FortiGate
anoushiravan
Staff
Article Id 241205
Description: This article explains the steps to configure two FortiGates that act as an SSL VPN client and an SSL VPN server. It also explains how to reach internal resources behind the SSL VPN server, and how to access the internet from the SSL VPN client through the SSL VPN server.
Scope: FortiGate.
Solution:

Note: As of FortiOS v7.6.3, the SSL VPN tunnel mode feature has been replaced by IPsec VPN tunnels, which can be configured to use TCP port 443 for communication. Keep this in mind if any trouble occurs while performing the procedure below.

Topology: (SSL VPN client) 10.109.16.186 wan1 ------> INTERNET -----> wan1 10.109.16.74 (SSL VPN server) ----> resources behind 10.146.0.0/20 and internet access, for example 8.8.4.4

 

Configuration steps for a FortiGate acting as an SSL VPN client:

  1. Configure the peer:

config user peer
    edit "pki"
        set ca "Fortinet_CA"
    next
end

 

  2. Configure the SSL VPN interface:

config system interface
    edit "sslvpn-client"
        set vdom "root"
        set allowaccess ping https ssh
        set type ssl
        set interface "wan1"
    next
end

 

  3. Configure the SSL VPN client:

config vpn ssl client
    edit "SSLVPN-Client"
        set interface "sslvpn-client"
        set user "sophia"
        set psk 123456
        set peer "pki"
        set server "10.109.16.74"
        set port 10443
        set certificate "Fortinet_Factory"
        set distance 11
    next
end

 

Note: If the distance value under 'config vpn ssl client' is left at its default, a default route (0.0.0.0/0) through the SSL VPN interface is automatically created on the FortiGate.

 

  4. Create static routes via the SSL VPN interface to forward traffic toward the resources behind the SSL VPN server or toward the internet:

config router static
    edit 0
        set dst 10.146.0.0 255.255.240.0
        set device "sslvpn-client"
    next
    edit 0
        set dst 8.8.4.4 255.255.255.255
        set device "sslvpn-client"
    next
end

 

Note: 8.8.4.4/32 in the above setting is an example value. Any public subnet or IP can be substituted in the second static route above.

 

  5. Once the SSL VPN client connects to the SSL VPN server, a connected route via the SSL VPN interface is created:

get router info routing-table all

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.109.31.254, wan1, [1/0]
S 8.8.4.4/32 [10/0] is directly connected, sslvpn-client, [1/0]
C 10.109.16.0/20 is directly connected, wan1
S 10.146.0.0/20 [10/0] is directly connected, sslvpn-client, [1/0]
C 10.212.134.200/32 is directly connected, sslvpn-client

 

Configuration steps for a FortiGate acting as an SSL VPN server:

  1. Configure the local user:

config user local
    edit "sophia"
        set type password
        set passwd 123456
    next
end

 

  2. Configure the peer user:

config user peer
    edit "pki"
        set ca "Fortinet_CA"
    next
end

 

  3. Configure the web portal:

config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

 

  4. Configure the SSL VPN settings:

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set users "sophia"
            set portal "tunnel-access"
            set client-cert enable
            set user-peer "pki"
        next
    end
end

 

  5. Configure policies to reach the resources behind the FortiGate and the internet:

config firewall policy
    edit 0
        set name "Access-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"  <----- To reach the internet.
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "sophia"
    next
    edit 0
        set name "Access-to-internal-resources"
        set srcintf "ssl.root"
        set dstintf "port1"  <----- To reach internal resources.
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set users "sophia"
    next
end

 

The following debug outputs were collected on both the SSL VPN client and the SSL VPN server while ping traffic was initiated from the client toward the resources behind the SSL VPN server and toward the IP 8.8.4.4:

 

Results on the SSL VPN client side:

List the session entries on the SSL VPN client side (the filter is cleared and then restricted to ICMP, protocol 1, before listing):

diagnose sys session filter clear
diagnose sys session filter proto 1
diagnose sys session list

 

session info: proto=1 proto_state=00 duration=3 expire=57 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=2
tx speed(Bps/kbps): 42/0 rx speed(Bps/kbps): 42/0
orgin->sink: org out->post, reply pre->in dev=0->56/56->44 gwy=0.0.0.0/10.212.134.200
hook=out dir=org act=noop 10.212.134.200:3328->10.146.0.74:8(0.0.0.0:0)
hook=in dir=reply act=noop 10.146.0.74:3328->10.212.134.200:0(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000e12c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local

 

session info: proto=1 proto_state=00 duration=16 expire=44 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log local nds
statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org out->post, reply pre->in dev=0->56/56->44 gwy=0.0.0.0/10.212.134.200
hook=out dir=org act=noop 10.212.134.200:3072->8.8.4.4:8(0.0.0.0:0)
hook=in dir=reply act=noop 8.8.4.4:3072->10.212.134.200:0(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000e05f tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 2

 

In the above session entries, the interface indexes in 'dev=0->56/56->44' match the indexes reported by 'diagnose ip address list', as expected: index 56 is the sslvpn-client interface and index 44 is root:

diagnose ip address list
IP=10.109.16.186->10.109.16.186/255.255.240.0 index=25 devname=wan1
IP=192.168.100.99->192.168.100.99/255.255.255.0 index=26 devname=port1
IP=10.108.0.186->10.108.0.186/255.255.240.0 index=29 devname=port3
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=44 devname=root
IP=10.212.134.200->10.212.134.200/255.255.255.255 index=56 devname=sslvpn-client


Results on the SSL VPN server side:

  1. List the connected SSL VPN clients:

get vpn ssl monitor


SSL-VPN Login Users:
Index User Group Auth Type Timeout Auth-Timeout From HTTP in/out HTTPS in/out Two-factor Auth
0 sophia 1(1) 172 26676 10.109.16.186 0/0 0/0 1

 

SSL-VPN sessions:
Index User Group Source IP Duration I/O Bytes Tunnel/Dest IP
0 sophia 10.109.16.186 2124 2272/2112 10.212.134.200

 

  2. List the session entries on the SSL VPN server side:

 

diagnose sys session filter clear
diagnose sys session filter proto 1
diagnose sys session list


session info: proto=1 proto_state=00 duration=3 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=sophia state=log may_dirty authed f00 acct-ext
statistic(bytes/packets/allow_err): org=336/4/1 reply=336/4/1 tuples=2
tx speed(Bps/kbps): 96/0 rx speed(Bps/kbps): 96/0
orgin->sink: org pre->post, reply pre->post dev=27->5/5->27 gwy=10.109.31.254/10.212.134.200
hook=post dir=org act=snat 10.212.134.200:3840->8.8.4.4:8(10.109.16.74:64256)
hook=pre dir=reply act=dnat 8.8.4.4:64256->10.109.16.74:0(10.212.134.200:3840)
misc=0 policy_id=2 pol_uuid_idx=516 auth_info=16777218 chk_client_info=0 vd=0
serial=000137b9 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040108
no_ofld_reason: non-npu-intf

 

session info: proto=1 proto_state=00 duration=13 expire=50 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
user=sophia state=local may_dirty acct-ext
statistic(bytes/packets/allow_err): org=420/5/1 reply=420/5/1 tuples=2
tx speed(Bps/kbps): 31/0 rx speed(Bps/kbps): 31/0
orgin->sink: org pre->in, reply out->post dev=27->24/24->27 gwy=10.146.0.74/0.0.0.0
hook=pre dir=org act=noop 10.212.134.200:3584->10.146.0.74:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.146.0.74:3584->10.212.134.200:0(0.0.0.0:0)
misc=0 policy_id=3 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0001375c tos=00/00 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 2


In the above session entries, policy IDs 2 and 3 match the traffic as expected: the ping to 8.8.4.4 hits policy_id=2 and is source-NATed (act=snat) to the wan1 address 10.109.16.74, while the ping to 10.146.0.74 behind the server hits policy_id=3 with no NAT (act=noop).
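As an added example, not part of the original article or of FortiOS, here is a small Python checker for the two diagnose outputs above: it maps the dev= indexes in the client's session entries to interface names from 'diagnose ip address list' and confirms that the server's sessions hit the expected policy ID and NAT action. The sample text is constructed from the entries shown above, and the function names are my own.

```python
import re
# Constructed samples: the session entries shown above, trimmed to the lines read here.
CLIENT_IP_LIST = """\
IP=10.109.16.186->10.109.16.186/255.255.240.0 index=25 devname=wan1
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=44 devname=root
IP=10.212.134.200->10.212.134.200/255.255.255.255 index=56 devname=sslvpn-client
"""
CLIENT_SESSIONS = """\
session info: proto=1 proto_state=00 duration=3 expire=57 timeout=0 flags=00000000
orgin->sink: org out->post, reply pre->in dev=0->56/56->44 gwy=0.0.0.0/10.212.134.200
hook=out dir=org act=noop 10.212.134.200:3328->10.146.0.74:8(0.0.0.0:0)
misc=0 policy_id=0 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
"""
SERVER_SESSIONS = """\
session info: proto=1 proto_state=00 duration=3 expire=59 timeout=0 flags=00000000
orgin->sink: org pre->post, reply pre->post dev=27->5/5->27 gwy=10.109.31.254/10.212.134.200
hook=post dir=org act=snat 10.212.134.200:3840->8.8.4.4:8(10.109.16.74:64256)
misc=0 policy_id=2 pol_uuid_idx=516 auth_info=16777218 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=13 expire=50 timeout=0 flags=00000000
orgin->sink: org pre->in, reply out->post dev=27->24/24->27 gwy=10.146.0.74/0.0.0.0
hook=pre dir=org act=noop 10.212.134.200:3584->10.146.0.74:8(0.0.0.0:0)
misc=0 policy_id=3 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

def parse_ip_list(text):
    """Map interface index -> devname from 'diagnose ip address list'."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"index=(\d+) devname=(\S+)", text)}

def parse_sessions(text):
    """One dict per entry of 'diagnose sys session list' (original direction only)."""
    sessions = []
    for block in text.split("session info:")[1:]:
        s = {"proto": int(re.search(r"proto=(\d+)", block).group(1))}
        d = re.search(r"dev=(\d+)->(\d+)/", block)  # dev=in->out for the original direction
        s["dev_in"], s["dev_out"] = int(d.group(1)), int(d.group(2))
        h = re.search(r"dir=org act=(\w+) (\S+):\d+->(\S+):\d+\((\S+):\d+\)", block)
        s.update(act=h.group(1), src=h.group(2), dst=h.group(3), nat=h.group(4))
        s["policy_id"] = int(re.search(r"policy_id=(\d+)", block).group(1))
        sessions.append(s)
    return sessions

def egress_interface(session, ifmap):
    """Name of the outgoing interface in the original direction ('?' if the index is unknown)."""
    return ifmap.get(session["dev_out"], "?")

def check_server_policies(sessions, expected):
    """expected maps destination IP -> (policy_id, act); returns the sessions that do not match."""
    return [s for s in sessions if expected.get(s["dst"]) != (s["policy_id"], s["act"])]
```

Run the same functions against live output from your own devices by pasting it into the two string constants; a non-empty list from check_server_policies means a session was matched by a policy other than the one intended.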