Technical Note: FortiGate SSL VPN in tunnel mode with split-tunneling - configuration and verification
Products
FortiGate v5.0
FortiGate v5.2
Purpose
This article provides a configuration example to set up SSL VPN in tunnel mode with split-tunneling on a FortiGate unit running FortiOS firmware version 5.0 or 5.2.
Scope
FortiGate unit or VDOM in NAT mode.
FortiOS firmware version 5.0 and 5.2.
Diagram
The following network diagram illustrates this example:

PC1 -- Internet -- port1-[ FortiGate ]- port2 ---- [ internal resource ] -- Server
              192.168.140.124       10.129.0.124    10.129.0.(110-254)   10.129.0.114
Expectations, Requirements
The requirements are:

    PC1 should access all internal resources via the SSL VPN gateway in tunnel mode.
    PC1 should access all other internet destinations with its local gateway.

To fulfill this last requirement, split-tunneling will be enabled: only traffic for the internal subnet(s) is routed into the tunnel, everything else keeps using the client's local gateway.
Configuration
Only the relevant parts of the configuration are provided, in CLI form.


config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set end-ip 10.212.134.210
        set start-ip 10.212.134.200
    next
    edit "port2_Internal_resources"
        set type iprange
        set end-ip 10.129.0.140
        set start-ip 10.129.0.110
    next
end

On Version 5.0

config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end


config user local
    edit "test"
        set type password
        set passwd 123456
    next
end

config user group
    edit "test_ssl"
        set member "test"
    next
end

config vpn ssl web portal
    edit "tunnel-access"
            config widget
                edit 1
                    set name "Tunnel Mode"
                    set type tunnel
                    set split-tunneling enable
                    set ip-pools "SSLVPN_TUNNEL_ADDR1"
                    set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
                next
                edit 2
                    set name "Session Information"
                    set type info
                next
            end
    next
end

config router static
    edit 2
        set device "ssl.root"
        set dst 10.212.134.0 255.255.255.0
    next
end

config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "port2_Internal_resources"
        set action ssl-vpn
        set identity-based enable
            config identity-based-policy
                edit 1
                    set schedule "always"
                    set groups "test_ssl"
                    set service "ALL"
                    set sslvpn-portal "tunnel-access"
                next
            end
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "port2_Internal_resources"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

On Version 5.2 onwards

config firewall address
    edit "Internal_subnet"
        set uuid 0a22b0ce-c166-51e4-c063-cfa0873cfecb
        set associated-interface "port2"
        set subnet 10.129.0.0 255.255.254.0
    next
end

config user local
    edit "test"
        set type password
        set passwd-time 2015-01-02 03:29:25
        set passwd 123456
    next
end


config user group
    edit "test_SSL"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "test"
    next
end


config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
        config authentication-rule
            edit 1
                set groups "test_SSL"
                set portal "full-access"
            next
        end
end

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set mac-addr-check enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "Internal_subnet"
        set page-layout double-column
            config mac-addr-check-rule
                edit "1"
                    set mac-addr-list 00:98:12:fe:3e:12
                next
            end
    next
end



config router static
    edit 2
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

config firewall policy
    edit 2
        set uuid 0f6ddc5c-c166-51e4-ef47-01fba69ab5ca
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "test_SSL"
        set nat enable
    next
end

The firewall policy can also be created while configuring the SSL VPN settings; for more information, refer to the video below:
https://video.fortinet.com/video/110/ssl-vpn-for-remote-users-5-2
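The objects above only work together if they agree with each other: the static route for the tunnel pool must point at ssl.root, the policy from ssl.root must allow the pool to reach the split-tunnel subnets, and the pool must not overlap the subnets pushed to the client (otherwise the client would route its own tunnel address into the tunnel). The following script is an added example, not Fortinet code: it parses the config / edit / set / next / end layout used on this page and runs those checks against a constructed copy of the 5.2 objects (the pool address object is the one from the 5.0 section). The function names and the check messages are this example's own.

```python
import ipaddress
import shlex

# Constructed sample assembled from the configuration objects on this page.
SAMPLE_CONFIG = """
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "Internal_subnet"
        set subnet 10.129.0.0 255.255.254.0
    next
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "Internal_subnet"
    next
end
config router static
    edit 2
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end
config firewall policy
    edit 2
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal_subnet"
        set action accept
        set groups "test_SSL"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: block -> entry -> {key: [values]}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, cur = tokens[0], stack[-1]
        if kw in ("config", "edit"):          # open a nested block
            stack.append(cur.setdefault(" ".join(tokens[1:]), {}))
        elif kw == "set":                     # values are always kept as a list
            cur[tokens[1]] = tokens[2:]
        elif kw in ("next", "end"):           # close the innermost block
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword: {raw.strip()}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def address_networks(obj):
    """Networks covered by a firewall address object (ipmask or iprange)."""
    if obj.get("type") == ["iprange"]:
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(obj["start-ip"][0]), ipaddress.ip_address(obj["end-ip"][0])))
    return [ipaddress.ip_network("/".join(obj["subnet"]), strict=False)]


def check_split_tunnel(cfg, portal_name="full-access"):
    """Return a list of findings; an empty list means the objects are consistent."""
    findings = []
    addrs = cfg["firewall address"]
    portal = cfg["vpn ssl web portal"][portal_name]
    pool_name = portal["ip-pools"][0]
    pool_nets = address_networks(addrs[pool_name])
    # 1. every block of the pool must be reachable through a static route on ssl.root
    route_nets = [ipaddress.ip_network("/".join(r["dst"]), strict=False)
                  for r in cfg["router static"].values() if r.get("device") == ["ssl.root"]]
    for net in pool_nets:
        if not any(net.subnet_of(rn) for rn in route_nets):
            findings.append(f"no static route over ssl.root covers pool block {net}")
    # 2. without a routing address the portal pushes a default route (full tunnel)
    split_name = portal.get("split-tunneling-routing-address", [None])[0]
    if split_name is None:
        findings.append("portal has no split-tunneling-routing-address: full tunnel")
        return findings
    split_nets = address_networks(addrs[split_name])
    # 3. the pool must not overlap the subnets the client will route into the tunnel
    for p in pool_nets:
        for s in split_nets:
            if p.overlaps(s):
                findings.append(f"tunnel pool {p} overlaps split-tunnel route {s}")
    # 4. an accept policy from ssl.root must allow pool -> split-tunnel subnets
    if not any(p.get("srcintf") == ["ssl.root"] and p.get("srcaddr") == [pool_name]
               and p.get("dstaddr") == [split_name] and p.get("action") == ["accept"]
               for p in cfg["firewall policy"].values()):
        findings.append("no accept policy from ssl.root for the pool to the split-tunnel subnets")
    return findings


if __name__ == "__main__":
    print(check_split_tunnel(parse_fortios(SAMPLE_CONFIG)) or "consistent")
```

The same parser can be pointed at the output of `show` from a real unit; the checks are the ones that explain most "tunnel is UP but nothing is reachable" cases: a missing or misdirected route for the pool, a policy that names the wrong address objects, or a portal with no routing address so that the client receives a default route instead of the split routes.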
Verification

1 - Open the SSL VPN portal from PC1:

    https://192.168.140.124:10443

2 - Log in and click on "Tunnel Mode" --> "Connect". The tunnel link status should be "UP".


3 - Check the FortiSSL interface status on PC1:

C:\ ipconfig /all
C:\Documents and Settings\xxxxx>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : xxxxx
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 T Server Adapter #2
        Physical Address. . . . . . . . . : 00-50-56-01-69-2A
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.128.0.142
        Subnet Mask . . . . . . . . . . . : 255.255.254.0
        Default Gateway . . . . . . . . . : 10.128.0.131

PPP adapter fortissl:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.212.134.200
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :


4 - Check the PC1 routing table, looking for the subnet(s) of the internal resources:

C:\ route print
C:\Documents and Settings\xxxx>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 01 69 2a ...... Intel(R) PRO/1000 T Server Adapter #2 - Packet Scheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.128.0.131    10.128.0.142       10
       10.128.0.0    255.255.254.0     10.128.0.142    10.128.0.142       10
     10.128.0.142  255.255.255.255        127.0.0.1       127.0.0.1       10
       10.129.0.0    255.255.254.0   10.212.134.200  10.212.134.200       1
   10.212.134.200  255.255.255.255        127.0.0.1       127.0.0.1       50
   10.255.255.255  255.255.255.255     10.128.0.142    10.128.0.142       10
   10.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
  192.168.140.124  255.255.255.255     10.128.0.131    10.128.0.142       1
        224.0.0.0        240.0.0.0     10.128.0.142    10.128.0.142       10
        224.0.0.0        240.0.0.0   10.212.134.200  10.212.134.200       50
  255.255.255.255  255.255.255.255     10.128.0.142    10.128.0.142       1
  255.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       1
Default Gateway:      10.128.0.131
===========================================================================
Persistent Routes:
  None

Note here that the route to 10.129.0.0 (netmask 255.255.254.0) points to the FortiGate SSL VPN gateway through the tunnel address 10.212.134.200, while the default route 0.0.0.0 still uses the local default gateway 10.128.0.131. The host route to 192.168.140.124 via the local gateway is also expected: it keeps the SSL VPN connection itself out of the tunnel.
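A scripted version of this check, added here as an example and not part of the original note: it parses the route print output above (embedded as a constructed sample), does a longest-prefix lookup for internal hosts, for the VPN gateway, and for an external address (203.0.113.10, a documentation address chosen here as a stand-in for any internet destination), and reports when any of them would take the wrong path. A second constructed table with the default route moved onto the tunnel adapter shows what a full tunnel looks like to the same check.

```python
import ipaddress
import re

# Constructed sample: the 'route print' table captured on PC1 with the tunnel up.
ROUTE_PRINT = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.128.0.131    10.128.0.142       10
       10.128.0.0    255.255.254.0     10.128.0.142    10.128.0.142       10
     10.128.0.142  255.255.255.255        127.0.0.1       127.0.0.1       10
       10.129.0.0    255.255.254.0   10.212.134.200  10.212.134.200       1
   10.212.134.200  255.255.255.255        127.0.0.1       127.0.0.1       50
   10.255.255.255  255.255.255.255     10.128.0.142    10.128.0.142       10
   10.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
  192.168.140.124  255.255.255.255     10.128.0.131    10.128.0.142       1
        224.0.0.0        240.0.0.0     10.128.0.142    10.128.0.142       10
        224.0.0.0        240.0.0.0   10.212.134.200  10.212.134.200       50
  255.255.255.255  255.255.255.255     10.128.0.142    10.128.0.142       1
  255.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       1
Default Gateway:      10.128.0.131
"""

# Constructed counter-example: same table, but the default route now leaves
# via the tunnel adapter, i.e. split tunneling is NOT in effect.
FULL_TUNNEL_ROUTE_PRINT = ROUTE_PRINT.replace(
    "10.128.0.131    10.128.0.142       10\n", "10.212.134.200  10.212.134.200       10\n", 1)

# destination, netmask, gateway (an IP or "On-link" on newer Windows), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Extract the IPv4 'Active Routes' rows from Windows 'route print' output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                           "gateway": gw, "interface": ipaddress.ip_address(iface),
                           "metric": int(metric)})
    return routes


def lookup(routes, dst):
    """Longest-prefix match (lowest metric on ties), as the host's IP stack does it."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def verify_split_tunnel(routes, tunnel_ip, internal_hosts, vpn_gateway,
                        external_host="203.0.113.10"):
    """Return findings; empty means internal hosts go through the tunnel and nothing else does."""
    tunnel_ip = ipaddress.ip_address(tunnel_ip)
    findings = []
    for host in internal_hosts:
        r = lookup(routes, host)
        if r is None or r["interface"] != tunnel_ip:
            findings.append(f"{host} is not routed through the SSL VPN tunnel")
    for host in (vpn_gateway, external_host):
        r = lookup(routes, host)
        if r is None or r["interface"] == tunnel_ip:
            findings.append(f"{host} would be sent into the tunnel: split tunneling not in effect")
    return findings


if __name__ == "__main__":
    for label, text in (("split tunnel", ROUTE_PRINT), ("full tunnel", FULL_TUNNEL_ROUTE_PRINT)):
        result = verify_split_tunnel(parse_route_print(text), "10.212.134.200",
                                     ["10.129.0.114"], "192.168.140.124")
        print(label, result or "OK")
```

On a real client, feed the script the output of `route print` (or `Get-NetRoute` converted to the same columns) and pass the tunnel IP shown by `ipconfig /all` for the fortissl adapter; the interface column is what matters, because a route whose interface is the tunnel address is one the client will send into the VPN regardless of the gateway value printed next to it.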


Internal Notes
This KB article should be maintained by: TAC/TAC-L3
Articles with very similar or duplicate content exist:  none
Content of this KB article could be integrated to another article: none
Is this article relevant to currently supported product versions: yes
What currently supported versions is this article relevant to: 4.3/5.0 <- sniffer portion relevant for 5.0, the configuration portion only relevant for 4.0
Is this article ONLY relevant to non-supported versions: no
If this article was written for an unsupported version, can it be modified/updated for a supported one: yes/no
Is this topic already documented in TechDocs: partially SSL VPN configuration steps are in the tech docs
Do you propose this article to be discontinued/moved to internal KB area: NO - still relevant for 4.0
Article was rewritten, as a result of this evaluation: no
Changes done: NA
Other remarks and recommendations: A 5.0 CLI oriented document should be created.
Date this article was evaluated: 2013-05-01
Evaluated by: Don Kempt, dkempt@fortinet.com, TAC L1
Related Articles
Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate with sniffer, debug flow, session list, routing table
Last Modified Date: 03-05-2015 Document ID: FD31467