FortiGate
aahmadzada (Staff)
Article Id 224968

Description

This article describes how to configure a FortiGate to act as an SSLVPN client, connecting to another FortiGate that acts as the SSLVPN server.

Scope

FortiOS 7.0 and newer versions.

Solution

The FortiGate-as-SSLVPN-client feature was introduced in FortiOS 7.0.0.

Note: Any Certificate Authority can be used to generate the SSLVPN server certificate. In this article, Microsoft Certificate Services is used as the CA.

Components used:

FortiGate A - SSLVPN server.

FortiGate B - SSLVPN client.

AD - Active Directory server acting as LDAP server and Root CA (Certificate Authority).

1. Retrieve the CA certificate of the Microsoft CA and upload it to the FortiGates:

Log on to the Root Certification Authority Web Enrollment site. It is usually reachable at one of the following URLs:

http://<ip_address>/certsrv or http://<fqdn>/certsrv

ip_address = IP address of the Root Certification Authority server.

fqdn = fully qualified domain name of the Root Certification Authority server.

Select 'Download CA certificate'.

Save the file 'certnew.cer' to local disk.

Upload the CA certificate to both FortiGate A and FortiGate B.

2. Generate a Certificate Signing Request (CSR) on FortiGate A for the SSLVPN server certificate.

The IP address(es) of the interface(s) configured to accept SSLVPN connections on FortiGate A should resolve to the FQDN sslvpn.test.local, so that the name the client connects to matches the server certificate and no certificate warnings appear when connecting to the SSLVPN.

3. Download the CSR and submit it to the CA to generate the certificate:

Download the CSR file (it will be saved as sslvpn-server-cert.csr).

Log on to the Root Certification Authority Web Enrollment site with the domain Admin account.

Open sslvpn-server-cert.csr in a text editor, copy the certificate request, and paste it into the 'Saved Request' field.

Once the request is submitted, download the issued certificate.

After downloading the certificate, upload it to FortiGate A.

4. Configure SSL VPN on FortiGate A and select the freshly imported certificate as the Server Certificate.

5. Be sure to configure the SSLVPN authentication rule and firewall policies on FortiGate A. The group name in the policies must match the user group exactly (no leading space), and each firewall policy needs a unique name, so the second policy below is named differently from the first:

config user group
    edit "sslvpn-users"
        set member "spoke1" "spoke2"
    next
end

config vpn ssl settings
    set servercert "sslvpn-server-cert"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 1443
    set source-interface "port1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "tunnel-access"
        next
    end
end

config firewall policy
    edit 1
        set name "sslvpn tunnel mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "sslvpn tunnel mode access port2"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

6. On FortiGate B, configure the PKI peer, the SSLVPN tunnel interface, the SSLVPN client and the appropriate firewall policy:

Note: CA_Cert_2 is the CA certificate that was imported on FortiGate B in step 1. The psk is the password with which the user 'spoke1' authenticates on FortiGate A.

config user peer
    edit "peer"
        set ca "CA_Cert_2"
    next
end

config system interface
    edit "sslvpn_tun"
        set vdom "root"
        set type ssl
        set snmp-index 9
        set interface "port1"
    next
end

config vpn ssl client
    edit "sslvpn-tunnel"
        set interface "sslvpn_tun"
        set user "spoke1"
        set psk ENC **********
        set peer "peer"
        set server "sslvpn.test.lab"   <----- Make sure to define the address of the SSL VPN server as the FQDN the server certificate was issued for, not as an IP address, so that certificate validation against the peer CA succeeds.
        set port 1443
    next
end

config firewall policy
    edit 1
        set name "11"
        set srcintf "port2"
        set dstintf "sslvpn_tun"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Results:

On FortiGate A:

diag vpn ssl list
[191:root]sconn=0x7f5a1c0e4f00, from(192.168.180.101) task=tunnel2_loop, fd=31(1:1),35(1:1),-1(0:0),-1(0:0),-1(0:0), pending=0

get vpn ssl monitor
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       spoke1          sslvpn-users   16(1)            294    26499    192.168.180.101        0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       spoke1          sslvpn-users   192.168.180.101          2301    104880/0       10.212.134.200
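As an added example (not part of the original article), the following Python script parses the 'get vpn ssl monitor' output shown above from FortiGate A and reports spoke logins that do not match an assumed inventory of expected spoke users and source addresses; the sample output (with an extra spoke2 row) and the inventory are constructed for the example.

```python
# Constructed sample modelled on the 'get vpn ssl monitor' output above; the
# spoke2 row is invented so that the check has something to report.
SAMPLE_MONITOR = """\
SSL-VPN Login Users:
 Index   User    Group   Auth Type      Timeout         Auth-Timeout    From     HTTP in/out    HTTPS in/out    Two-factor Auth
 0       spoke1          sslvpn-users   16(1)            294    26499    192.168.180.101        0/0     0/0     0
 1       spoke2          sslvpn-users   16(1)            294    26499    203.0.113.9            0/0     0/0     0

SSL-VPN sessions:
 Index   User    Group   Source IP      Duration        I/O Bytes       Tunnel/Dest IP
 0       spoke1          sslvpn-users   192.168.180.101          2301    104880/0       10.212.134.200
"""

# Assumed inventory: which spoke user may connect from which source IP.
EXPECTED_SPOKES = {"spoke1": "192.168.180.101", "spoke2": "192.168.180.102"}
EXPECTED_GROUP = "sslvpn-users"  # group referenced by the authentication rule

def parse_logins(text):
    """Rows of the 'SSL-VPN Login Users' table: 10 whitespace-separated fields."""
    logins, in_table = [], False
    for line in text.splitlines():
        if line.startswith("SSL-VPN Login Users:"):
            in_table = True
            continue
        if line.startswith("SSL-VPN sessions:"):
            break
        parts = line.split()
        if in_table and len(parts) == 10 and parts[0].isdigit():  # skips header/blank lines
            logins.append((parts[1], parts[2], parts[6]))  # (user, group, source IP)
    return logins

def find_anomalies(logins, expected=EXPECTED_SPOKES):
    """Unknown users, unexpected source IPs, or logins outside the expected group."""
    findings = []
    for user, group, src in logins:
        if user not in expected:
            findings.append(f"unknown user '{user}' from {src}")
        elif src != expected[user]:
            findings.append(f"{user} connected from {src}, expected {expected[user]}")
        if group != EXPECTED_GROUP:
            findings.append(f"{user} matched group '{group}', not '{EXPECTED_GROUP}'")
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse_logins(SAMPLE_MONITOR)):
        print("ALERT:", finding)
```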

On FortiGate B:

FortiGate B # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] is directly connected, sslvpn_tun, [1/0]
C       10.212.134.200/32 is directly connected, sslvpn_tun
C       192.168.180.0/24 is directly connected, port1

Details of the SSLVPN connection on the SSLVPN client can be checked with the command:

diag vpn ssl client peer list

Note: By default, the PKI menu does not appear in the GUI; it is only shown after a PKI user has been created in the CLI. The CN can only be configured in the CLI. Use 'config user peer' as shown above to create the PKI user.