Technical Note: FortiGate SSL VPN in tunnel mode with split-tunneling - configuration and verification
This article provides a configuration example to set up SSL VPN in tunnel mode with split-tunneling on a FortiGate unit running FortiOS firmware version 5.0 and 5.2.
Applies to: a FortiGate unit or VDOM in NAT mode, running FortiOS firmware version 5.0 or 5.2.
The following network diagram illustrates this example:
PC1 -- Internet -- port1 [ FortiGate ] port2 ---- [ internal resources ] -- Server
                   192.168.140.124      10.129.0.124   10.129.0.(110-254)      10.129.0.114
The requirements are:
PC1 should access all internal resources via the SSL VPN gateway in tunnel mode. PC1 should access all other Internet destinations via its local gateway.
To fulfill this last requirement, split-tunneling will be enabled.
Only the relevant parts of the configuration are provided, in CLI form.
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set end-ip 10.212.134.210
        set start-ip 10.212.134.200
    next
    edit "port2_Internal_resources"
        set type iprange
        set end-ip 10.129.0.140
        set start-ip 10.129.0.110
    next
end
On Version 5.0
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end

config user local
    edit "test"
        set type password
        set passwd 123456
    next
end

config user group
    edit "test_ssl"
        set member "test"
    next
end

config vpn ssl web portal
    edit "tunnel-access"
        config widget
            edit 1
                set name "Tunnel Mode"
                set type tunnel
                set split-tunneling enable
                set ip-pools "SSLVPN_TUNNEL_ADDR1"
                set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
            next
            edit 2
                set name "Session Information"
                set type info
            next
        end
    next
end

config router static
    edit 2
        set device "ssl.root"
        set dst 10.212.134.0 255.255.255.0
    next
end

config firewall policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "port2_Internal_resources"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "test_ssl"
                set service "ALL"
                set sslvpn-portal "tunnel-access"
            next
        end
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "port2_Internal_resources"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
On Version 5.2 onwards
config firewall address
    edit "Internal_subnet"
        set uuid 0a22b0ce-c166-51e4-c063-cfa0873cfecb
        set associated-interface "port2"
        set subnet 10.129.0.0 255.255.254.0
    next
end
config user local
    edit "test"
        set type password
        set passwd-time 2015-01-02 03:29:25
        set passwd 123456
    next
end
config user group
    edit "test_SSL"
        set group-type firewall
        set authtimeout 0
        set auth-concurrent-override disable
        set http-digest-realm ''
        set member "test"
    next
end

config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "test_SSL"
            set portal "full-access"
        next
    end
end

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set mac-addr-check enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "Internal_subnet"
        set page-layout double-column
        config mac-addr-check-rule
            edit "1"
                set mac-addr-list 00:98:12:fe:3e:12
            next
        end
    next
end

config router static
    edit 2
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

config firewall policy
    edit 2
        set uuid 0f6ddc5c-c166-51e4-ef47-01fba69ab5ca
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "test_SSL"
        set nat enable
    next
end
The firewall policy can also be created while configuring the SSL VPN settings; for more information, refer to the following video: https://video.fortinet.com/video/110/ssl-vpn-for-remote-users-5-2
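A consistency check that a defender can run over a configuration like the one above, added here as an example (it is not Fortinet code and not part of the original article): it parses FortiOS-style CLI text into a nested dictionary and confirms that every accept policy from ssl.root permits exactly the addresses the portal routes into the tunnel, flagging a policy that allows "all". SAMPLE_52 is a constructed excerpt using the 5.2 object names from this article.

```python
# Added audit example (not Fortinet code). Assumes the 5.2-style CLI layout
# shown above: portal split-tunneling-routing-address vs ssl.root policy dstaddr.
import shlex

def parse_fortios(text):
    """Nested dict from FortiOS config/edit/set/next/end blocks."""
    stack = [{}]
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        kw, args = tokens[0], tokens[1:]
        if kw == "config":            # open a table, e.g. "firewall policy"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":            # open one entry of that table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":             # multi-word values (e.g. a subnet) stay a list
            stack[-1][args[0]] = args[1:] if len(args) > 2 else args[1]
        elif kw in ("next", "end"):   # close the entry / the table
            stack.pop()
    return stack[0]

# Constructed sample using the article's 5.2 names (address objects omitted).
SAMPLE_52 = """config vpn ssl web portal
edit "full-access"
set split-tunneling-routing-address "Internal_subnet"
next
end
config firewall policy
edit 2
set srcintf "ssl.root"
set dstaddr "Internal_subnet"
set action accept
next
end
"""

def audit_split_tunnel(cfg, portal):
    """Findings when ssl.root accept policies allow more than the portal routes."""
    as_set = lambda v: set(v) if isinstance(v, list) else {v}
    routed = cfg["vpn ssl web portal"][portal].get("split-tunneling-routing-address")
    if routed is None:
        return ["portal %s has no split-tunneling-routing-address" % portal]
    routed, findings = as_set(routed), []
    for pid, pol in cfg["firewall policy"].items():
        if pol.get("srcintf") != "ssl.root" or pol.get("action") != "accept":
            continue
        dst = as_set(pol["dstaddr"])
        if "all" in dst:
            findings.append("policy %s lets VPN clients reach 'all'" % pid)
        elif dst != routed:
            findings.append("policy %s dstaddr %s != routed %s" % (pid, sorted(dst), sorted(routed)))
    return findings
```

Feed it the output of `show full-configuration` (or the relevant `show` sections) to run the same check against a live unit.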
1 - Open the SSL VPN portal: https://192.168.140.124:10443
2 - Log in and click on "Tunnel Mode" --> "Connect". The tunnel link status should be "UP".
3 - Check the FortiSSL interface status on PC1:
    C:\Documents and Settings\xxxxx>ipconfig /all
Note here that 10.129.0.0/24 is pointing to the FortiGate SSL VPN gateway, while the default route still uses the local default gateway.
This KB article should be maintained by: TAC/TAC-L3
Articles with very similar or duplicate content exist: none
Content of this KB article could be integrated to another article: none
Is this article relevant to currently supported product versions: yes
What currently supported versions is this article relevant to: 4.3/5.0 <- sniffer portion relevant for 5.0, the configuration portion only relevant for 4.0
Is this article ONLY relevant to non-supported versions: no
If this article was written for an unsupported version, can it be modified/updated for a supported one: yes/no
Is this topic already documented in TechDocs: partially; SSL VPN configuration steps are in the tech docs
Do you propose this article to be discontinued/moved to internal KB area: NO - still relevant for 4.0
Article was rewritten, as a result of this evaluation: no
Changes done: NA
Other remarks and recommendations: A 5.0 CLI oriented document should be created.
Date this article was evaluated: 2013-05-01
Evaluated by: Don Kempt, email@example.com, TAC L1