
SSL VPN Users Need To Connect With IPSEC Remote Networks

Scenario:

In this article we will discuss the scenario where SSL VPN users need to reach resources on the remote side of an IPSEC tunnel. The network diagram below shows the requirement more clearly.

[Image: Network Diagram]

Let's say the IPSEC local network is “10.0.0.0/24”

The IPSEC remote network is “10.0.1.0/24”

The SSL VPN IP network is “10.81.234.0/24”

Now our requirement is to establish connectivity between “10.81.234.0/24” (the SSL VPN range) and “10.0.1.0/24” (the IPSEC VPN remote network).

First we need to establish the SSL VPN connection; you can follow this article:

SSL VPN

Follow this article to configure IPSEC between the “10.0.0.0/24” and “10.0.1.0/24” networks:

IPSEC

Once you have established the IPSEC VPN tunnel and the SSL VPN tunnel, we need to make the following changes.

Step-1:

Log in to the first firewall GUI and click VPN >> SSL VPN remote access. Add the IPSEC remote network (10.0.1.0/24) under permitted network resources, so that when users connected to the SSL VPN start pinging 10.0.1.0/24, the traffic is sent into the SSL VPN tunnel and hits the first firewall.

[Image: SSL VPN permitted network resources]

Now identify the SSL VPN IP address range under VPN >> Show VPN settings, as shown below.

[Image: SSL VPN range]

We need to add this network as a local network in the first firewall's IPSEC connection, as shown in the image below.

[Image: Firewall 1 IPSEC VPN subnets]

We need to add the same network as a remote subnet on the second firewall, as shown in the image below.

[Image: Firewall 2 IPSEC VPN subnets]

Now we have modified the VPN policies so that whenever an SSL VPN user tries to access the remote network of the IPSEC VPN, the traffic hits the first firewall and is then forwarded through the IPSEC tunnel to the second firewall.

Now the routing part is completed, but there must also be a firewall rule to allow this traffic. For that, log in to firewall 1 and create a firewall rule under Rules and policies. Here we need to allow requests coming in from the SSL VPN tunnel and going out through the IPSEC tunnel, so the firewall rule should be as follows:

[Image: First firewall rule (VPN to VPN)]

In the above firewall rule the source zone and the destination zone must both be VPN, as the traffic enters from the SSL VPN tunnel and leaves through the IPSEC VPN tunnel.

You need to create a firewall rule on the second firewall as well, to allow traffic from the IPSEC VPN tunnel to its LAN network, as follows:

[Image: Second firewall rule (VPN to LAN)]

Now that we have configured the VPN policies and firewall rules, traffic from the SSL VPN range should reach the remote network through the VPN tunnels.

Note:

Ping must be enabled in the VPN zone to allow ICMP traffic through the firewall. Click Administration >> Device Access and enable ping in the VPN zone as follows:

[Image: Ping enabled in the VPN zone]

If this option is disabled you cannot send ping packets through the VPN tunnel. You must enable ping on both firewalls.
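The whole procedure above (permitted SSL VPN resources, the IPSEC local/remote subnets on both firewalls, the two firewall rules with their zones, and per-zone ping under Device Access) as an added Python model. This is example code written for this article, not Sophos code and not part of the original post: it walks a packet from an SSL VPN client to the remote LAN through both firewalls and reports which configuration step is missing. The class and function names, the zone classification (a network-to-zone map with WAN as the fallback) and the "first matching rule wins, otherwise drop" evaluation are assumptions of the model, not the firewall's actual behaviour; the addresses are the ones used in the article.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Addresses from the article; the firewall names are the article's "first"/"second" firewall.
SSL_VPN_RANGE = ip_network("10.81.234.0/24")
FW1_LAN = ip_network("10.0.0.0/24")   # IPSEC local network on firewall 1
FW2_LAN = ip_network("10.0.1.0/24")   # IPSEC remote network, i.e. firewall 2's LAN


def covered(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    src_nets: list
    dst_nets: list
    action: str = "accept"

    def matches(self, src_zone, dst_zone, src, dst):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and covered(src, self.src_nets) and covered(dst, self.dst_nets))


@dataclass
class Firewall:
    name: str
    zones: dict                    # network -> zone name (assumed classification model)
    ipsec_local: list              # IPSEC connection: local subnets
    ipsec_remote: list             # IPSEC connection: remote subnets
    rules: list
    ping_zones: set = field(default_factory=set)     # zones with ping enabled in Device Access
    sslvpn_permitted: list = field(default_factory=list)  # SSL VPN permitted network resources

    def zone_of(self, addr):
        for net, zone in self.zones.items():
            if addr in net:
                return zone
        return "WAN"

    def allows(self, src, dst):
        """First matching rule decides; no match means the implicit drop."""
        sz, dz = self.zone_of(src), self.zone_of(dst)
        for rule in self.rules:
            if rule.matches(sz, dz, src, dst):
                return rule.action == "accept"
        return False


def check_path(fw1, fw2, src, dst, icmp=True):
    """Walk an SSL VPN client packet through both firewalls; return a list of problems."""
    src, dst = ip_address(src), ip_address(dst)
    problems = []
    # Step 1: the SSL VPN client only routes dst into the tunnel if it is a permitted resource.
    if not covered(dst, fw1.sslvpn_permitted):
        problems.append(f"{fw1.name}: {dst} not in SSL VPN permitted network resources")
    # Firewall 1's IPSEC selector must cover SSL VPN source -> remote destination.
    if not (covered(src, fw1.ipsec_local) and covered(dst, fw1.ipsec_remote)):
        problems.append(f"{fw1.name}: IPSEC local/remote subnets do not select {src}->{dst}")
    if not fw1.allows(src, dst):
        problems.append(f"{fw1.name}: no rule allows {fw1.zone_of(src)}->{fw1.zone_of(dst)}")
    # Firewall 2 sees the selector mirrored: its remote subnets must include the SSL VPN range.
    if not (covered(dst, fw2.ipsec_local) and covered(src, fw2.ipsec_remote)):
        problems.append(f"{fw2.name}: IPSEC remote subnets do not include {src}")
    if not fw2.allows(src, dst):
        problems.append(f"{fw2.name}: no rule allows {fw2.zone_of(src)}->{fw2.zone_of(dst)}")
    if icmp:  # the note above: ping must be enabled in the VPN zone on both firewalls
        for fw in (fw1, fw2):
            if "VPN" not in fw.ping_zones:
                problems.append(f"{fw.name}: ping not enabled in VPN zone under Device Access")
    return problems


def build_firewalls(fw2_remote_includes_sslvpn=True, ping_enabled=True):
    """Both firewalls as the article configures them; the flags switch single steps off."""
    fw2_remote = [FW1_LAN] + ([SSL_VPN_RANGE] if fw2_remote_includes_sslvpn else [])
    ping = {"LAN", "VPN"} if ping_enabled else {"LAN"}
    fw1 = Firewall(
        name="Firewall-1",
        zones={FW1_LAN: "LAN", SSL_VPN_RANGE: "VPN", FW2_LAN: "VPN"},
        ipsec_local=[FW1_LAN, SSL_VPN_RANGE],        # SSL VPN range added as a local subnet
        ipsec_remote=[FW2_LAN],
        rules=[Rule("VPN", "VPN", [SSL_VPN_RANGE], [FW2_LAN])],   # the "VPN to VPN" rule
        ping_zones=ping,
        sslvpn_permitted=[FW1_LAN, FW2_LAN],         # step 1: remote LAN added as a resource
    )
    fw2 = Firewall(
        name="Firewall-2",
        zones={FW2_LAN: "LAN", FW1_LAN: "VPN", SSL_VPN_RANGE: "VPN"},
        ipsec_local=[FW2_LAN],
        ipsec_remote=fw2_remote,                     # SSL VPN range added as a remote subnet
        rules=[Rule("VPN", "LAN", [FW1_LAN, SSL_VPN_RANGE], [FW2_LAN])],  # the "VPN to LAN" rule
        ping_zones=ping,
    )
    return fw1, fw2


if __name__ == "__main__":
    fw1, fw2 = build_firewalls()
    print(check_path(fw1, fw2, "10.81.234.10", "10.0.1.20"))   # [] means reachable
    fw1, fw2 = build_firewalls(fw2_remote_includes_sslvpn=False)
    for problem in check_path(fw1, fw2, "10.81.234.10", "10.0.1.20"):
        print("-", problem)
```

Running it with one step left out (the SSL VPN range missing from firewall 2's remote subnets) reports exactly that step, which is the kind of check worth doing before opening a troubleshooting case. Note that both rules in the model are scoped to the SSL VPN range and the remote LAN rather than Any-to-Any; keeping the VPN-to-VPN and VPN-to-LAN rules this narrow is the least-privilege way to build them, since the VPN zone on firewall 1 carries every SSL VPN client and every IPSEC peer.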

If you are still not able to access the resources, this article will help you troubleshoot the issue:

IPSEC troubleshooting

Hope this article helps you.