FortiGate
Article Id 193420
Description
An SSL VPN is typically used to provide access to the local network behind the FortiGate unit. It is also possible, however, to provide SSL VPN clients with access to a remote network connected through an interface-based IPSec VPN.

This article describes how to add SSLVPN-to-IPSec VPN connectivity to an existing topology containing both SSL and IPSec VPNs.
Components
Two FortiGate units, model unimportant.

Existing Topology
There is an SSL-VPN on FortiGate A and an interface-based IPSec VPN between FortiGate A and FortiGate B, but the configuration does not permit communication between the SSL-VPN users and the internal network on FortiGate B.

For detailed information about configuring an SSL-VPN, see the SSL-VPN User Guide. For detailed information about configuring IPSec VPNs, see the IPSec VPN User Guide.

FortiGate A

FortiGate A provides, on its public interface, both an SSL VPN to its internal network and an IPsec VPN to the FortiGate B internal network.

Existing SSL-VPN
The FortiGate unit is configured to provide SSL-VPN access to the internal network for clients connecting through the public interface (WAN1, for example). SSL-VPN clients are assigned addresses in the range 192.168.2.40-45. The firewall policy for the SSL-VPN looks like this:
  • Source Interface: WAN1
  • Source Address: all
  • Destination Interface: Internal
  • Destination Address: Local_Subnet
     (local Internal network 192.168.1.0/24)
  • Action: SSL-VPN
Existing IPSec VPN
The FortiGate unit has an interface-based VPN to FortiGate B as follows:
  • Interface: WAN1
  • Virtual IPSec interface name: REMOTE

Firewall Policy 1

  • Source Interface: Internal
  • Source Address: Local_Subnet
     (local Internal network 192.168.1.0/24)
  • Destination Interface: REMOTE
  • Destination Address: FGT_B_Subnet
     (FortiGate B internal network 192.168.5.0/24)
  • Action: Accept
Firewall Policy 2
  • Source Interface: REMOTE
  • Source Address: FGT_B_Subnet
     (FortiGate B internal network 192.168.5.0/24)
  • Destination Interface: Internal
  • Destination Address: Local_Subnet
     (local Internal network 192.168.1.0/24)
  • Action: Accept
Routing
A static route directs traffic with destination addresses in the 192.168.5.0/24 subnet to the REMOTE interface.

FortiGate B

FortiGate B provides an IPSec VPN tunnel from its internal network to the FortiGate A internal network, as follows:
  • Interface: WAN1
  • Virtual IPSec interface name: REMOTE_A

Firewall Policy

  • Source Interface: REMOTE_A
  • Source Address: FGT_A_Subnet
     (FortiGate A Internal network 192.168.1.0/24)
  • Destination Interface: Internal
  • Destination Address: FGT_B_Subnet
     (FortiGate B Internal network 192.168.5.0/24)
  • Action: Accept
There could be a second policy with Source and Destination reversed to allow hosts on the FortiGate B internal network to initiate connections to FortiGate A.

Routing
A static route directs traffic with destination addresses in the 192.168.1.0/24 subnet to the REMOTE_A interface.

Modify FortiGate A configuration
You must add firewall policies to permit traffic between the IPSec VPN and the SSL-VPN clients.

Policy 1

  • Source Interface: REMOTE
  • Source Address: FGT_B_Subnet
     (FortiGate B Internal network 192.168.5.0/24)
  • Destination Interface: WAN1
  • Destination Address: SSL-VPN_Clients
     (SSL-VPN client addresses 192.168.2.40-45)
  • Action: Accept
Policy 2
  • Source Interface: WAN1
  • Source Address: all
  • Destination Interface: REMOTE
  • Destination Address: FGT_B_Subnet
     (FortiGate B Internal network 192.168.5.0/24)
  • Action: SSL-VPN

Routing
Add a static route to direct traffic with destination addresses in the 192.168.5.0/24 subnet to the REMOTE interface.

Modify FortiGate B configuration
You must modify the firewall policy to also allow traffic from the SSL-VPN clients on FortiGate A to go to the local Internal network. Firewall policies permit multiple source or destination addresses. Simply add the SSL-VPN_Clients address to the policy. The firewall policy now looks like this:
  • Source Interface: REMOTE_A
  • Source Address: FGT_A_Subnet, SSL-VPN_Clients
     (FortiGate A Internal network 192.168.1.0/24)
     (SSL-VPN client addresses 192.168.2.40-45)
  • Destination Interface: Internal
  • Destination Address: FGT_B_Subnet
     (FortiGate B Internal network 192.168.5.0/24)
  • Action: Accept
If there is a policy for traffic in the opposite direction, also add the SSL-VPN_Clients address to its Destination Address field.

Routing
Add a static route to direct traffic with destination addresses in the 192.168.2.0/24 subnet to the REMOTE_A interface.
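As an added, constructed example (not Fortinet's code and not FortiOS CLI syntax), the following Python models the order in which a FortiGate decides whether a session is allowed, a route lookup to find the egress interface followed by the first matching policy on that interface pair, and replays the topology above before and after the changes on both units. Interface and address object names come from the article; the host addresses 192.168.2.42, 192.168.2.50 and 192.168.5.10 are constructed, and the route that reaches the SSL-VPN client pool via WAN1 on FortiGate A is an assumption standing in for what FortiOS does implicitly. FortiGate A already routes 192.168.5.0/24 to REMOTE, so only its policies change in the model.

```python
from ipaddress import ip_address, ip_network

# Address objects named as in the article; "all" (None) matches any address.
ADDRESSES = {
    "all": None,
    "Local_Subnet": ip_network("192.168.1.0/24"),   # FortiGate A internal
    "FGT_A_Subnet": ip_network("192.168.1.0/24"),   # the same subnet as defined on B
    "FGT_B_Subnet": ip_network("192.168.5.0/24"),   # FortiGate B internal
    "SSL-VPN_Clients": (ip_address("192.168.2.40"), ip_address("192.168.2.45")),  # IP range
}

def addr_match(name, ip):
    obj = ADDRESSES[name]
    if obj is None:
        return True
    if isinstance(obj, tuple):                      # IP range object
        return obj[0] <= ip <= obj[1]
    return ip in obj                                # subnet object

def route_lookup(routes, ip):                       # longest-prefix match -> egress interface
    ip = ip_address(ip)
    hits = [(net, dev) for net, dev in routes if ip in net]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None
def policy(srcintf, srcaddr, dstintf, dstaddr, action):
    return dict(srcintf=srcintf, srcaddr=srcaddr, dstintf=dstintf, dstaddr=dstaddr, action=action)
def forward(routes, policies, srcintf, src, dst):
    """Route first to find the egress interface, then take the first matching policy."""
    src, dst = ip_address(src), ip_address(dst)
    dstintf = route_lookup(routes, dst)
    if dstintf is None:
        return "drop: no route"
    for p in policies:
        if (p["srcintf"] == srcintf and p["dstintf"] == dstintf
                and any(addr_match(a, src) for a in p["srcaddr"])
                and any(addr_match(a, dst) for a in p["dstaddr"])):
            return p["action"]
    return "drop: no policy"

# FortiGate A. Assumption: the SSL-VPN client pool is reached via WAN1 (implicit in FortiOS).
A_ROUTES = [(ip_network("192.168.1.0/24"), "Internal"), (ip_network("192.168.5.0/24"), "REMOTE"),
            (ip_network("192.168.2.0/24"), "WAN1")]
A_BEFORE = [policy("WAN1", ["all"], "Internal", ["Local_Subnet"], "ssl-vpn"),
            policy("Internal", ["Local_Subnet"], "REMOTE", ["FGT_B_Subnet"], "accept"),
            policy("REMOTE", ["FGT_B_Subnet"], "Internal", ["Local_Subnet"], "accept")]
A_AFTER = A_BEFORE + [policy("REMOTE", ["FGT_B_Subnet"], "WAN1", ["SSL-VPN_Clients"], "accept"),
                      policy("WAN1", ["all"], "REMOTE", ["FGT_B_Subnet"], "ssl-vpn")]
# FortiGate B: the single policy is widened with SSL-VPN_Clients and a return route is added.
B_ROUTES_BEFORE = [(ip_network("192.168.5.0/24"), "Internal"), (ip_network("192.168.1.0/24"), "REMOTE_A")]
B_ROUTES_AFTER = B_ROUTES_BEFORE + [(ip_network("192.168.2.0/24"), "REMOTE_A")]
B_BEFORE = [policy("REMOTE_A", ["FGT_A_Subnet"], "Internal", ["FGT_B_Subnet"], "accept")]
B_AFTER = [policy("REMOTE_A", ["FGT_A_Subnet", "SSL-VPN_Clients"], "Internal", ["FGT_B_Subnet"], "accept")]
```

Calling forward() with the "before" tables shows each hop where an SSL-VPN client session is dropped (no policy on A, wrong source address on B, no return route on B), and the "after" tables show the same session accepted end to end while an address outside the client range is still refused.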