SSL VPN clients accessing remote networks across a site-to-site tunnel
I came across the need to let SSL VPN clients reach networks beyond the spoke firewall, i.e. on the far side of a site-to-site IPsec tunnel. In this instance there is an IPsec LAN-to-LAN VPN tunnel between two sites, which we'll call HQ and Sister-Company. A remote user who connects to the HQ firewall over SSL VPN needs access to a file server on the Sister-Company LAN. Instead of creating a second user account on the Sister-Company firewall, or a second connection profile in the SSL VPN client, we can grant that access from the HQ firewall and let the existing tunnel carry the traffic.
The HQ FortiGate's LAN-to-LAN IPsec VPN MUST be configured in interface (route-based) mode, so the tunnel shows up as a virtual interface that firewall policies and static routes can reference. SSL VPN clients connect to the hub FortiGate, i.e. HQ. The Sister-Company end also has to be willing to carry this traffic: the phase 2 selectors on both sides must cover the SSL VPN client address range (or be 0.0.0.0/0), and Sister-Company needs a policy and a return route for that range back through the tunnel. Without those, pings leave HQ but the replies never come back.
FW policies:
* ssl.root:(SSL VPN client address range) -> VPN_Interface:(Sister-Company subnet), action ACCEPT, with the SSL VPN user group set on the policy. ssl.root is the FortiGate's SSL VPN tunnel interface; VPN_Interface is the IPsec tunnel interface from the route-based VPN.
* On older FortiOS releases that still use SSL-VPN action policies: WAN:(source subnet) -> VPN_Interface:(Sister-Company subnet), action SSL-VPN. The destination addresses on this policy are what identify the "interesting traffic" pushed to the SSL VPN client as split-tunnel routes, so the Sister-Company subnet must be included there, and the group access must be set under this policy.
Route(s):
* Static route for the Sister-Company subnet (Destination_Network) with VPN_Interface as the outgoing device, so the HQ FortiGate forwards the SSL VPN clients' packets into the tunnel rather than out the default route.
Connect with the SSL VPN client and ping a host on the far side; the sent/received byte counters in the SSL VPN client should increment with each ping. If sent increments but received does not, the packets are leaving the client and being dropped further along, most likely because the far end has no policy, return route, or phase 2 selector for the SSL VPN client range, so check the Sister-Company firewall before touching the HQ config again.
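As an added example (not from the original post), here is what the above looks like on the HQ FortiGate CLI for FortiOS 5.4 or later, where SSL VPN policies use the ssl.root interface and split-tunnel routes come from the portal rather than from an SSL-VPN action policy. Every name and address here is an assumption for illustration: the client pool 10.212.134.0/24, the Sister-Company LAN 192.168.50.0/24, the IPsec tunnel interface "HQ-to-Sister", the portal "full-access" and the user group "SSLVPN_Users". The verification commands at the end are standard FortiOS diagnostics.

```text
# --- HQ FortiGate (hub) ---
# Assumed names/addresses (example only): SSL VPN pool 10.212.134.0/24,
# Sister-Company LAN 192.168.50.0/24, tunnel interface "HQ-to-Sister",
# SSL VPN portal "full-access", user group "SSLVPN_Users".

# Address objects for the SSL VPN client pool and the far-side LAN
config firewall address
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 10.212.134.1
        set end-ip 10.212.134.254
    next
    edit "SISTER_LAN"
        set subnet 192.168.50.0 255.255.255.0
    next
end

# Portal: hand the client its address and push the Sister-Company subnet
# as a split-tunnel route (the "interesting traffic" seen in the client)
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_POOL"
        set split-tunneling enable
        set split-tunneling-routing-address "SISTER_LAN"
    next
end

# Policy: SSL VPN clients -> IPsec tunnel interface, restricted to the group
config firewall policy
    edit 0
        set name "SSLVPN-to-Sister"
        set srcintf "ssl.root"
        set dstintf "HQ-to-Sister"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "SISTER_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN_Users"
        set logtraffic all
    next
end

# Static route: send the Sister-Company subnet into the tunnel
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "HQ-to-Sister"
    next
end

# Phase 2 selector covering the client pool (add alongside the existing
# LAN-to-LAN selector if that one only covers the HQ LAN). The Sister-Company
# end needs the mirror image: src 192.168.50.0/24 -> dst 10.212.134.0/24,
# plus a policy from its tunnel interface to its LAN for 10.212.134.0/24
# and a static route for 10.212.134.0/24 pointing at its tunnel interface.
config vpn ipsec phase2-interface
    edit "HQ-to-Sister-sslvpn"
        set phase1name "HQ-to-Sister"
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# --- Verification from the HQ CLI while the client pings a far-side host ---
get router info routing-table all
#   expect a static entry for 192.168.50.0/24 via HQ-to-Sister
diagnose vpn tunnel list
#   confirm the tunnel is up and the 10.212.134.0/24 <-> 192.168.50.0/24
#   selector is present
diagnose sniffer packet HQ-to-Sister 'icmp' 4
#   echo request with no echo reply means the far end is dropping or
#   mis-routing the return traffic; request and reply means HQ is done
```

The sniffer on the tunnel interface is the quickest way to split the problem in two: if echo requests appear there and nothing comes back, the HQ side (policy, route, selector) is working and the fault is on the Sister-Company firewall; if nothing appears at all, the SSL VPN policy or the static route on HQ is the place to look.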