortiGate2 <-> Internal LAN.

Solution
Configure IPSec Site-to-Site VPN on FortiGate1.
Configure the SSLVPN web portal.

Configure a local user under User & Device. In this example 'ssl-user' is configured.

Configure the SSLVPN settings.

Configure the firewall policy from SSLVPN to the IPsec tunnel on FortiGate1.

Configure the IPsec VPN on FortiGate2.

Configure an IP address on the IPsec interface.

After adding the phase 2 selector with the SSLVPN address as the remote address, add a static route on FGT2.
The destination is the remote subnet and the interface is the IPsec tunnel created earlier.
The SSLVPN subnet also needs to be part of the IPsec phase 2 selector and of the SSLVPN-to-IPsec policies.
Configure the firewall policy from the IPsec tunnel to the LAN on FGT2.
In the source, add the SSLVPN subnet along with the remote subnet.
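The FGT2-side pieces described above (phase 2 selectors, static routes and the tunnel-to-LAN policy) written out as an added FortiOS CLI example. This is not the article's own configuration: the phase1 name "to-fgt1", the LAN interface port2, the address object names, the FGT1 LAN 10.30.0.0/24 and the SSLVPN client range 10.212.134.0/24 are assumed; 10.40.9.0/24 is taken from the web server address in the article and 20.20.20.20 from the FGT1 IPsec interface IP shown in the debug output.

```fortios
# FortiGate2 (FGT2). Assumed values: phase1 "to-fgt1", LAN interface "port2",
# FGT1 LAN 10.30.0.0/24, SSLVPN client range 10.212.134.0/24,
# FGT1 IPsec interface IP 20.20.20.20 (source of web-mode SSLVPN traffic).
config firewall address
    edit "fgt1-lan"
        set subnet 10.30.0.0 255.255.255.0
    next
    edit "sslvpn-clients"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "fgt1-ipsec-ip"
        set subnet 20.20.20.20 255.255.255.255
    next
end

# Phase 2 selectors: one entry per remote prefix the tunnel must carry.
# Web-mode traffic is sourced from FGT1's IPsec interface IP and tunnel-mode
# traffic from the SSLVPN client range, so both are listed next to the FGT1 LAN.
# A source not covered here is dropped with "No matching IPsec selector, drop".
config vpn ipsec phase2-interface
    edit "to-fgt1-lan"
        set phase1name "to-fgt1"
        set src-subnet 10.40.9.0 255.255.255.0
        set dst-subnet 10.30.0.0 255.255.255.0
    next
    edit "to-fgt1-sslvpn"
        set phase1name "to-fgt1"
        set src-subnet 10.40.9.0 255.255.255.0
        set dst-subnet 10.212.134.0 255.255.255.0
    next
    edit "to-fgt1-ipsec-ip"
        set phase1name "to-fgt1"
        set src-subnet 10.40.9.0 255.255.255.0
        set dst-subnet 20.20.20.20 255.255.255.255
    next
end

# Return routes: replies to each remote prefix must leave through the tunnel.
config router static
    edit 0
        set dst 10.30.0.0 255.255.255.0
        set device "to-fgt1"
    next
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "to-fgt1"
    next
    edit 0
        set dst 20.20.20.20 255.255.255.255
        set device "to-fgt1"
    next
end

# Tunnel-to-LAN policy listing every remote source; a source missing here is
# denied by policy even when the phase 2 selector already matches it.
config firewall policy
    edit 0
        set name "ipsec-to-lan"
        set srcintf "to-fgt1"
        set dstintf "port2"
        set srcaddr "fgt1-lan" "sslvpn-clients" "fgt1-ipsec-ip"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

After applying this, `diagnose vpn tunnel list` on either FortiGate shows the negotiated selectors (the proxyid entries), which is the quickest way to confirm that 20.20.20.20 and the SSLVPN range are covered before re-running the debug flow trace.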
'ssl-user' now logs in to the SSLVPN web portal and opens the 'https' bookmark, which points to http://10.40.9.78 (the web server).

From the following debug flow output the packet flow can be traced:
# diagnose debug reset
# diagnose debug disable
# diagnose debug flow filter addr 10.40.9.78
# diagnose debug flow filter dport 80
# diagnose debug flow trace start 400
# diagnose debug enable
The source address is 20.20.20.20, which is the IPsec VPN interface IP. If no IP address is configured on the IPsec interface, the management interface IP address is used as the source instead; if that IP range is not added to the phase 2 quick mode selectors, the debug flow shows the error 'No matching IPsec selector, drop'.
id=20085 trace_id=897 func=print_pkt_detail line=5430 msg="vd-root:0 received a packet(proto=6, 20.20.20.20:19759->10.40.9.78:80) from local. flag [S], seq 1114552580, ack 0, win 65535"
id=20085 trace_id=897 func=init_ip_session_common line=5595 msg="allocate a new session-000f4075"
id=20085 trace_id=897 func=ipsecdev_hard_start_xmit line=759 msg="enter IPsec interface-ipsec"
id=20085 trace_id=897 func=esp_output4 line=904 msg="IPsec encrypt/auth"
id=20085 trace_id=897 func=ipsec_output_finish line=622 msg="send to 10.5.22.168 via intf-port1"