Hello,
I've deployed an active/passive FortiGate VM setup on AWS via Terraform. FortiClient end users are going to use the VPN feature to connect into services hosted within the AWS environment. These devices are posture checked by FortiClient EMS Cloud hosted by Fortinet.
When initially setting up the FortiGate VMs, the only VPN option available was an "IPSec" VPN, and the SSL option couldn't be activated via the Feature Visibility section. After some Googling it was possible to activate this section via the CLI. I now have "SSL-VPN Portal", "SSL-VPN Settings", and "SSL-VPN Clients".
My question is: Are there any recommendations to use SSL over IPSec? What are the pros and cons of both?
Thanks in advance,
Ben
Hi Ben,
As you are using the FortiClient EMS Cloud functionality, it would be good to have a look at ZTNA. That will allow you to have a checked client access resources using the HTTPS access proxy.
https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/45836/ssl-vpn-to-ipsec-vpn
SSL VPN with the portal is web-based access to resources. The endpoint checks from FortiClient are not included in this setup. Besides the clientless nature of the SSL-VPN for certain applications, the more secure way is to use ZTNA and/or IPSec using FortiClient.
Joeri
Hi Joeri,
Thank you for your reply. Am I correct in saying that for IPSec tunnels, using IKEv2 isn't possible if you're trying to connect using LDAPS credentials as well as a client certificate? I've got the IPSec connection working on IKEv1, but I can't get it working on IKEv2.
Thanks,
Ben