Created on 01-19-2007 12:00 AM
Description | An SSL VPN is typically used to provide access to the local
network behind the FortiGate unit. It is also possible, however, to provide
SSL VPN clients with access to a remote network connected
through an interface-based IPSec VPN. This article describes how to add SSLVPN-to-IPSec VPN connectivity to an existing topology containing both SSL and IPSec VPNs. |
Components | Two FortiGate units, model unimportant. |
Existing Topology |
There is an SSL-VPN on FortiGate A and an interface-based IPSec VPN between FortiGate A and FortiGate B, but the configuration does not permit communication between the SSL-VPN users and the internal network on FortiGate B. For detailed information about configuring an SSL-VPN, see the SSL-VPN User Guide. For detailed information about configuring IPSec VPNs, see the IPSec VPN User Guide.

FortiGate A
FortiGate A provides, on its public interface, both an SSL-VPN to its internal network and an IPSec VPN to the FortiGate B internal network.

Existing SSL-VPN
The FortiGate unit is configured to provide SSL-VPN access to the internal network for clients connecting through the public interface (WAN1, for example). SSL-VPN clients are assigned addresses in the range 192.168.2.40-45. The firewall policy for the SSL-VPN looks like this:
Firewall Policy 1

FortiGate B
FortiGate B provides an IPSec VPN tunnel from its internal network to the FortiGate A internal network, as follows:
Firewall Policy

Routing
A static route directs traffic with destination addresses in the 192.168.1.0/24 subnet to the REMOTE_A interface. |
Modify FortiGate A configuration |
You must add firewall policies to permit traffic between the IPSec VPN and the SSL-VPN clients.
Policy 1

Routing
Add a static route to direct traffic with destination addresses in the 192.168.5.0/24 subnet to the REMOTE interface. |
Modify FortiGate B configuration |
You must modify the firewall policy to also allow traffic from the SSL-VPN clients
on FortiGate A to go to the local Internal network. Firewall policies permit
multiple source or destination addresses. Simply add the SSL-VPN_Clients address
to the policy. The firewall policy now looks like this:
Routing
Add a static route to direct traffic with destination addresses in the 192.168.2.0/24 subnet to the REMOTE_A interface. |
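The changes described above for both units, written out as FortiOS CLI. This is an added example, not configuration from the article. The subnets (192.168.1.0/24 behind FortiGate A, 192.168.5.0/24 behind FortiGate B), the SSL-VPN client range 192.168.2.40-45, the address name SSL-VPN_Clients and the tunnel interface names REMOTE and REMOTE_A come from the article; the CLI syntax (current FortiOS releases rather than the release the 2007 article was written against), the SSL-VPN tunnel interface name ssl.root, the address object names FortiGateA_Internal and FortiGateB_Internal, the policy names, and the existing policy ID 2 on FortiGate B are assumptions.

```text
# --- FortiGate A ---
# Address objects. The client range and the FortiGate B subnet are from the article;
# the object name FortiGateB_Internal is an assumption.
config firewall address
    edit "SSL-VPN_Clients"
        set type iprange
        set start-ip 192.168.2.40
        set end-ip 192.168.2.45
    next
    edit "FortiGateB_Internal"
        set subnet 192.168.5.0 255.255.255.0
    next
end

# Routing: send the FortiGate B internal subnet into the IPSec tunnel interface REMOTE.
config router static
    edit 0
        set dst 192.168.5.0 255.255.255.0
        set device "REMOTE"
    next
end

# Policies between the SSL-VPN tunnel interface (ssl.root, assumed) and the IPSec interface.
# The second policy is only needed if hosts behind FortiGate B initiate connections
# to SSL-VPN clients; otherwise the first policy alone carries the session both ways.
config firewall policy
    edit 0
        set name "SSLVPN-to-SiteB"
        set srcintf "ssl.root"
        set dstintf "REMOTE"
        set srcaddr "SSL-VPN_Clients"
        set dstaddr "FortiGateB_Internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "SiteB-to-SSLVPN"
        set srcintf "REMOTE"
        set dstintf "ssl.root"
        set srcaddr "FortiGateB_Internal"
        set dstaddr "SSL-VPN_Clients"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# --- FortiGate B ---
# The same client range must exist as an address object on this unit too.
config firewall address
    edit "SSL-VPN_Clients"
        set type iprange
        set start-ip 192.168.2.40
        set end-ip 192.168.2.45
    next
end

# Routing: reply traffic for the SSL-VPN client subnet goes back into tunnel interface REMOTE_A.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "REMOTE_A"
    next
end

# Existing REMOTE_A -> internal policy (ID 2 and FortiGateA_Internal are assumptions).
# 'set srcaddr' replaces the whole list, so the existing source address is repeated
# alongside the new one rather than being silently dropped.
config firewall policy
    edit 2
        set srcaddr "FortiGateA_Internal" "SSL-VPN_Clients"
    next
end
```

`service "ALL"` mirrors the article's any-to-any policies, but once these policies exist every SSL-VPN user is one hop from the FortiGate B network, so a tighter build narrows `service` and `dstaddr` on FortiGate A's policy to the hosts and ports those users actually need. After applying, `get router info routing-table all` on each unit should list the new static route against the tunnel interface, and `set logtraffic all` makes the new paths visible in the forward traffic log.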