Created on 12-28-2022 02:18 AM. Edited on 06-25-2025 10:30 AM by Stephen_G.
Description | This article explains the steps to configure two FortiGates which are acting as an SSL VPN client and SSL VPN server. It also explains how to reach internal resources behind the SSL VPN server, and how to access the internet on the SSL VPN client through the SSL VPN server. |
Scope | FortiGate. |
Solution |
Note: As of FortiOS v7.6.3, the SSL VPN tunnel mode feature has been replaced by IPsec VPN tunnels, and IPsec can be configured to use TCP port 443 for communication. Keep this in mind if the following procedure does not behave as expected.
(SSL VPN Client) 10.109.16.186 wan1 ------> INTERNET -----> wan1 10.109.16.74 (SSLVPN server) ----> resources behind "10.146.0.0/20" and Internet Access like 8.8.4.4
Configuration steps for a FortiGate acting as SSLVPN Client:
config user peer
    edit "pki"
        set ca "Fortinet_CA"
    next
end

config system interface
    edit "sslvpn-client"
        set vdom "root"
        set allowaccess ping https ssh
        set type ssl
        set interface "wan1"
    next
end

config vpn ssl client
    edit "SSLVPN-Client"
        set interface "sslvpn-client"
        set user "sophia"
        set psk 123456
        set peer "pki"
        set server "10.109.16.74"
        set port 10443
        set certificate "Fortinet_Factory"
        set distance 11
    next
end
Note: If the distance value is not changed under 'config vpn ssl client' setting when configuring, a default route of 0.0.0.0/0 through the SSL VPN interface will be automatically created on the FortiGate.
config router static
    edit 0
        set dst 10.146.0.0 255.255.240.0
        set device "sslvpn-client"
    next
    edit 0
        set dst 8.8.4.4 255.255.255.255
        set device "sslvpn-client"
    next
end

Note: 8.8.4.4/32 in the above setting is an example value; any public subnet or IP can be substituted in the second static route.
Routing table for VRF=0
Configuration steps for a FortiGate acting as an SSLVPN server:
config user local
    edit "sophia"
        set type password
        set passwd 123456
    next
end

config user peer
    edit "pki"
        set ca "Fortinet_CA"
    next
end

config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set users "sophia"
            set portal "tunnel-access"
            set client-cert enable
            set user-peer "pki"
        next
    end
end

config firewall policy
    edit 0
        set name "Access-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"    <----- To reach the internet.
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "sophia"
    next
    edit 0
        set name "Access-to-internal-resources"
        set srcintf "ssl.root"
        set dstintf "port1"    <----- To reach internal resources.
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set users "sophia"
    next
end
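The client and server configuration above must agree on several values (the user, the peer CA, the portal, the port, the routes and the policies) before the tunnel carries traffic. The following script is an added example written for this article, not Fortinet code: it parses FortiOS CLI text (indented or flattened onto one line, as it appears on this page) into nested dictionaries and cross-checks a client/server pair. It embeds the article's own fragments as constructed input, slightly trimmed. Two assumptions are built in: a server whose `config vpn ssl settings` carries no `set port` is taken to listen on 443, and `edit 0` is treated as "allocate the next free ID". With those assumptions the article's pair produces exactly one finding, the client's port 10443 against a server that sets no port, which is the kind of mismatch worth ruling out first when the tunnel does not come up.

```python
"""Cross-check a FortiGate SSL VPN client/server configuration pair.

Illustrative example for this article, not Fortinet code. It parses FortiOS
CLI text (indented or flattened onto one line) into nested dicts and flags the
mismatches that commonly keep the tunnel from coming up. Assumptions: a server
without 'set port' under 'config vpn ssl settings' listens on 443, and 'edit 0'
means "allocate the next free ID".
"""
import shlex

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}
DEFAULT_SSLVPN_PORT = "443"  # assumed FortiOS default when the server sets no port

# Constructed inputs: the article's client and server fragments, annotations removed.
CLIENT_CONFIG = """
config user peer edit "pki" set ca "Fortinet_CA" next end
config system interface edit "sslvpn-client" set vdom "root" set allowaccess ping https ssh set type ssl set interface "wan1" next end
config vpn ssl client edit "SSLVPN-Client" set interface "sslvpn-client" set user "sophia" set psk 123456 set peer "pki" set server "10.109.16.74" set port 10443 set certificate "Fortinet_Factory" set distance 11 next end
config router static edit 0 set dst 10.146.0.0 255.255.240.0 set device "sslvpn-client" next edit 0 set dst 8.8.4.4 255.255.255.255 set device "sslvpn-client" next end
"""
SERVER_CONFIG = """
config user local edit "sophia" set type password set passwd 123456 next end
config user peer edit "pki" set ca "Fortinet_CA" next end
config vpn ssl web portal edit "tunnel-access" set tunnel-mode enable set ip-pools "SSLVPN_TUNNEL_ADDR1" set split-tunneling disable next end
config vpn ssl settings set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set source-interface "wan1" set source-address "all" set default-portal "full-access" config authentication-rule edit 1 set users "sophia" set portal "tunnel-access" set client-cert enable set user-peer "pki" next end end
config firewall policy edit 0 set name "Access-to-internet" set srcintf "ssl.root" set dstintf "wan1" set action accept set srcaddr "all" set dstaddr "all" set schedule "always" set service "ALL" set nat enable set users "sophia" next edit 0 set name "Access-to-internal-resources" set srcintf "ssl.root" set dstintf "port1" set action accept set srcaddr "all" set dstaddr "all" set schedule "always" set service "ALL" set users "sophia" next end
"""


def parse_fortios_cli(text):
    """Return {config-path: {entry: {setting: [values]}}} for a CLI fragment."""
    tokens = shlex.split(text)
    root, i = {}, 0
    stack = [("config", root)]  # (block kind, dict being filled)
    while i < len(tokens):
        kw, i = tokens[i], i + 1
        if kw not in KEYWORDS:
            raise ValueError(f"unexpected token {kw!r}")
        args = []  # everything up to the next keyword belongs to this command
        while i < len(tokens) and tokens[i] not in KEYWORDS:
            args.append(tokens[i])
            i += 1
        kind, cur = stack[-1]
        if kw == "config":
            stack.append(("config", cur.setdefault(" ".join(args), {})))
        elif kw == "edit":
            name = args[0]
            if name == "0":  # 'edit 0' = next free ID (assumption); keep entries distinct
                name = f"auto-{len(cur) + 1}"
            stack.append(("edit", cur.setdefault(name, {})))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw == "unset":
            cur.pop(args[0], None)
        else:  # 'next' closes an edit block, 'end' closes a config block
            expected = "edit" if kw == "next" else "config"
            if kind != expected or len(stack) == 1:
                raise ValueError(f"'{kw}' does not close a {expected} block")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config/edit block")
    return root


def check_pair(client, server):
    """Return human-readable findings; an empty list means the pair lines up."""
    findings = []
    settings = server.get("vpn ssl settings", {})
    rules = list(settings.get("authentication-rule", {}).values())
    policies = list(server.get("firewall policy", {}).values())
    routes = list(client.get("router static", {}).values())
    for name, c in client.get("vpn ssl client", {}).items():
        user, iface, peer = c["user"][0], c["interface"][0], c["peer"][0]
        if peer not in client.get("user peer", {}):
            findings.append(f"{name}: peer {peer} is not defined on the client")
        if client.get("system interface", {}).get(iface, {}).get("type") != ["ssl"]:
            findings.append(f"{name}: interface {iface} is not of type ssl")
        if "distance" not in c:  # the article's note: an unset distance installs a 0.0.0.0/0 route
            findings.append(f"{name}: no distance set, a default route via {iface} will be installed")
        cport = c.get("port", [DEFAULT_SSLVPN_PORT])[0]
        sport = settings.get("port", [DEFAULT_SSLVPN_PORT])[0]
        if cport != sport:
            findings.append(f"{name}: client connects to port {cport} but server listens on {sport}")
        if user not in server.get("user local", {}):
            findings.append(f"{name}: user {user} is not defined on the server")
        matching = [r for r in rules if user in r.get("users", [])]
        if not matching:
            findings.append(f"{name}: no server authentication-rule matches user {user}")
        for r in matching:
            portal_name = r.get("portal", [""])[0]
            portal = server.get("vpn ssl web portal", {}).get(portal_name, {})
            if portal.get("tunnel-mode") != ["enable"]:
                findings.append(f"{name}: portal {portal_name} does not enable tunnel mode")
            if r.get("client-cert") == ["enable"] and r.get("user-peer", [""])[0] not in server.get("user peer", {}):
                findings.append(f"{name}: client-cert is enabled but its user-peer is missing on the server")
        if not any("ssl.root" in p.get("srcintf", []) and user in p.get("users", []) and p.get("nat") == ["enable"] for p in policies):
            findings.append(f"{name}: no NAT policy from ssl.root for {user}, so no internet access via the server")
        if not any(r.get("device") == [iface] for r in routes):
            findings.append(f"{name}: no static route on the client points at {iface}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_fortios_cli(CLIENT_CONFIG), parse_fortios_cli(SERVER_CONFIG)):
        print(finding)
```

Paste the output of `show` from each FortiGate into the two strings and run the script; the token-stream parser accepts the CLI whether it is indented or collapsed onto one line, with the one limitation that a value equal to a CLI keyword (for example a name literally called `end`) would be misread. The checks mirror the article's notes: the distance check reproduces the default-route caveat, and the NAT check confirms that the `ssl.root` to `wan1` policy needed for internet access through the server is present for the user.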
The following debug outputs are from both the SSLVPN client and the SSLVPN server, captured when ping traffic is initiated from the client to the resources behind the SSLVPN server and to IP 8.8.4.4:
Results on the SSLVPN client side:
List the session entries on the SSLVPN client side:
diagnose sys session list clear
session info: proto=1 proto_state=00 duration=3 expire=57 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
session info: proto=1 proto_state=00 duration=16 expire=44 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
The interface indexes in the session entries above match the interface indexes reported by the address listing below, as expected:
di ip address list
get vpn ssl monitor
SSL-VPN sessions:
diagnose sys session filter clear
session info: proto=1 proto_state=00 duration=13 expire=50 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.