FortiGate
acvaldez
Article Id 195086
Description
This article describes how to use the secondary IP address of the WAN interface (a second public IP) for SSL VPN.

Scope
For version 6.2.5.

Solution
Diagram.

SSL VPN Configuration.

VIP Configuration.

Firewall Policy configuration.

This policy allows traffic to reach the VIP (it is the policy that handles packets sent to 100.100.100.101 on port 10443).
# config firewall policy
    edit 4
        set name "SSLVPN_VIP_POLICY"
        set uuid 55f2dba6-1682-51eb-4956-d5660d06e9f2
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "SSL VPN VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Note.
Port2 is acting as the WAN Interface on FortiGate.

FortiClient Configuration.

Result.

Troubleshooting.
# diag debug app fnbamd -1
# diag debug app sslvpn -1
# diag debug enable
Sample debugging output.
FGT_SITE_A (settings) # [1533:root:1f]allocSSLConn:289 sconn 0x7f63a4c8a800 (0:root)
[1533:root:1f]SSL state:before SSL initialization (200.200.200.100)
[1533:root:1f]SSL state:before SSL initialization (200.200.200.100)
[1533:root:1f]client cert requirement: no
[1533:root:1f]SSL state:SSLv3/TLS read client hello (200.200.200.100)
[1533:root:1f]SSL state:SSLv3/TLS write server hello (200.200.200.100)
[1533:root:1f]SSL state:SSLv3/TLS write change cipher spec (200.200.200.100)
[1533:root:1f]SSL state:TLSv1.3 early data (200.200.200.100)
[1533:root:1f]SSL state:TLSv1.3 early data:system lib(200.200.200.100)
[1533:root:1f]SSL state:TLSv1.3 early data (200.200.200.100)
[1533:root:1f]client cert requirement: no
[1533:root:1f]SSL state:SSLv3/TLS read client hello (200.200.200.100)
[1533:root:1f]SSL state:SSLv3/TLS write server hello (200.200.200.100)
[1533:root:1f]SSL state:TLSv1.3 write encrypted extensions (200.200.200.100)
[1533:root:1f]SSL state:SSLv3/TLS write certificate (200.200.200.100)
[1533:root:1f]SSL state:TLSv1.3 write server certificate verify (200.200.200.100)
[1533:root:1f]SSL state:SSLv3/TLS write finished (200.200.200.100)
[1533:root:1f]SSL state:TLSv1.3 early data (200.200.200.100)
[1533:root:1f]SSL state:TLSv1.3 early data:system lib(200.200.200.100)
[1533:root:1f]SSL state:TLSv1.3 early data (200.200.200.100)
[1533:root:1f]SSL state:SSLv3/TLS read finished (200.200.200.100)
[1533:root:1f]SSL state:SSLv3/TLS write session ticket (200.200.200.100)
[1533:root:1f]SSL state:SSLv3/TLS write session ticket (200.200.200.100)
[1533:root:1f]SSL state:SSL negotiation finished successfully (200.200.200.100)

[1533:root:1f]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[1533:root:1f]req: /remote/fortisslvpn_xml
[1533:root:1f]deconstruct_session_id:426 decode session id ok, user=[test_user1],group=[],authserver=[],portal=[full-access],host=[200.200.200.100],realm=[],idx=0,auth=1,sid=70859b7,login=1603612003,access=1603612003,saml_logout_url=no
[1533:root:1f]deconstruct_session_id:426 decode session id ok, user=[test_user1],group=[],authserver=[],portal=[full-access],host=[200.200.200.100],realm=[],idx=0,auth=1,sid=70859b7,login=1603612003,access=1603612003,saml_logout_url=no
[1533:root:1f]req: /remote/licensecheck

[1533:root:1f]deconstruct_session_id:426 decode session id ok, user=[test_user1],group=[],authserver=[],portal=[full-access],host=[200.200.200.100],realm=[],idx=0,auth=1,sid=70859b7,login=1603612003,access=1603612003,saml_logout_url=no
[1533:root:1f]deconstruct_session_id:426 decode session id ok, user=[test_user1],group=[],authserver=[],portal=[full-access],host=[200.200.200.100],realm=[],idx=0,auth=1,sid=70859b7,login=1603612003,access=1603612003,saml_logout_url=no
[1533:root:1f]deconstruct_session_id:426 decode session id ok, user=[test_user1],group=[],authserver=[],portal=[full-access],host=[200.200.200.100],realm=[],idx=0,auth=1,sid=70859b7,login=1603612003,access=1603612003,saml_logout_url=no
[1533:root:1f]req: /remote/sslvpn-tunnel?dns0=8.8.8.8
[1533:root:1f]sslvpn_tunnel_handler,52, Calling rmt_conn_access_ex.
[1533:root:1f]deconstruct_session_id:426 decode session id ok, user=[test_user1],group=[],authserver=[],portal=[full-access],host=[200.200.200.100],realm=[],idx=0,auth=1,sid=70859b7,login=1603612003,access=1603612003,saml_logout_url=no
[1533:root:1f]sslvpn_tunnel_handler,148, Calling tunnel.
[1533:root:1f]tunnelEnter:422 0x7f63a4c8a800:0x7f63a4eff000 sslvpn user[test_user1],type 1,logintime 0 vd 0
[1533:root:1f]sconn 0x7f63a4c8a800 (0:root) vfid=0 local=[100.100.100.100] remote=[200.200.200.100] dynamicip=[10.212.134.200]
[1533:root:1f]Prepare to launch ppp service...
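A debug trace like the one above is easier to verify when reduced to the few facts this setup depends on. The following Python is an added example, not code from the article or from Fortinet: it groups `diag debug app sslvpn -1` lines per connection id and checks that the TLS handshake completed at an acceptable version, that the client reached the tunnel stage, and that the tunnel was bound to the listener the VIP is expected to translate to. The expected listener address (100.100.100.100, the `local=` value in the trace) and the sample lines are assumptions taken from the output shown above.

```python
import re

# Constructed excerpt of the "diag debug app sslvpn -1" output shown above (one connection).
SAMPLE = """\
[1533:root:1f]SSL state:SSL negotiation finished successfully (200.200.200.100)
[1533:root:1f]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[1533:root:1f]req: /remote/fortisslvpn_xml
[1533:root:1f]deconstruct_session_id:426 decode session id ok, user=[test_user1],group=[],authserver=[],portal=[full-access],host=[200.200.200.100],realm=[],idx=0,auth=1,sid=70859b7,login=1603612003,access=1603612003,saml_logout_url=no
[1533:root:1f]req: /remote/sslvpn-tunnel?dns0=8.8.8.8
[1533:root:1f]sconn 0x7f63a4c8a800 (0:root) vfid=0 local=[100.100.100.100] remote=[200.200.200.100] dynamicip=[10.212.134.200]
[1533:root:1f]Prepare to launch ppp service...
"""

# Each sslvpn debug line carries a [pid:vdom:connection-id] prefix; fields of interest are key=[value].
PREFIX = re.compile(r"\[(\d+):(\w+):([0-9a-f]+)\](.*)$")
KV = re.compile(r"(\w+)=\[([^\]]*)\]")

def parse_sslvpn_debug(text):
    """Group debug lines by connection id and extract the facts worth checking."""
    sessions = {}
    for line in text.splitlines():
        m = PREFIX.search(line)
        if not m: continue  # not an sslvpn debug line
        s = sessions.setdefault(m.group(3), {"handshake_ok": False, "requests": [], "ppp": False})
        msg = m.group(4)
        if msg.startswith("SSL established: "):
            s["tls"], s["cipher"] = msg[len("SSL established: "):].split()
        elif msg.startswith("req: "):
            s["requests"].append(msg[5:].split("?")[0])  # drop the query string
        elif "decode session id ok" in msg or msg.startswith("sconn "):
            s.update(KV.findall(msg))  # user/portal/host or local/remote/dynamicip
        s["handshake_ok"] |= "negotiation finished successfully" in msg
        s["ppp"] |= "launch ppp service" in msg
    return sessions

def check_session(s, expected_local, min_tls="TLSv1.2"):
    """Findings for one parsed connection; an empty list means the tunnel came up as designed."""
    findings = []
    if not s["handshake_ok"]:
        findings.append("TLS handshake never completed")
    if s.get("tls", "") < min_tls:  # plain string compare orders TLSv1.0 .. TLSv1.3 correctly
        findings.append(f"negotiated {s.get('tls')} below {min_tls}")
    if s.get("local") != expected_local:  # assumed: the VIP translates the secondary IP to this listener
        findings.append(f"tunnel bound to {s.get('local')}, expected {expected_local}: check the VIP mapping")
    if "/remote/sslvpn-tunnel" not in s["requests"] or not s["ppp"]:
        findings.append("client never reached the tunnel stage (authentication or portal problem)")
    return findings
```

Run `check_session(parse_sslvpn_debug(SAMPLE)["1f"], "100.100.100.100")` against a captured trace; a non-empty list points at the stage where the connection through the secondary IP failed.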