FortiManager
singhl
Staff
Article Id 392637
Description

This article describes how to use FortiManager to build the IPsec VPN configuration before upgrading to FortiOS 7.6.3. Starting from FortiOS 7.6.3, SSL VPN tunnel mode is no longer supported: all existing configuration related to SSL VPN tunnel mode, including the associated firewall policies, is not carried over when upgrading from an earlier version to FortiOS 7.6.3.

Scope

FortiManager, FortiGate

Solution

Key components of SSL VPN tunnel mode and their equivalents in IPsec:

  • Authentication Method: The users/user groups currently used for SSL VPN should already be present in the ADOM's policy database and can be reused in the IPsec tunnel configuration as 'Xauth'.
  • Peer ID: If different clients need access to different resources, a peer ID can be used to differentiate them where Xauth cannot be used.
  • Client IP Address range: If a custom IP range was used in the tunnel-mode client settings, the same or a different address object can be used as the IPv4 client IP range under 'Mode Config'.
  • Internal/Protected network: This is set as 'src-subnet', 'src-name', etc. under the phase2-interface configuration.
  • Split tunnel: If split tunnel was enabled in SSL VPN, the same can be set in IPsec under phase1-interface with the 'IPv4 split tunnel' option.
  • Policies: The same policies can be reused, but the source interface must be changed from the SSL VPN interface to the IPsec tunnel interface.
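
The mapping above as an added FortiOS CLI example (not part of the original article): a dial-up IPsec tunnel using Xauth, a peer ID, Mode Config with the existing SSL VPN client address object, IPv4 split tunnel, and the rewritten firewall policy, in the form that could be pushed from a FortiManager CLI template. The interface and object names (wan1, internal, vpn_users, SSLVPN_TUNNEL_ADDR1, LAN_subnet) and the peer ID value are assumptions.

```text
# Added example, not from the article. Names such as wan1, internal,
# vpn_users, SSLVPN_TUNNEL_ADDR1 and LAN_subnet are assumed objects.
config vpn ipsec phase1-interface
    edit "ipsec-dialup"
        # Dial-up tunnel: remote clients connect from any source address
        set type dynamic
        set interface "wan1"
        # Aggressive mode is needed for peer ID matching with IKEv1 dial-up
        set mode aggressive
        set peertype one
        # Peer ID: clients must present this value as their local ID
        set peerid "remote-users"
        # Mode Config: reuse the SSL VPN client address object as the IP pool
        set mode-cfg enable
        set assign-ip-from name
        set ipv4-name "SSLVPN_TUNNEL_ADDR1"
        # IPv4 split tunnel: only the internal network is routed via the tunnel
        set ipv4-split-include "LAN_subnet"
        # Xauth: reuse the user group already used by SSL VPN
        set xauthtype auto
        set authusrgrp "vpn_users"
        # Placeholder; set the real pre-shared key on the device
        set psksecret PRESHARED_KEY_PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "ipsec-dialup-p2"
        set phase1name "ipsec-dialup"
        # Internal/protected network given as an address object (src-name)
        set src-addr-type name
        set src-name "LAN_subnet"
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config firewall policy
    edit 0
        set name "ipsec-dialup-to-lan"
        # Same policy as before, with the SSL VPN interface replaced by the tunnel
        set srcintf "ipsec-dialup"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_subnet"
        set groups "vpn_users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Verify the result on the FortiGate after installation with 'diagnose vpn ike gateway list' and a test client login before the FortiOS upgrade, so that the SSL VPN policies can be removed with confidence.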

There are various ways to build IPsec tunnels in FortiManager, such as an IPsec template, VPN Manager, a CLI template, or directly in the Device Manager database. In this article, the two most commonly used methods are explained. For more details, see these articles:

Note: Before upgrading FortiOS to 7.6.3, upgrade FortiManager to 7.6.3 and replace the SSL VPN tunnels with IPsec tunnels.
