Technical Note: Configuration example for SSL VPN gateway in tunnel mode for multiple customers
Purpose
This article describes a solution where multiple customers each require their own SSL VPN portal in tunnel mode in order to access their internal resources.
Scope
SSL VPN
Diagram

Expectations, Requirements
Customer1 and Customer2 each need a customized SSL VPN portal allowing tunnel mode. They need to access the resources located behind their respective VDOMs. Split-tunneling is required.
A perimeter VDOM (the default root VDOM) is used for the Internet connection and SSL VPN termination. Inter-VDOM links carry traffic from the perimeter VDOM to the Customer VDOMs.
Configuration
root VDOM configuration framework:
- SSL VPN IP Pool for each Customer
- SSL VPN portals
- Users and Users groups with assignment to respective SSL VPN portal
- SSL VPN firewall policy (identity based)
- Firewall policies for traffic between root VDOM and Customer VDOMs via the inter-VDOM links
- Static routes towards the virtual SSL VPN interface
- Static routes towards the Customer's subnets
Customer VDOM configuration framework:
- Static routes towards the SSL VPN IP Pools subnets
- Firewall policies for traffic between root VDOM and Customer VDOM via the inter-VDOM links
The Customer VDOM configuration is not provided here since it contains only standard routing and firewall policy settings.
root VDOM configuration
FGT (root) # show firewall address
config firewall address
edit "SSLVPN_TUNNEL_cust1"
set subnet 10.20.20.0 255.255.255.240
next
edit "SSLVPN_TUNNEL_cust2"
set subnet 10.20.20.16 255.255.255.240
next
edit "cust1-vlan"
set subnet 172.10.1.0 255.255.255.0
next
edit "cust2-vlan"
set subnet 172.20.2.0 255.255.255.0
next
end
FGT (root) # show vpn ssl settings
config vpn ssl settings
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" "SSLVPN_TUNNEL_cust1" "SSLVPN_TUNNEL_cust2"
end
FGT (root) # show vpn ssl web portal Portal1
config vpn ssl web portal
edit "Portal1"
set heading "Welcome to SSL VPN Customer1"
set page-layout double-column
config widget
edit 4
set name "Session Information"
set type info
next
edit 1
set name "Bookmarks"
set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
next
edit 3
set name "Tunnel Mode"
set type tunnel
set tunnel-status enable
set split-tunneling enable
set ip-pools "SSLVPN_TUNNEL_cust1"
next
edit 2
set name "Connection Tool"
set type tool
set allow-apps web ftp smb telnet ssh vnc rdp ping citrix rdpnative portforward
next
end
next
end
FGT (root) # show vpn ssl web portal Portal2
config vpn ssl web portal
edit "Portal2"
set heading "Welcome to SSL VPN Customer2"
set page-layout double-column
config widget
edit 4
set name "Session Information"
set type info
next
edit 3
set name "Tunnel Mode"
set type tunnel
set tunnel-status enable
set split-tunneling enable
set ip-pools "SSLVPN_TUNNEL_cust2"
next
end
next
end
FGT (root) # show user local
config user local
edit "customer1"
set type password
set passwd ENC Lm1RcvRBCJCDnnM1AX1zqnfr7tXMJFfrIZr18L6P+gHjLBjbuoGk/jmGZbggBEJnb3+S6XYUf5m7YfNnHQNenYI6itWcR5SLm098bqqO+DCBboXo
next
edit "customer2"
set type password
set passwd ENC QOAlC3B2fKsrp12v+SkT7CWyiJRUlJ7KRrhuVPNpxn3R3Hycx7M//91SRUAU98z9cxMTb78kUiw9aHOpIOnQtTgVPF9iYaPCMhDQA/NxoICCnZ5P
next
end
FGT (root) # show user group
config user group
edit "portal1-users"
set sslvpn-portal "Portal1"
set member "customer1"
next
edit "portal2-users"
set sslvpn-portal "Portal2"
set member "customer2"
next
end
FGT (root) # show router static
config router static
edit 5
set device "ssl.root"
set dst 10.20.0.0 255.255.0.0
next
edit 6
set device "VDL-Cust10"
set dst 172.10.1.0 255.255.255.0
next
edit 7
set device "VDL-Cust20"
set dst 172.20.2.0 255.255.255.0
next
end
FGT (root) # show firewall policy
config firewall policy
edit 8
set srcintf "ssl.root"
set dstintf "VDL-Cust10"
set srcaddr "SSLVPN_TUNNEL_cust1"
set dstaddr "cust1-vlan"
set action accept
set schedule "always"
set service "ANY"
next
edit 9
set srcintf "ssl.root"
set dstintf "VDL-Cust20"
set srcaddr "SSLVPN_TUNNEL_cust2"
set dstaddr "cust2-vlan"
set action accept
set schedule "always"
set service "ANY"
next
edit 10
set srcintf "port1"
set dstintf "VDL-Cust10"
set srcaddr "all"
set dstaddr "cust1-vlan"
set action ssl-vpn
set identity-based enable
config identity-based-policy
edit 1
set schedule "always"
set groups "portal1-users"
set service "ANY"
next
end
next
edit 11
set srcintf "port1"
set dstintf "VDL-Cust20"
set srcaddr "all"
set dstaddr "cust2-vlan"
set action ssl-vpn
set identity-based enable
config identity-based-policy
edit 1
set schedule "always"
set groups "portal2-users"
set service "ANY"
next
end
next
end
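Before onboarding a further tenant it is worth checking mechanically that each customer's tunnel pool can reach only its own VLAN through the root VDOM. The script below is an added example, not part of the original note or FortiOS itself: it parses "show" output of the form above into nested dicts (parser and sample are constructed here, the sample condensed from this note's root VDOM configuration) and reports overlapping tunnel pools or any accept policy from ssl.root that lets one customer's pool reach another customer's address object.

```python
import shlex
from itertools import combinations
from ipaddress import ip_network
def parse_fortios(text):
    # Nested dicts keyed by 'config ...' / 'edit ...' names; 'set' values are token lists.
    root, stack = {}, []
    cur = root
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            cur = stack.pop()
    return root

def isolation_issues(cfg, tenants):
    # tenants: {tunnel pool object: the single customer object it is allowed to reach}.
    issues, addr = [], cfg["firewall address"]
    nets = {p: ip_network("/".join(addr[p]["subnet"])) for p in tenants}
    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            issues.append(f"pool overlap: {a} / {b}")
    reach = {}  # pool object -> destinations reachable via accept policies from ssl.root
    for pol in cfg["firewall policy"].values():
        if pol.get("action") == ["accept"] and "ssl.root" in pol.get("srcintf", []):
            for src in pol["srcaddr"]:
                reach.setdefault(src, set()).update(pol["dstaddr"])
    for pool, own in tenants.items():
        for dst in sorted(reach.get(pool, set()) - {own}):
            issues.append(f"{pool} may reach {dst}, expected only {own}")
    return issues

# Constructed sample, condensed from the note's root VDOM configuration above.
SAMPLE = "\n".join([
    "config firewall address",
    'edit "SSLVPN_TUNNEL_cust1"', "set subnet 10.20.20.0 255.255.255.240", "next",
    'edit "SSLVPN_TUNNEL_cust2"', "set subnet 10.20.20.16 255.255.255.240", "next",
    'edit "cust1-vlan"', "set subnet 172.10.1.0 255.255.255.0", "next",
    'edit "cust2-vlan"', "set subnet 172.20.2.0 255.255.255.0", "next", "end",
    "config firewall policy",
    "edit 8", 'set srcintf "ssl.root"', 'set srcaddr "SSLVPN_TUNNEL_cust1"',
    'set dstaddr "cust1-vlan"', "set action accept", "next",
    "edit 9", 'set srcintf "ssl.root"', 'set srcaddr "SSLVPN_TUNNEL_cust2"',
    'set dstaddr "cust2-vlan"', "set action accept", "next", "end",
])
TENANTS = {"SSLVPN_TUNNEL_cust1": "cust1-vlan", "SSLVPN_TUNNEL_cust2": "cust2-vlan"}
```

Run isolation_issues(parse_fortios(SAMPLE), TENANTS) against a fresh "show" dump whenever a policy or pool is added; an empty list means the tenants are still separated.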
Verification
Customer1 accessing Portal1:
Windows IP Configuration
PPP adapter fortissl:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.20.20.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.254 192.168.171.180 20
10.20.20.1 255.255.255.255 On-link 10.20.20.1 276
172.10.1.0 255.255.255.0 10.20.20.2 10.20.20.1 20
C:\Users\>ping 172.10.1.1
Pinging 172.10.1.1 with 32 bytes of data:
Reply from 172.10.1.1: bytes=32 time=13ms TTL=254
Reply from 172.10.1.1: bytes=32 time=1ms TTL=254
Reply from 172.10.1.1: bytes=32 time=1ms TTL=254
Customer2 accessing Portal2:
Windows IP Configuration
PPP adapter fortissl:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.20.20.17
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.254 192.168.171.180 20
10.20.20.17 255.255.255.255 On-link 10.20.20.17 276
172.20.2.0 255.255.255.0 10.20.20.18 10.20.20.17 20
C:\Users\>ping 172.20.2.1
Pinging 172.20.2.1 with 32 bytes of data:
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254