In this recipe, you will configure a site-to-site IPsec VPN so that remote users who connect to FGT_1 over SSL VPN can reach the network behind FGT_2. This involves a pre-existing user group, a tunnel-mode SSL VPN with split tunneling, and a route-based IPsec VPN between two FortiGates.
In the example, all sessions must be initiated from the SSL VPN side. If you want sessions to be initiated from the FGT_2 subnet towards SSL VPN clients, you will need additional policies (FGT_2 tunnel interface to internal on FGT_2, and the IPsec tunnel interface to ssl.root on FGT_1). Furthermore, if the destination subnet is beyond FGT_2 (if traffic has to cross additional routers), those routers need a return route for the SSL VPN subnet as well, or replies will never reach the tunnel.
PREP 20 mins COOK 5 mins TOTAL 25 mins
1. Configuring the site-to-site IPsec VPN on FGT_1

Go to VPN > IPsec Wizard. Name the VPN connection and select Site to Site.

Set IP Address to the public address of FGT_2 and set Outgoing Interface to the Internet-facing interface. Select Pre-shared Key for Authentication Method and enter the pre-shared key.

Set Local Interface to the internal interface and set Local Subnets to include both the internal subnet and the SSL VPN subnet for FGT_1. Set Remote Subnets to include the internal subnet for FGT_2. Including the SSL VPN subnet here is what places it in the phase 2 (quick mode) selectors; without it, traffic sourced from SSL VPN client addresses will not match the tunnel.

A summary page shows the configuration created by the wizard, including firewall address groups (for both local subnets as well as the remote subnet), static routes, and security policies.
2. Configuring SSL VPN settings

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to wan1. To avoid a port conflict with the administrative HTTPS interface, set Listen on Port to 10443. Set Restrict Access to Allow access from any host (this exposes the portal on port 10443 to any source; limit it to known client addresses if you can). Under Tunnel Mode Client Settings, enable Specify custom IP ranges and select the SSL VPN address range created by the IPsec VPN wizard, so that clients receive addresses that are already covered by the tunnel selectors.

Under Authentication/Portal Mapping, map the VPN user group to the tunnel-access portal. Set All Other Users/Groups to the web-access portal, so that only members of the group receive a tunnel.
3. Configuring the SSL VPN portal

Go to VPN > SSL-VPN Portals and edit the tunnel-access portal. Turn on Enable Split Tunneling so that only traffic destined for the local or remote networks is sent through FGT_1 and subjected to the corporate security profiles; all other client traffic goes directly to the Internet.

Next to Routing Address, add the local and remote IPsec VPN address groups created by the IPsec VPN wizard. These are the routes FortiClient installs on the user's computer, so the remote subnet must be listed here or traffic for it will never enter the tunnel. Next to Source IP Pools, add the SSL VPN address range created by the IPsec VPN wizard.
4. Adding policies on FGT_1

Go to Policy & Objects > IPv4 Policy and create a new policy that allows SSL VPN users access to the internal network. Set Incoming Interface to ssl.root and Outgoing Interface to internal. Set Source to the SSL VPN address range created by the IPsec VPN wizard and add the VPN user group, so that only authenticated members of the group match. Set Destination to the local IPsec VPN subnet (the address object that represents the internal subnet). Set the Schedule and set Service to ALL. Enable NAT.

Create another policy that allows SSL VPN users access to the IPsec VPN tunnel. Set Incoming Interface to ssl.root and Outgoing Interface to the IPsec tunnel interface (in this case, Site1). Set Source to the SSL VPN address range created by the IPsec VPN wizard and add the VPN user group. Set Destination to the remote IPsec VPN subnet. Set the Schedule and set Service to ALL. Leave NAT disabled on this policy: FGT_2 is configured with the SSL VPN subnet in its remote selectors, so the client source addresses must be preserved across the tunnel.
5. Configuring the site-to-site IPsec VPN on FGT_2

Go to VPN > IPsec Wizard. Name the VPN connection and select Site to Site.

Set IP Address to the public address of FGT_1 and set Outgoing Interface to the Internet-facing interface. Select Pre-shared Key for Authentication Method and enter the pre-shared key that matches the FGT_1 configuration.

Set Local Interface to the internal interface and set Local Subnets to include the internal network subnet for FGT_2. Set Remote Subnets to include both the internal subnet and the SSL VPN subnet for FGT_1; the selectors must mirror those on FGT_1.

A summary page shows the configuration created by the wizard, including firewall address groups (for the local subnet as well as both remote subnets), static routes, and security policies.
6. Results

Go to Monitor > IPsec Monitor, highlight the tunnel, and select Bring Up.
Verify that the tunnel Status changes to Up.
Configure the SSL VPN connection on the user's FortiClient and connect to the tunnel.
Using Command Prompt/Terminal on the user's computer, send a PING through the tunnel to the remote endpoint and confirm access.
Go to Monitor > Routing Monitor and verify that the routes for the IPsec and SSL VPNs were added.
Go to Monitor > SSL-VPN Monitor and verify the user connectivity.
Go to Log & Report > VPN Events and view the IPsec and SSL tunnel statistics.
Go to FortiView > VPN and view VPN connection activity.
Right-click an entry and select Drill Down to Details for more information about a connection.
7. Debug

To diagnose potential issues, run the following debug commands on FGT_1 using the CLI Console (192.168.177.99 is the host on the remote subnet that you will ping; proto 1 restricts the trace to ICMP, and trace start 2 captures two packets):
    diag debug reset
    diag debug flow show function-name enable
    diag debug flow show iprope enable
    diag debug flow filter addr 192.168.177.99
    diag debug flow filter proto 1
    diag debug flow trace start 2
    diag debug enable

Send a PING through the SSL VPN tunnel to 192.168.177.99 and analyze the debug output: it shows the interface the packet arrived on, the route lookup, and the policy it matched. Disable the debug output with the following command:
    diag debug disable
If the traffic is entering the correct VPN tunnel on FGT_1, run the same commands on FGT_2 to check whether the traffic arrives on the correct tunnel interface there. If it does, confirm that the SSL VPN tunnel range is configured in the remote side's quick mode selectors, since a packet sourced from an SSL VPN client address that does not match a selector is dropped.

You can also run a sniffer on FGT_1 as follows (verbosity level 4 prints the interface name for each packet, so you can see whether the ICMP request leaves on the IPsec tunnel interface and whether a reply comes back):
    diag sniff packet any "host 192.168.177.99 and icmp" 4

If you suspect an IPsec VPN issue, run the following commands on either FortiGate to clear the IKE gateway and log the full IKE negotiation:
    diag debug reset
    diag vpn ike gateway clear
    diag debug application ike -1
    diag debug enable
When you are satisfied with the debug output, disable the debug as follows:
    diag debug disable
|
For more troubleshooting information for SSL VPN and IPsec VPN, refer to the following: