FortiGate
rmetzger (Staff)
Article Id 189815

Purpose

This article provides a configuration example for setting up SSL VPN in tunnel mode with split tunneling on a FortiGate unit running FortiOS firmware version 5.0 or 5.2.


Scope

FortiGate unit or VDOM in NAT mode.
FortiOS firmware version 5.0 and 5.2.


Diagram

The following network diagram illustrates this example:

PC1 -- Internet -- port1-[ FortiGate ]- port2 ---- [ internal resource ] -- Server
              192.168.140.124       10.129.0.124    10.129.0.(110-254)   10.129.0.114


Expectations, Requirements

The requirements are:

- PC1 should access all internal resources via the SSL VPN gateway in tunnel mode.
- PC1 should access all other internet destinations via its local gateway.

To fulfill this last requirement, split tunneling will be enabled.


Configuration
Only the relevant parts of the configuration are provided, in CLI form.


config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set end-ip 10.212.134.210
        set start-ip 10.212.134.200
    next
    edit "port2_Internal_resources"
        set type iprange
        set end-ip 10.129.0.140
        set start-ip 10.129.0.110
    next
end

On Version 5.0

config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end


config user local
    edit "test"
        set type password
        set passwd 123456
    next
end

config user group
    edit "test_ssl"
        set member "test"
    next
end

config vpn ssl web portal
    edit "tunnel-access"
            config widget
                edit 1
                    set name "Tunnel Mode"
                    set type tunnel
                    set split-tunneling enable
                    set ip-pools "SSLVPN_TUNNEL_ADDR1"
                    set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
                next
                edit 2
                    set name "Session Information"
                    set type info
                next
            end
    next
end

config router static
    edit 2
        set device "ssl.root"
        set dst 10.212.134.0 255.255.255.0
    next
end

config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "port2_Internal_resources"
        set action ssl-vpn
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set groups "test_ssl"
                    set service "ALL"
                    set sslvpn-portal "tunnel-access"
                next
            end
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "port2_Internal_resources"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

On Version 5.2 onwards

config firewall address
    edit "Internal_subnet"
        set uuid 0a22b0ce-c166-51e4-c063-cfa0873cfecb
        set associated-interface "port2"
        set subnet 10.129.0.0 255.255.254.0
    next
end

config user local
    edit "test"
        set type password
        set passwd-time 2015-01-02 03:29:25
        set passwd 123456
    next
end


config user group
    edit "test_SSL"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "test"
    next
end


config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "test_SSL"
                set portal "full-access"
            next
        end
end

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set mac-addr-check enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "Internal_subnet"
        set page-layout double-column
            config mac-addr-check-rule
                edit "1"
                    set mac-addr-list 00:98:12:fe:3e:12
                next
            end
    next
end



config router static
    edit 2
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

config firewall policy
    edit 2
        set uuid 0f6ddc5c-c166-51e4-ef47-01fba69ab5ca
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "test_SSL"
        set nat enable
    next
end

The firewall policy can also be created while configuring the SSL VPN settings; for more information, refer to the video below:
http://video.fortinet.com/video/110/ssl-vpn-for-remote-users-5-2

Verification

1 - Open the SSL VPN portal: https://192.168.140.124:10443

2 - Log in and click on "Tunnel Mode" --> "Connect"; the tunnel link status should be "UP".


3 - Check the FortiSSL interface status on PC1:

C:\ ipconfig /all
C:\Documents and Settings\xxxxx>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : xxxxx
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 T Server Adapter #2
        Physical Address. . . . . . . . . : 00-50-56-01-69-2A
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.128.0.142
        Subnet Mask . . . . . . . . . . . : 255.255.254.0
        Default Gateway . . . . . . . . . : 10.128.0.131

PPP adapter fortissl:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.212.134.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :


4 - Check the PC1 routing table, looking for the subnet(s) of the internal resources:

C:\ route print
C:\Documents and Settings\xxxx>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 01 69 2a ...... Intel(R) PRO/1000 T Server Adapter #2 - Packet Scheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.128.0.131    10.128.0.142       10
       10.128.0.0    255.255.254.0     10.128.0.142    10.128.0.142       10
     10.128.0.142  255.255.255.255        127.0.0.1       127.0.0.1       10
       10.129.0.0    255.255.254.0   10.212.134.200  10.212.134.200       1
   10.212.134.200  255.255.255.255        127.0.0.1       127.0.0.1       50
   10.255.255.255  255.255.255.255     10.128.0.142    10.128.0.142       10
   10.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
  192.168.140.124  255.255.255.255     10.128.0.131    10.128.0.142       1
        224.0.0.0        240.0.0.0     10.128.0.142    10.128.0.142       10
        224.0.0.0        240.0.0.0   10.212.134.200  10.212.134.200       50
  255.255.255.255  255.255.255.255     10.128.0.142    10.128.0.142       1
  255.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       1
Default Gateway:      10.128.0.131
===========================================================================
Persistent Routes:
  None

Note here that the route to 10.129.0.0/23 (netmask 255.255.254.0, the internal subnet) points to the FortiGate SSL VPN gateway, while the default route still uses the local default gateway.
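As an added check (not part of the original article), the following Python script parses the 'route print' output from step 4 and tests the two requirements stated at the top of this article, plus the host route to the gateway that keeps the tunnel's own traffic off the tunnel. The routing-table excerpt it uses is constructed from the one shown above; 10.129.0.0/23 is the internal subnet from the 5.2 configuration.

```python
import ipaddress
import re

# Constructed excerpt of the 'route print' output shown in step 4 (PC1 with the tunnel up).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.128.0.131    10.128.0.142       10
       10.128.0.0    255.255.254.0     10.128.0.142    10.128.0.142       10
       10.129.0.0    255.255.254.0   10.212.134.200  10.212.134.200       1
   10.212.134.200  255.255.255.255        127.0.0.1       127.0.0.1       50
  192.168.140.124  255.255.255.255     10.128.0.131    10.128.0.142       1
Default Gateway:      10.128.0.131
"""
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from 'route print' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and 'Default Gateway:' do not match
        dst, mask, gw, iface, metric = m.groups()
        routes.append((ipaddress.ip_network(f"{dst}/{mask}", strict=False),
                       ipaddress.ip_address(gw), ipaddress.ip_address(iface), int(metric)))
    return routes

def verify_split_tunnel(text, tunnel_ip, internal_subnets, vpn_gateway):
    """Check the three properties a working split tunnel shows in the client routing table."""
    tunnel_ip, vpn_gateway = ipaddress.ip_address(tunnel_ip), ipaddress.ip_address(vpn_gateway)
    routes = parse_routes(text)
    via_tunnel = [net for net, _gw, iface, _metric in routes if iface == tunnel_ip]
    return {
        # The default route must stay on the LAN adapter: internet traffic bypasses the VPN.
        "split_tunnel": not any(net.prefixlen == 0 for net in via_tunnel),
        # Every internal subnet (split-tunneling-routing-address) is pushed over the tunnel.
        "internal_via_tunnel": all(ipaddress.ip_network(s) in via_tunnel for s in internal_subnets),
        # A /32 to the SSL VPN gateway via the local gateway keeps the tunnel itself out of the tunnel.
        "gateway_host_route": any(net.prefixlen == 32 and net.network_address == vpn_gateway
                                  and iface != tunnel_ip for net, _gw, iface, _metric in routes),
    }
```

If the default route were listed with the fortissl address as its interface, "split_tunnel" would be False, which is what a full-tunnel portal (split-tunneling disabled) produces.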



Troubleshooting
A sniffer trace launched from the FortiGate CLI helps in troubleshooting connectivity issues, as in the CLI command example below:

FGT # diagnose sniffer packet  any "host 10.160.0.110 and port 80" 4


46.928415 ssl.root in 10.0.0.1.4117 -> 10.160.0.110.80: syn 1910220645
46.930144 port2 out 10.160.0.136.36979 -> 10.160.0.110.80: syn 1910220645
46.930434 port2 in 10.160.0.110.80 -> 10.160.0.136.36979: syn 315656354 ack 1910220646
46.930482 ssl.root out 10.160.0.110.80 -> 10.0.0.1.4117: syn 315656354 ack 1910220646




Note that because NAT is enabled on the firewall policy, the packet sent out on port2 is sourced from the FortiGate's port2 IP address (10.160.0.136 in this trace) rather than from the client's tunnel address.

If NAT had NOT been enabled, the packet sent out on port2 would keep the source IP from the SSL VPN tunnel pool range:

FGT # diagnose sniffer packet  any "host 10.160.0.110 and port 80" 4


28.802447 ssl.root in 10.0.0.1.4269 -> 10.160.0.110.80: syn 3870100179
28.802516 port2 out 10.0.0.1.4269 -> 10.160.0.110.80: syn 3870100179
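To make this comparison mechanical, the following Python script (added here, not from the article) parses sniffer lines in the verbosity-4 format shown above, pairs the SYN seen entering on ssl.root with the same SYN leaving on port2, and reports whether source NAT changed the address. The trace lines are constructed from the two traces above.

```python
import re

# Constructed trace lines in the format printed by 'diagnose sniffer packet any "..." 4'
# (verbosity 4 prints the interface name), based on the two traces in this article.
TRACE_WITH_NAT = """\
46.928415 ssl.root in 10.0.0.1.4117 -> 10.160.0.110.80: syn 1910220645
46.930144 port2 out 10.160.0.136.36979 -> 10.160.0.110.80: syn 1910220645
46.930434 port2 in 10.160.0.110.80 -> 10.160.0.136.36979: syn 315656354 ack 1910220646
46.930482 ssl.root out 10.160.0.110.80 -> 10.0.0.1.4117: syn 315656354 ack 1910220646
"""
TRACE_WITHOUT_NAT = """\
28.802447 ssl.root in 10.0.0.1.4269 -> 10.160.0.110.80: syn 3870100179
28.802516 port2 out 10.0.0.1.4269 -> 10.160.0.110.80: syn 3870100179
"""
PKT_RE = re.compile(r"^(?P<ts>\S+) (?P<intf>\S+) (?P<dir>in|out) (?P<src>[\d.]+)\.(?P<sport>\d+)"
                    r" -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>.*)$")

def parse_sniffer(text):
    """Return one dict per packet line; lines that do not match (e.g. the prompt) are skipped."""
    return [m.groupdict() for m in map(PKT_RE.match, text.splitlines()) if m]

def source_nat_check(text, ingress="ssl.root", egress="port2"):
    """Pair each SYN entering on the tunnel with the same SYN leaving on the LAN side.

    NAT rewrites addresses and ports but not the TCP flags/sequence string, so that
    string plus the destination identifies the packet on both interfaces; a different
    source address on egress means the policy applied source NAT.
    """
    pkts = parse_sniffer(text)
    results = []
    for p in pkts:
        if p["intf"] != ingress or p["dir"] != "in" or not p["flags"].startswith("syn "):
            continue
        for q in pkts:
            if q["intf"] == egress and q["dir"] == "out" and q["flags"] == p["flags"] and q["dst"] == p["dst"]:
                results.append({"client": p["src"], "egress_src": q["src"], "nat": q["src"] != p["src"]})
    return results
```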



