djwilliams
New Member
May 11, 2015
Solved

FortiOS 5.2.X - Tunnel mode SRC IP configuration

  • May 11, 2015
  • 1 reply
  • 9486 views

When configuring an SSLVPN in tunnel mode, why do we have to specify source IP information in the VPN > SSL > SETTINGS screen under Tunnel Mode Client Settings as well as in VPN > SSL > PORTALS in the Source IP Pools field when checking Enable Tunnel Mode?

 

If I don't get an answer, I will lab it up and find out, but I'm hoping to save some time. I suspect it has to do with Authentication/Portal Mapping, but I would like some confirmation on that.

 

Does the settings config assign the IP ranges that WILL be used when a tunnel-mode client connects, and is the Portal setting used separately to define configuration sent to the FortiClient for remote policy definition?

 

Are they purely redundant configuration fields?

 

Does one setting just give you more granular control over assigned IPs for specific users/groups? I.e., does the IP pool in the portal config trump the IP Ranges value in the settings config? (This would seem silly to me, since you have to define a portal even if it is just in the All Other Users/Groups portal mapping field.)

1 reply

emnoc (Best answer)
New Member
May 11, 2015

I don't know if they are redundant, but I believe you need the settings if you want to achieve a different src pool for tunnel-mode and portal clients. And yes, whatever is under the main cfg is trumped by the portal definitions.

 

e.g. my web portal:

 

config vpn ssl web portal
    edit "socgroup012"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_012GROUP"
        set split-tunneling disable
        set ipv6-pools "SSLVPN_IPv6_012GROUP"
    next
end

 

and here's my main cfg:

 

config vpn ssl settings
    set sslv3 disable
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 8767
    set source-interface "wifi"
    set source-address "all"
    set source-address6 "all"
    set default-portal "default"
    config authentication-rule
        edit 1
            set groups "SSL1"
            set portal "socgroup012"
        next
    end
end

So I believe, if you look at it: "yes, it's redundant".

 

What I do know is that if you remove the main tunnel-mode cfg src pool address, the user will still work and be assigned a client address via the src_ip_pool defined for the specific portal.

 

 

 

djwilliams
New Member
May 11, 2015

That is excellent information!  Enough for me to move forward with my documentation.  The audience for the docs I'm writing wouldn't understand a more detailed explanation anyway.  :)

 

Of course my curiosity is piqued, so if I can find a few minutes in the day I think I will lab up a couple of scenarios. I would really like an answer from the developers as to what the thought was here, or whether it was a missed holdover from old code. Perhaps a query to my SE is in order.

 

Thank you!!

localhost
Visitor III
December 15, 2015

I know this is kind of an old thread, but I was wondering the same thing.

 

My lab test confirms that the IP pool in the portal settings has precedence over the global VPN SSL settings when using tunnel mode. But if I use the web portal to access the internal network, it will use the web portal's external IP address as the source IP.

So it's still not clear to me when the IP pool in the global VPN settings is actually used.

 

But what really makes me wonder: why is there no route visible to the ssl.root interface? Shouldn't there be a connected entry in the routing table? "get router info routing-table detail" doesn't show me the expected entry.
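Editor's note: the precedence emnoc describes and localhost confirms in the lab above (portal ip-pools trumps the global tunnel-ip-pools, groups reach a portal through authentication-rule, everyone else through default-portal) is the kind of thing worth checking across a whole config rather than by reading it. The script below is an added example, not code from this thread or from Fortinet. It parses FortiOS CLI text in the shape emnoc posted, reports which pool each group actually draws from, and flags pool objects whose subnets overlap (two portals handing out the same client addresses). Assumptions: the "contractors" portal, the group names other than SSL1, and every subnet are constructed for the example (the thread names the pool objects but not their subnets), and a tunnel-mode portal with no ip-pools is assumed to fall back to the global pool, which the thread does not test.

```python
"""Audit which SSL VPN address pool each FortiOS user group lands in.

Added example, not from the forum thread or from Fortinet. Encodes the
precedence the thread establishes: a portal's ip-pools wins over
tunnel-ip-pools in "config vpn ssl settings"; users reach a portal via
authentication-rule, otherwise default-portal. ASSUMPTION: a tunnel-mode
portal with no ip-pools falls back to the global pool. All subnets, the
"contractors" portal and the group names other than SSL1 are constructed.
"""
import ipaddress
import shlex

SAMPLE_CONFIG = """
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "SSLVPN_012GROUP"
        set subnet 10.212.12.0 255.255.255.0
    next
    edit "SSLVPN_CONTRACTORS"
        set subnet 10.212.134.128 255.255.255.128
    next
end
config vpn ssl web portal
    edit "default"
        set tunnel-mode enable
        set web-mode enable
    next
    edit "socgroup012"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_012GROUP"
        set split-tunneling disable
    next
    edit "contractors"
        set tunnel-mode enable
        set ip-pools "SSLVPN_CONTRACTORS"
    next
end
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set default-portal "default"
    config authentication-rule
        edit 1
            set groups "SSL1"
            set portal "socgroup012"
        next
        edit 2
            set groups "Contractors"
            set portal "contractors"
        next
    end
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: config -> edit -> {key: [values]}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # honours the quoted object names
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def portal_for_group(cfg, group):
    """First matching authentication-rule (lowest id) wins; otherwise default-portal."""
    settings = cfg["vpn ssl settings"]
    rules = settings.get("authentication-rule", {})
    for rule_id in sorted(rules, key=int):
        if group in rules[rule_id].get("groups", []):
            return rules[rule_id]["portal"][0]
    return settings["default-portal"][0]


def effective_pools(cfg, group):
    """Return (portal, where, pools); where is 'portal', 'settings' or None for web mode only."""
    name = portal_for_group(cfg, group)
    portal = cfg["vpn ssl web portal"][name]
    if portal.get("tunnel-mode", ["disable"])[0] != "enable":
        return name, None, []                       # web mode: no client tunnel address
    if portal.get("ip-pools"):
        return name, "portal", portal["ip-pools"]   # portal pool trumps the global one
    # ASSUMPTION: an empty portal pool falls back to the global tunnel-ip-pools
    return name, "settings", cfg["vpn ssl settings"].get("tunnel-ip-pools", [])


def overlapping_pools(cfg):
    """Pairs of pool objects whose subnets overlap: two clients could share an address."""
    names = set(cfg["vpn ssl settings"].get("tunnel-ip-pools", []))
    for portal in cfg["vpn ssl web portal"].values():
        names.update(portal.get("ip-pools", []))
    addr = cfg["firewall address"]
    nets = {n: ipaddress.ip_network("/".join(addr[n]["subnet"])) for n in sorted(names)}
    order = list(nets)
    return [(a, b) for i, a in enumerate(order)
            for b in order[i + 1:] if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for group in ("SSL1", "Contractors", "Guests"):
        print(group, "->", effective_pools(cfg, group))
    print("overlapping pools:", overlapping_pools(cfg))
```

Run against a real "show full-configuration" dump, the overlap report is the part worth keeping: the pool-precedence rule is harmless on its own, but a per-portal pool carved out of the same range as the global tunnel-ip-pools gives two clients the same address the moment both portals are in use.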