Wednesday, April 22, 2015

How to allow traffic from SSL VPN to enter an IPsec tunnel on a FortiGate on the same interface

Hi All,
This is my first post in this new blog, where I'm going to publish interesting news and solutions to some select information security problems.

This is a scenario where I had to configure a FortiGate to allow SSL VPN users to access a subnet located behind an IPsec VPN tunnel that terminates on the same FortiGate interface the SSL VPN users connect to.

Something like this.


I did not want to spend too much time on this diagram, but hopefully you've got the idea.

I will not explain here how to set up your IPsec tunnel or SSL VPN; there is plenty of documentation on how to do that.
I'll just show the tricky part.


These are all the rules I have on the FortiGate so far (I removed irrelevant rules so you would not be confused).
We are interested in the Local_LAN subnet (the left subnet on the diagram) and the Data_Centre subnet (the right one).

The SSL VPN user connects to the WAN1 interface of the office FortiGate.

Rule 1 - allows Local_LAN users to connect to the data centre.
Rule 4 - allows Local_LAN users to connect to the internet.
Rule 6 - allows SSL VPN users to connect to Local_LAN.

Here comes the tricky part:
You need rule 7 first, to push the route to the Data_Centre subnet to the SSL VPN client.
After you have created this rule, make sure to reconnect the SSL VPN client. On the client you can check the routes (the "route print" command on Windows) and you should see your Data_Centre subnet among them. You will never see any packet count on this rule, but without it nothing will work.

Rule 5 is the one that actually sends packets from the SSL VPN into the IPsec tunnel.

Two remarks:
In my case the SSL VPN clients get an IP address from the same subnet as Local_LAN, which is why rule 5 says Local_LAN -> Data_Centre. If you have a separate subnet for your SSL VPN users, change it accordingly.

When recreating the rules:
- you need 1 rule from wan1 to wan1 to push the route
- 1 rule from ssl.root to wan1 to get packets to the network on the remote side of the IPsec VPN
- 1 rule from wan1 to local_lan to allow local LAN access (but I assume that is already done)
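To make the three rules concrete, here is how they look on the CLI. This is an added illustration written by me for this post, not a dump from the FortiGate in the screenshot: the policy IDs follow the numbering above, but the address object names (Local_LAN, Data_Centre), the user group name (SSLVPN_Users) and the tunnel name (to_Data_Centre) are placeholders, and it assumes a policy-based IPsec tunnel (action ipsec on wan1) and the FortiOS 5.0-era policy syntax that was current when this was written. Check the exact keywords against the CLI reference of the release you run, because the SSL VPN policy syntax changed in later FortiOS versions.

```fortios
config firewall policy
    # Rule 7 - wan1 to wan1, never matches traffic; its only job is to make
    # the FortiGate push the Data_Centre route to the SSL VPN client
    # (reconnect the client after adding it and confirm with "route print").
    edit 7
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "Data_Centre"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "SSLVPN_Users"
                set service "ALL"
            next
        end
    next
    # Rule 5 - ssl.root to wan1, carries the SSL VPN traffic into the IPsec
    # tunnel. srcaddr is Local_LAN because the SSL VPN pool is carved out of
    # the Local_LAN subnet here; use the SSL VPN pool object if it is separate.
    edit 5
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "Local_LAN"
        set dstaddr "Data_Centre"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "to_Data_Centre"
        set inbound enable
        set outbound enable
    next
    # Rule 6 - wan1 to local_lan, the usual SSL VPN access to the local LAN
    # (probably already in place).
    edit 6
        set srcintf "wan1"
        set dstintf "local_lan"
        set srcaddr "all"
        set dstaddr "Local_LAN"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "SSLVPN_Users"
                set service "ALL"
            next
        end
    next
end
```

Two things worth keeping tight on rule 5: the srcaddr should be the SSL VPN address pool (or, as here, the subnet it is taken from) rather than "all", and the service should be narrowed to what the data centre actually needs once it works; otherwise every SSL VPN user gets the same reach into the remote site as the whole office LAN does through rule 1. The zero hit count on rule 7 is expected, so do not "clean it up" later because it looks unused.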


Hopefully this helps. Do not hesitate to ask if you have any questions.


