Ali426
New Member
April 12, 2018
Question

Remote access vpn - ssl tunnel mode vs ipsec tunnel

  • April 12, 2018
  • 2 replies
  • 51877 views

What is the difference between remote-access IPsec VPN and SSL VPN (tunnel mode)? As I understand it, SSL provides layer 7 security with web mode, and L3 security with tunnel mode.


    ede_pfau
    SuperUser
    April 12, 2018

    You can use SSLVPN client-less, that is, from any browser, this is called web mode or portal mode. The portal only supports some protocols as proxy which might or might not meet your needs.

    Then, you can install SSLVPN in tunnel mode which allows you to use any protocol. On the remote side you need the (free) FortiClient software for this.

    SSLVPN has a much higher impact on the FGT's CPU as it cannot be offloaded onto a hardware acceleration chip. You find the recommended maximum SSL VPN users for each model in the Maximum Values table available on docs.fortinet.com.

    IPsec on the other hand is typically used for site-to-site tunnels but is suitable for host-to-site settings as well. You will always need a software client for IPsec on the host, which in this case could again be the FortiClient. All protocols are supported across the tunnel.

    I personally prefer IPsec remote dialin as it scales far further than SSLVPN. Even the smallest desktop FGT can sustain dozens of IPsec tunnels without problems.

    The only scenario where SSLVPN is superior is when the remote user is located in, for instance, a hotel. Some hotel Wifi/LANs do not permit non-standard ports (for no reason at all). IPsec at least needs UDP ports 500 and 4500 outbound to work. In this case, SSLVPN (using the HTTPS port 443) is the only way out. Luckily, you can configure both and let your users use SSLVPN as a fallback. You can even reuse the user group for both kinds of VPN.
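    As an added illustration of the "configure both and reuse the user group" point above (this is not from the original post, and it is not Fortinet's own documentation), the following FortiOS CLI script attaches one local user group to both an IKEv2 dialup phase1 and an SSL VPN authentication rule, so a user who cannot get UDP 500/4500 out can fall back to SSL VPN on TCP 443 with the same credentials. Every name in it (`vpn_users`, `alice`, `dialup_ipsec`, `wan1`, `internal`, `lan_subnet`, `vpn_gateway_cert`) and every secret is a placeholder, and the syntax follows FortiOS 6.x as I know it; check the option names against the firmware actually running before applying.

```fortios
# Added example: one user group shared by IPsec dialup and SSL VPN.
# All names, addresses and secrets below are placeholders.

config user local
    edit "alice"
        set type password
        set passwd "<replace-with-strong-password>"
    next
end

config user group
    edit "vpn_users"
        set member "alice"
    next
end

# IKEv2 dialup phase1: remote users authenticate with EAP against vpn_users.
config vpn ipsec phase1-interface
    edit "dialup_ipsec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set dpd on-idle
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set eap enable
        set eap-identity send-request
        set authusrgrp "vpn_users"
        set psksecret "<replace-with-strong-psk>"
    next
end

config vpn ipsec phase2-interface
    edit "dialup_ipsec_p2"
        set phase1name "dialup_ipsec"
        set proposal aes256-sha256
    next
end

# SSL VPN on 443 as the fallback path; the same group maps to a portal.
# servercert should be a CA-issued certificate, not the factory self-signed one,
# so clients can detect an interposed appliance.
config vpn ssl settings
    set servercert "vpn_gateway_cert"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    set port 443
    config authentication-rule
        edit 1
            set groups "vpn_users"
            set portal "full-access"
        next
    end
end

# Firewall policies: restrict both tunnels to the same internal destination.
config firewall policy
    edit 10
        set name "ipsec-dialup-to-lan"
        set srcintf "dialup_ipsec"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "lan_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "lan_subnet"
        set groups "vpn_users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

    The `lan_subnet` address object and `vpn_gateway_cert` certificate are assumed to exist already; `service "ALL"` is kept only to keep the fragment short and should be narrowed to the services remote users actually need. Because both policies reference `vpn_users`, adding or removing a member changes access for both VPN types at once, which is the operational advantage the post describes.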

    emnoc
    New Member
    April 12, 2018

    Okay, two reasons: SSLVPN is ideal when you don't want to offer a remote client to various host OSes, or you only need a web-portal-only setup.

    IPsec is well supported and most devices have a native IPsec client (iPhone, Android, Windows, macOS, Linux), so it's an open standard and does not require an SSLVPN unique-vendor client, or IPsec clients are freely available.

    The problems you will encounter with both are access from remote networks outside of your domain:

    1: some might not allow IPsec, as Ede pointed out (protocol 50 and IKE could be blocked)

    2: some might have a local http/https proxy which will break SSLVPN tunnel-mode (again, transparent or explicit proxies or even URL categorization policies)

    3: IPsec dynamic tunnels are more immune against MiTM, whereas SSLVPN web-mode or even tunnel-mode could easily be MiTMed, unknown to the end users

    4: Since more individuals are trusting of the CA model and most SSLVPN deployments do not install a CA-trusted cert (the self-signed Fortinet cert for example), they would have no knowledge if they are MiTMed or tampered with by some unknown appliance (in regards to #4)

    You pick your options and go with what you need. SSLVPN will also be more process intensive than IPsec imho. So if you had 50 IPsec dynamic tunnels vs 50 SSLVPN tunnels, the latter, based on my experience, will always consume more CPU/memory.

    Things to consider:

    1: what end-points need remote access

    2: do you need only portal like access

    3: do you need to assign and tunnel traffic

    4: do all of the end-points support SSLVPN tunnel-mode, and does a client exist (OS support)

    5: do you need any of the other security features of the FortiClient

    6: do you need to enforce policy for the remote client (again, the FortiClient does this or has that allowance)

    7: do you need CA-issued certs

    8: do you need mutual client-side-cert

    9: do you need MFA or hybrid authentication

    10: can you risk a MiTM device between vpn-gw and "remote client"

    One is not always better than the other, so always research your needs, goals, requirements ;)

    Toshi_Esumi
    SuperUser
    April 12, 2018

    A couple of things I want to comment in addition to Ede's and Ken's:

    -Tunnel mode SSL VPN is available only with FortiClient, starting from some point in the past due to a vulnerability issue, if I remember correctly.

    -From the user's aspect, only one IPsec VPN can be established from one source IP. You can't set two IPsecs up behind the same NAT, like two employees at the same hotel trying to set up a VPN from their laptops. Only one comes through. With SSL VPN, it doesn't matter.

    EEHC
    Explorer III
    April 5, 2022

    Quote from https://www.onlc.com/blog/comparing-ipsec-vs-ssl-vpns/#:~:text=The%20main%20difference%20between%20IPsec,or%20application%20on%20the%20network.

    "The main difference between IPsec and SSL VPNs is the endpoints for each protocol. While an IPsec VPN allows users to connect remotely to an entire network and all its applications, SSL VPNs give users remote tunneling access to a specific system or application on the network. Choosing the right application comes down to a balance of convenience for the end-user and security for the organization. With SSL VPNs, if a bad actor gains control of the tunnel they have access to only the specific application or operating systems that the SSL is connected to. IPsec protocol, while secured with encryption as part of the TCP/IP suite, can give hackers full access to an entire corporate network if access is gained."