Description
This article describes how SSL VPN can be used to give external clients access to different internal resources depending on the credentials they log in with.
With a dialup IPsec VPN this is not possible: user authentication takes place in phase 1, and every user in the group defined there gets access to all of the resources defined in phase 2 of the dialup tunnel.
With a site-to-site tunnel there is no user authentication at all, so access can only be restricted in the phase 2 selectors or in the firewall policies, by limiting which subnets or hosts are allowed to reach specific resources on the remote site.
Each SSL VPN portal with tunnel mode enabled represents a separate tunnel or connection. It is therefore mandatory to assign each portal its own client IP range, and that range must not overlap with any other IP addresses used in the network.
Separate pools also make it possible to differentiate access by source IP (the address the client is given inside the tunnel), in addition to the user identity.
Scope
All FortiGates.
Solution
In this example it is assumed that user test1 receives 1.1.1.2 and user test2 receives 2.2.2.2 from their respective pools.
test1 should connect via wan1 and test2 via wan2. test1 should only be able to reach 192.168.6.0/24, while test2 should be able to reach both 192.168.5.0/24 and 192.168.1.0/24.
Split tunneling is used in this example.
To achieve this, the configuration should look like this (the authentication rules map each user to a portal; a user that matches no rule lands in the default portal, which here is web-mode only):
config vpn ssl settings
set servercert "Fortinet_Factory"
set tunnel-ip-pools "1.1.1.0" "2.2.2.0"
set port 10443
set source-interface "wan1" "wan2"
set source-address "all"
set source-address6 "all"
set default-portal "web-access"
config authentication-rule
edit 1
set source-interface "wan1"
set source-address "all"
set users "test1"
set portal "First"
next
edit 2
set source-interface "wan2"
set source-address "all"
set users "test2"
set portal "Second"
next
end
end
Portal configuration:
config vpn ssl web portal
edit "web-access"
next
edit "First"
set tunnel-mode enable
set web-mode enable
set ip-pools "1.1.1.0"
set split-tunneling enable
set theme green
set split-tunneling-routing-address "192.168.6.0/24"
next
edit "Second"
set tunnel-mode enable
set web-mode enable
set ip-pools "2.2.2.0"
set split-tunneling enable
set theme orange
set split-tunneling-routing-address "192.168.1.0/24" "192.168.5.0/24"
next
end
Firewall policies to allow this traffic. Each policy matches on both the tunnel pool as source address and the user, so a client is only granted access to the networks of the portal it was placed in, and a user whose session somehow carries another pool's address still fails the user check:
config firewall policy
edit 0
set srcintf "ssl.root"
set dstintf "lan6"
set srcaddr "1.1.1.0/24"
set dstaddr "192.168.6.0/24"
set action accept
set schedule "always"
set service "ALL"
set users "test1"
next
edit 0
set srcintf "ssl.root"
set dstintf "lan1"
set srcaddr "2.2.2.0/24"
set dstaddr "192.168.1.0/24"
set action accept
set schedule "always"
set service "ALL"
set users "test2"
next
edit 0
set srcintf "ssl.root"
set dstintf "lan5"
set srcaddr "2.2.2.0/24"
set dstaddr "192.168.5.0/24"
set action accept
set schedule "always"
set service "ALL"
set users "test2"
next
end
Static routes for the two tunnel pools, pointing to the SSL VPN interface so that return traffic is sent back into the tunnel:
config router static
edit 1
set dst 1.1.1.0 255.255.255.0
set device "ssl.root"
next
edit 2
set dst 2.2.2.0 255.255.255.0
set device "ssl.root"
next
end
With split tunneling enabled, only traffic to the networks listed in split-tunneling-routing-address is encapsulated; the client's Internet traffic leaves through the client's own default route.
Follow the steps in this document for version 7.0 and later.
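The design above only works if the two properties the article relies on actually hold: the portal pools must not overlap each other or any internal network (otherwise the tunnel source address no longer identifies the portal), and every firewall policy must restrict srcaddr to the pool of the portal its users are mapped to. The following script is an added example, not FortiOS or Fortinet code: it models the portals, authentication rules, internal networks and policies from this article as constructed data and checks both properties, so the same check can be rerun after the configuration is extended with more portals or policies.

```python
"""
Consistency check for a multi-portal SSL VPN design (added example, not
FortiOS code). The data below is constructed from the article: portal
pools, user-to-portal authentication rules, internal networks and the
firewall policies. Two properties are verified:

  1. no two portal pools overlap, and no pool overlaps an internal
     network, so a client's tunnel address identifies its portal;
  2. every policy restricts srcaddr to the pool of the portal that its
     users land in, so a user cannot reach another portal's networks.
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple

# portal name -> tunnel pool (the ip-pools address object of each portal)
PORTALS: Dict[str, str] = {
    "First": "1.1.1.0/24",
    "Second": "2.2.2.0/24",
}

# authentication rules from the article: user -> portal
AUTH_RULES: Dict[str, str] = {"test1": "First", "test2": "Second"}

# internal networks the pools must not collide with
INTERNAL: List[str] = ["192.168.1.0/24", "192.168.5.0/24", "192.168.6.0/24"]

# firewall policies from the article: (srcaddr, dstaddr, users)
POLICIES: List[Tuple[str, str, List[str]]] = [
    ("1.1.1.0/24", "192.168.6.0/24", ["test1"]),
    ("2.2.2.0/24", "192.168.1.0/24", ["test2"]),
    ("2.2.2.0/24", "192.168.5.0/24", ["test2"]),
]


def pool_overlaps(portals: Dict[str, str], internal: List[str]) -> List[str]:
    """Return findings for pools that overlap each other or an internal net."""
    findings: List[str] = []
    names = list(portals)
    for i, a in enumerate(names):
        net_a = ip_network(portals[a])
        for b in names[i + 1:]:
            if net_a.overlaps(ip_network(portals[b])):
                findings.append(f"pool overlap: {a} {portals[a]} and {b} {portals[b]}")
        for cidr in internal:
            if net_a.overlaps(ip_network(cidr)):
                findings.append(f"pool {a} {portals[a]} overlaps internal network {cidr}")
    return findings


def policy_mismatches(policies: List[Tuple[str, str, List[str]]],
                      portals: Dict[str, str],
                      auth_rules: Dict[str, str]) -> List[str]:
    """Flag policies whose srcaddr is not the pool of the users' portal,
    and users that match no authentication rule (they get the default portal)."""
    findings: List[str] = []
    for srcaddr, dstaddr, users in policies:
        src = ip_network(srcaddr)
        for user in users:
            portal = auth_rules.get(user)
            if portal is None:
                findings.append(f"user {user} has no authentication rule (default portal)")
                continue
            pool = portals[portal]
            if src != ip_network(pool):
                findings.append(
                    f"policy {srcaddr} -> {dstaddr} for {user}: "
                    f"srcaddr is not pool {pool} of portal {portal}")
    return findings


def check(portals: Dict[str, str] = PORTALS,
          internal: List[str] = INTERNAL,
          policies: List[Tuple[str, str, List[str]]] = POLICIES,
          auth_rules: Dict[str, str] = AUTH_RULES) -> List[str]:
    """All findings for the design; an empty list means it is consistent."""
    return pool_overlaps(portals, internal) + policy_mismatches(policies, portals, auth_rules)


if __name__ == "__main__":
    for line in check() or ["OK: pools are disjoint and every policy matches its portal"]:
        print(line)
```

Run as-is it reports the article's configuration as consistent; change one pool to overlap the other, or point a policy for test1 at the 2.2.2.0/24 pool, and the corresponding finding is printed. A user referenced in a policy but missing from the authentication rules is also reported, since such a user would be served the default portal rather than the intended one.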