FortiGate
saleha
Staff
Article Id 259443
Description

This article describes the scenario where a site connects the Windows native VPN client to a VPN server located behind the FortiGate. The connection uses the Secure Socket Tunneling Protocol (SSTP), and a Virtual IP (VIP) on the FortiGate maps the external IP address to the real IP of the VPN server.

 

Scope

Example: [diagram image not reproduced]

 

Solution

Since SSTP runs over TCP port 443, create the VIP with port forwarding for TCP port 443, as shown below:

[Figure: VIP object in the GUI with port forwarding enabled, external port 443 mapped to port 443]

To configure the same from the CLI:

 

config firewall vip
    edit "vpn_server"
        set uuid 4ea60688-ff10-51ed-a4e9-d386e648173b
        set extip 12.12.12.12
        set mappedip "192.168.1.10"
        set extintf "any"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

 

The next step is to create the firewall policy for the incoming traffic. Because the VIP only forwards TCP port 443, the service can be narrowed to HTTPS instead of ALL if a tighter policy is preferred:

config firewall policy
    edit 6
        set name "VPN_Policy"
        set uuid 851e6bbc-fe55-51ed-5b26-44704d519ee2
        set srcintf "wan"
        set dstintf "lan"
        set action accept
        set srcaddr "all"
        set dstaddr "vpn_server"
        set schedule "always"
        set service "ALL"
    next
end

 

To monitor the solution, a simple sniffer command should be sufficient (verbose level 4 prints each packet header with its interface name, a count of 0 keeps capturing until stopped with Ctrl-C, and l prints local-time timestamps):

diagnose sniffer packet any "host <server real ip> and port 443" 4 0 l
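As an added example, not part of the article: a small Python parser that reads the output of that sniffer command and reports, per client connection, whether the SYN was forwarded to the VPN server and whether the server answered, which is the question this monitoring step is meant to settle. The sample output, the client address 203.0.113.5 and the interface name lan are constructed; the line layout assumes verbose level 4 with the l timestamp option shown above.

```python
import re

# Constructed sample (not a real capture) of what the article's command
#   diagnose sniffer packet any "host 192.168.1.10 and port 443" 4 0 l
# prints while a Windows client (placeholder 203.0.113.5) starts SSTP. The filter names
# the server's real IP, so only LAN-side packets (after the VIP has rewritten 12.12.12.12
# to 192.168.1.10) match; the WAN-side copies addressed to 12.12.12.12 are not shown.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 192.168.1.10 and port 443]
2023-06-07 14:22:03.938801 lan out 203.0.113.5.50234 -> 192.168.1.10.443: syn 1234567
2023-06-07 14:22:03.939400 lan in 192.168.1.10.443 -> 203.0.113.5.50234: syn 7654321 ack 1234568
2023-06-07 14:22:03.940100 lan out 203.0.113.5.50234 -> 192.168.1.10.443: ack 7654322
2023-06-07 14:22:09.120000 lan out 203.0.113.5.50301 -> 192.168.1.10.443: syn 2222222
"""

# Verbose level 4 with local timestamps ("l") prints one header per packet:
#   <date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags ...>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)

def parse_sniffer(text):
    """One dict per packet header line; the interfaces=/filters= preamble is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def sstp_handshake_status(text, server_ip, port="443"):
    """Classify each client attempt on the server's real IP, keyed by (client_ip, client_port).

    "completed"  - SYN forwarded to the server and SYN/ACK came back: VIP, policy and server OK.
    "no_syn_ack" - SYN left the FortiGate but the server never answered: look at the server.
    A client that never appears at all was dropped before DNAT (VIP, policy or upstream).
    """
    status = {}
    for pkt in parse_sniffer(text):
        flags = pkt["flags"].split()
        is_syn, is_ack = flags[:1] == ["syn"], "ack" in flags
        if pkt["dst"] == server_ip and pkt["dport"] == port and is_syn and not is_ack:
            status.setdefault((pkt["src"], pkt["sport"]), "no_syn_ack")
        elif pkt["src"] == server_ip and pkt["sport"] == port and is_syn and is_ack:
            status[(pkt["dst"], pkt["dport"])] = "completed"
    return status

if __name__ == "__main__":
    for (ip, sport), result in sstp_handshake_status(SAMPLE_SNIFFER_OUTPUT, "192.168.1.10").items():
        print(f"{ip}:{sport} {result}")
```

Paste the real sniffer output in place of the constructed sample and use the server's real IP as server_ip; a client that is missing from the result entirely never reached the LAN side, which points at the VIP, the policy, or something upstream of the FortiGate.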