minghl37
New Member
June 24, 2016
Question

SSL VPN Tunneling

  • June 24, 2016
  • 4 replies
  • 8819 views

I am looking to configure an SSL VPN tunnel for web browsing while traveling, on firmware v4.0 MR3 Patch 18. I am able to connect with FortiClient (confirmed in the client and in the SSL-VPN Monitor), but when trying to reach any address (e.g. www.google.com), nothing gets through.


I have configured the following:

1) User Group: Allow SSL-VPN Access = full-access (this just selects the web portal, right?) with Member(s) added.

2) Static Route: Destination IP/Mask = 10.212.134.0/255.255.255.0 (SSLVPN_TUNNEL_ADDR1), Device = ssl.root

3a) Policy ssl.root -> wan1: Source = sslvpn tunnel interface/SSLVPN_TUNNEL_ADDR1, Destination = wan1/all, Action = ACCEPT, No NAT

3b) Policy wan1 -> ssl.root: Source = wan1/all, Destination = sslvpn tunnel interface/SSLVPN_TUNNEL_ADDR1, Action = SSL-VPN, User Group = ssl-tunnel


What am I missing? Thank you in advance!

    4 replies

    Toshi_Esumi
    SuperUser
    June 24, 2016

    Need a NAT for ssl.root->wan1.

    minghl37 (Author)
    New Member
    June 25, 2016

    Same results if I "Enable NAT" with "Use Destination Interface Address" (cannot select Use Dynamic IP Pool). No traffic gets through.

    Toshi_Esumi
    SuperUser
    June 25, 2016

    It's been a while since we were using 4.3.18 (3 years ago), and the SSL VPN config has changed quite a bit with 5.0 and then 5.2, so I don't remember it well. But I would start debugging with traceroute from the client and sniffing at the FG, then eventually flow debugging at the FG to see why it drops, if it's reaching the FG. I would guess it's a simple policy or routing issue.

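    As an added example (not from the thread or from Fortinet), this is the CLI equivalent of the poster's static route and ssl.root -> wan1 policy with the NAT change from the first reply, followed by the sniffer and flow-trace commands suggested in the second. The syntax is FortiOS 5.x style and may differ on 4.0 MR3; the client tunnel address 10.212.134.200 and the policy numbering are assumed.

```fortios
# Constructed FortiOS config; object names follow the forum post.
# Assumption: FortiOS 5.x CLI syntax, which may differ on 4.0 MR3.

# 2) Return route for the SSL VPN address pool via the ssl.root interface
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end

# 3a) Egress policy ssl.root -> wan1. With NAT disabled ("No NAT" in the
# post) packets leave wan1 with the client's 10.212.134.x source address,
# which upstream routers cannot return to. "set nat enable" rewrites the
# source to the wan1 interface address (the GUI's "Use Destination
# Interface Address" option).
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verification from the FortiGate CLI. The sniffer shows whether the
# client's packets (assumed tunnel IP 10.212.134.200) arrive on ssl.root
# and leave wan1 with a translated source; the flow trace shows which
# policy or route decision drops them if they do not.
diagnose sniffer packet any 'host 10.212.134.200' 4 0
diagnose debug flow filter addr 10.212.134.200
diagnose debug flow trace start 100
diagnose debug enable
```

    If the sniffer shows packets entering ssl.root but never leaving wan1, the flow trace output names the policy or route that rejected them.
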
    rwpatterson
    New Member
    June 25, 2016

    Are you trying to use split tunneling where Internet traffic goes out the remote Internet path, or do you want the Internet traffic to pass through the tunnel and out the HQ FGT?

    minghl37 (Author)
    New Member
    June 26, 2016

    Not looking to split tunnel, just pass all internet traffic through tunnel and out HQ FGT.