Fortinet IPSec Client VPN Failing Due To Local-In Policies

I recently reconfigured my Fortigate to offer IKEv2 IPSec VPN instead of SSL. Fortinet is discontinuing support for SSL VPN and other features on models with 2GB RAM. This includes the 40 and 60 series Fortigates; IPSec will still work.

I had done this sort of configuration before; it's documented in many places, so I won't repeat it here. After 15-20 minutes of config, I was able to connect to the VPN using a local username and password on the Fortigate BUT couldn't pass traffic. I ran debug flows and captures, and everything looked correct: I would see the packets allowed by policy and sent to the correct interface, but no return traffic.

I searched everywhere and tried everything until I found a note in a KB article about geo-IP restrictions on local-in policies.

Local-In Policies

You cannot use standard GUI firewall policies to filter traffic that is destined for the Fortigate itself (as opposed to traffic with a destination behind the Fortigate). Most people "firewall" the management interfaces by using the trusted hosts associated with the admin username. With the proliferation of CVEs for Fortigate SSL VPN I wanted to cut down that surface as well: enter local-in policies. They must be configured through the CLI, but they allow you to apply standard firewall constructs to VPN, FGM, and management traffic. I had limited access to the SSL-VPN to only the United States geo-IP location to cut down on scanners. There is a bug where a geo-IP restriction applied to SSL-VPN causes the IPSec VPN traffic to have the problem I was experiencing. As soon as I removed the geo-IP restriction from SSL-VPN, BAM, my IPSec traffic worked perfectly. What a weird bug.
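To make the shape of the problem concrete, here is an added FortiOS CLI example (not the post's own configuration) of an SSL-VPN local-in policy scoped by a geography address object, the "before" that the post describes, alongside the "after" with that geo-IP scoping removed, plus the debug-flow commands used to confirm IKE/ESP return traffic. The interface name "wan1", the address object name "US-only", the policy IDs, the test client address 203.0.113.10 (a constructed documentation-range value) and the exact CLI keywords are assumptions; check them against the FortiOS CLI reference for your build.

```fortios
# Added example, not the post's configuration. Assumed: WAN interface "wan1",
# geography address object "US-only", policy IDs 1-3, and the predefined
# services HTTPS (SSL VPN on TCP/443), IKE (UDP/500 and UDP/4500) and ESP.

# Geography-based address object used to scope the SSL VPN listener.
config firewall address
    edit "US-only"
        set type geography
        set country "US"
    next
end

# --- Before: SSL VPN local-in policies scoped by geo-IP ---
# Local-in policies are evaluated top-down; traffic matching none of them is
# handled by the interface's normal service settings, so an accept-from-US
# policy is paired with an explicit deny-from-everywhere-else policy.
# Per the post, this geo-IP scoping on the SSL VPN policy is what broke
# return traffic for IPSec clients, even though policy 3 below is unrestricted.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "US-only"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
    # IPSec: IKE and ESP accepted with no geo-IP condition.
    edit 3
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
        set action accept
    next
end

# --- After: remove the geo-IP scoping from the SSL VPN policies ---
# Deleting policies 1 and 2 drops the geography condition; policy 3 for
# IKE/ESP stays as it was.
config firewall local-in-policy
    delete 1
    delete 2
end

# Verification: trace UDP (IKE/NAT-T) from a single test client and confirm
# the packets are accepted and that replies leave on the expected interface.
# 203.0.113.10 is a constructed placeholder for the client's public IP.
diagnose debug reset
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow filter proto 17
diagnose debug flow trace start 50
diagnose debug enable
# ...connect the IPSec client, watch the trace output, then stop tracing:
diagnose debug disable
diagnose debug reset
show firewall local-in-policy
```

The "after" block simply removes the geo-IP condition rather than replacing it with another source restriction; if the SSL VPN listener is no longer needed once clients are on IPSec, disabling it outright removes that surface without relying on a local-in policy at all.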
