Technical Tip: Source IP Pool Behavior in the SSL VPN Portal
Description
This article describes the behavior of the source IP pool in the SSL VPN portal.
Scope
FortiGate.
Solution
When configuring the SSL VPN portal, a source IP pool is specified under the Tunnel Mode settings. When a source IP pool is defined, a corresponding route is automatically added to the kernel, directing traffic for those addresses to ssl.root, as shown in the following examples:
Example 1: Default configuration. The SSL VPN portal source IP pool is set to SSLVPN_TUNNEL_ADDR1, which ranges from 10.212.134.200 to 10.212.134.210. The range appears in the kernel as three routes (/29, /31 and /32) that together cover it.
photon-kvm38 # get router info kernel | grep ssl
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
Example 2: A subnet of 1.1.1.1/32 has been added to the Source IP Pool for testing purposes.

photon-kvm38 # get router info kernel | grep ssl
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->1.1.1.1/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root) <<<<< route pushed to kernel
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
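
Because every pool entry becomes a kernel route to ssl.root, the kernel output can be audited against the pools that are meant to be configured. The following Python script is an added example, not part of the original article or of any Fortinet tooling: it splits each approved range into CIDR blocks, as seen in Example 1, and reports ssl.root routes outside those blocks. The function names and the APPROVED list are assumptions; the sample routes are copied from Example 2 with the annotation removed.

```python
import ipaddress
import re

# Destination prefix of a `get router info kernel` line whose device is ssl.root.
ROUTE_RE = re.compile(r"->(\d+\.\d+\.\d+\.\d+/\d+)\s.*dev=\d+\(ssl\.root\)")

def pool_to_cidrs(first, last):
    """Split an address range into the minimal CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def ssl_root_routes(kernel_output):
    """Return the destination networks of kernel routes pointing to ssl.root."""
    routes = []
    for line in kernel_output.splitlines():
        match = ROUTE_RE.search(line)
        if match:
            routes.append(ipaddress.ip_network(match.group(1)))
    return routes

def audit(kernel_output, pools):
    """Compare installed ssl.root routes with the approved pools.

    pools is a list of (first_ip, last_ip) tuples.
    Returns (unexpected, missing) as sorted lists of networks.
    """
    expected = {net for first, last in pools
                for net in pool_to_cidrs(first, last)}
    installed = set(ssl_root_routes(kernel_output))
    return sorted(installed - expected), sorted(expected - installed)

# Kernel routes copied from Example 2 on this page.
SAMPLE = """\
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->1.1.1.1/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.200/29 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->10.212.134.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=17(ssl.root)
"""

# Assumption: the only pool that should exist is SSLVPN_TUNNEL_ADDR1.
APPROVED = [("10.212.134.200", "10.212.134.210")]

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE, APPROVED)
    for net in unexpected:
        print(f"ssl.root route outside approved pools: {net}")
    for net in missing:
        print(f"approved pool block with no ssl.root route: {net}")
```

Run against Example 2, the script reports 1.1.1.1/32 as the only route outside the approved pool.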