From ceo.teo.en.ming at gmail.com Sun Oct 31 10:19:03 2021
From: ceo.teo.en.ming at gmail.com (Turritopsis Dohrnii Teo En Ming)
Date: Sun, 31 Oct 2021 18:19:03 +0800
Subject: [Openswan Users] I have solved problems with Fortigate site-to-site IPsec VPN tunnels and SAP Servers in Amazon AWS Cloud for a Company in Singapore on 27 Oct 2021 Wed
Message-ID:

Good day from Singapore,

The situation is as follows.

Site-to-site IPsec VPN Tunnel 1 (SAP-VPN1) => links the Singapore network and the SAP Production Server in Amazon AWS.

Site-to-site IPsec VPN Tunnel 2 (SAP-VPN2) => links the Singapore network and the SAP Development Server in Amazon AWS.

Problem No. 1
=============

When the SAP vendor connects to the SSL VPN, they cannot SSH into the SAP Production and SAP Development servers.

My Solution
===========

Go to the Fortigate 200D firewall.

Click Policy & Objects > IPv4 Policy.

Inside the firewall rule "SSL-VPN tunnel interface (ssl.root) to SAP-VPN1", add SSH under Service.

Inside the firewall rule "SSL-VPN tunnel interface (ssl.root) to SAP-VPN2", add SSH under Service.

Problem No. 2
=============

When the SAP vendor tries to ping/access Singapore Server .16 from the SAP Development Server, the connection fails.

My Solution
===========

My solution is to divert all traffic from Tunnel 2 to Tunnel 1, since no traffic flows through Tunnel 2 at all.

Go to the Fortigate 200D firewall.

Click VPN > IPsec Tunnels.

Expand Custom.

Click on the tunnel "SAP-VPN1".

Under Phase 2 Selectors, change Remote Address from x.x.81.64/255.255.255.255 to x.x.81.0/255.255.255.0.

Click Network > Static Routes.

For the Destination "SAP Production Server (.21 and .249)", it is already using the tunnel interface SAP-VPN1. No need to change.

For the Destination "SAP Development Server (.64 and .65)", change the tunnel interface from SAP-VPN2 to SAP-VPN1.

This is to divert all traffic from Tunnel 2 to Tunnel 1.

Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 31 Oct 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a Systems Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.

-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers

Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************

Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----
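The three GUI changes described in the post, expressed as FortiOS CLI, as an added example that is not part of the original message. The policy and route IDs, the phase2-interface object name and the local source subnet are assumptions, and "x.x" stands for the two address octets the post redacts.

```text
# Problem 1: allow SSH on the ssl.root -> SAP-VPN1 policy (repeat for the SAP-VPN2 policy).
# Policy ID 10 is an assumed placeholder; find the real one with "show firewall policy".
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "SAP-VPN1"
        # "append" keeps the services already on the rule; "set service" would replace them
        append service "SSH"
    next
end

# Problem 2: widen the SAP-VPN1 Phase 2 remote selector from the single dev host
# (x.x.81.64/32) to the whole x.x.81.0/24 subnet. The phase2 object is assumed to
# carry the same name as the tunnel; 192.168.1.0/24 is a placeholder local subnet.
config vpn ipsec phase2-interface
    edit "SAP-VPN1"
        set phase1name "SAP-VPN1"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet x.x.81.0 255.255.255.0
    next
end

# Problem 2: point the static route for the dev server address object at SAP-VPN1
# instead of SAP-VPN2. Route ID 5 is an assumed placeholder.
config router static
    edit 5
        set dstaddr "SAP Development Server (.64 and .65)"
        set device "SAP-VPN1"
    next
end

# Check after the change: the Phase 2 selector now covers the whole /24, so the
# destination addresses on the firewall policies, not the tunnel selector, are what
# limit which AWS hosts SSL VPN users can reach. Confirm the new SA was negotiated with:
# diagnose vpn tunnel list name SAP-VPN1
```

With the selector widened, the static routes decide which destinations enter SAP-VPN1 and the policy destination objects decide which of them a given source may reach, so both should be reviewed together after the change.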