Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiOS 5.2.X - Tunnel mode SRC IP configurati...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiOS 5.2.X - Tunnel mode SRC IP configuration
When configuring an SSLVPN in tunnel mode why do we have to specify source IP information in the VPN > SSL > SETTINGS screen under Tunnel Mode Client Settings as well as in VPN > SSL > PORTALS in the Source IP Pools field when checking Enable Tunnel Mode?
If I don't get an answer I will lab it up and find out but I'm hoping to save some time. I suspect it has to do with Authentication/Portal Mapping but I would like some confirmation on that.
Does the settings config assign the IP ranges that WILL be used when a tunnel mode client connects and the Portal setting is used separately to define configuration sent to the Forticlient for remote policy definition?
Are they purely redundant configuration fields?
Does one setting just give you more granular control over assigned IPs to specific users/groups? ie Does the IP pool in the portal config trump the IP Ranges value in the settings config? (This would seem silly to me since you have to define a portal even if it is just to the All Other Users/Groups portal mapping field.)
Network Engineer
Solved! Go to Solution.
Network Engineer
Labels:
- Labels:
-
5.2
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know if they are redundant, but I believe you need the settings if you wanted to achieve a different src pool for tunnel-mode and portal clients. And yes, so what ever is under the main cfg is trumped by the port definitions.
e.g my webportal
config vpn ssl web portal edit "socgroup012" set tunnel-mode enable set ipv6-tunnel-mode enable set web-mode enable set ip-pools "SSLVPN_012GROUP" set split-tunneling disable set ipv6-pools "SSLVPN_IPv6_012GROUP" next end
and here's my main cfg;
config vpn ssl settings set sslv3 disable set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set port 8767 set source-interface "wifi" set source-address "all" set source-address6 "all" set default-portal "default" config authentication-rule edit 1 set groups "SSL1" set portal "socgroup012" next end end
So I believe if you look at it; " yes it redundant".
What I do know, if you remove the main tunnel mode cfg src pool address, the user will still work and be assigned a client address via the defined pool src_ip_pool for the specific portal.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know if they are redundant, but I believe you need the settings if you wanted to achieve a different src pool for tunnel-mode and portal clients. And yes, so what ever is under the main cfg is trumped by the port definitions.
e.g my webportal
config vpn ssl web portal edit "socgroup012" set tunnel-mode enable set ipv6-tunnel-mode enable set web-mode enable set ip-pools "SSLVPN_012GROUP" set split-tunneling disable set ipv6-pools "SSLVPN_IPv6_012GROUP" next end
and here's my main cfg;
config vpn ssl settings set sslv3 disable set servercert "Fortinet_Factory" set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set port 8767 set source-interface "wifi" set source-address "all" set source-address6 "all" set default-portal "default" config authentication-rule edit 1 set groups "SSL1" set portal "socgroup012" next end end
So I believe if you look at it; " yes it redundant".
What I do know, if you remove the main tunnel mode cfg src pool address, the user will still work and be assigned a client address via the defined pool src_ip_pool for the specific portal.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is excellent information! Enough for me to move forward with my documentation. The audience for the docs I'm writing wouldn't understand a more detailed explanation anyway. :)
Of course my curiosity is peaked so if I can find a few minutes in the day I think I will lab up a couple of scenarios. I would really like an answer from the developer's as to what the thought was here or was it a missed holdover from old code. Perhaps a query to my SE is in order.
Thank you!!
Network Engineer
Network Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is kind of an old thread, but I was wondering the same thing.
My lab test confirms that the ip pool in the portal settings has precedence over the global vpn ssl Settings, when using tunnel mode. But if I use the web portal to access the internal network, it will use the web portal external ip address as the source IP.
So still not clear to me, when actually the ip pool is used in the global vpn settings.
But what makes me really wonder, why is there no route visible to the ssl.root interface? Shouldn't there be a connected entry in the routing table? get router info routing-table detail doesn't show me the expected entry.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it:
FG01 (root) # get router info kernel
tab=254 vf=0 scope=0 type=1 proto=14 prio=10 0.0.0.0/0.0.0.0/0->10.23.23.210/32 pref=0.0.0.0 gwy=0.0.0.0 dev=16(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=14 prio=10 0.0.0.0/0.0.0.0/0->10.23.23.208/31 pref=0.0.0.0 gwy=0.0.0.0 dev=16(ssl.root)
...
Only the route to the portal VPN pool is visible, there is no route for the global vpn setting.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you install route ( static ) for the vpn pool with the gateway as ssl.root ?
e.g
show router static
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No I didn't:
FG01 (root) # show router static
config router static
edit 2
set gateway 192.168.1.1
set distance 255
set device "port2"
next
edit 3
set dst 10.1.4.0 255.255.255.0
set device "Tunnel4"
next
end
FG01 (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [5/0] via 192.168.1.1, port2
C 1.1.1.1/32 is directly connected, Loopback1
S 10.1.1.0/24 [15/0] is directly connected, Hub Tunnel_1
S 10.1.4.0/24 [10/0] is directly connected, Tunnel4
C 172.16.50.0/30 is directly connected, FG1_1-root0
C 172.16.50.1/32 is directly connected, FG1_1-root0
C 172.16.50.4/30 is directly connected, FG1_2-root0
C 172.16.50.5/32 is directly connected, FG1_2-root0
C 172.16.50.8/30 is directly connected, FG1_3-root0
C 172.16.50.9/32 is directly connected, FG1_3-root0
C 172.16.50.12/30 is directly connected, FG1_4-root0
C 172.16.50.13/32 is directly connected, FG1_4-root0
C 192.168.1.0/24 is directly connected, port2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you need something like the following;
config router static edit 20 set dst 10.10.14.0 255.255.255.0 set device "ssl.root" next
10.10.14.0 would be your sslvpn pool address netwrk
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The original question was, why are there two different IP Pools configurable in the SSLVPN settings: One in the global vpn settings and the other one in the sslvpn portal settings. When is this global sslpvn ip-pool actually used?
Meanwhile I found out that in the GUI the ip pool setting is a required field for the portal settings. So it will never user the value configured in the global vpn ssl setting.
In the CLI (#config vpn ssl web portal) the ip-pool setting is optional. And if it is not set, then it will use the global vpn ssl setting (by default: SSLVPN_TUNNEL_ADDR1).
GUI:
CLI: (set ip-pools is not mandatory)
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set web-mode enable
set save-password enable
set split-tunneling disable
set heading "Full-Access"
set page-layout double-column
set theme crimson
next
end
My 2nd question was, why I couldn't see a route to this ip-pool and sslvpn interface, even when a sslvpn client is connected. The answer:
It will create the appropriate routes automatically, but the routes are only visible in the Forward Information DB (#get router info kernel).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The original question was, why are there two different IP Pools configurable in the SSLVPN settings: One in the global vpn settings and the other one in the sslvpn portal settings. When is this global sslpvn ip-pool actually used?
The ip pool cfg in the specific pool ovveride any global that should answer the 1st part.
My 2nd question was, why I couldn't see a route to this ip-pool and sslvpn interface, even when a sslvpn client is connected. The answer:
Than you need a route in the route table for the pool regardless, without this the packets will drop from uRPF
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- SD-WAN(ish) design 22 Views
- Uneven CPU Load Distribution on FortiGate... 28 Views
- [Help] SD-WAN with BGP on Loopback... 273 Views
- Fortigate Rugged 60F unable to HA... 158 Views
- How configure SO FortiOS by server... 214 Views
Labels
-
FortiGate
8,476 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
458 -
FortiSwitch
457 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
179 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.