We are considering migrating users from dialup SSL VPN to dialup IPsec VPN. Curious about best practices for optimum security as well as client ease of use. One question involves tunnel vs. split tunnel access. Is this an option when using IPsec VPN? Does all traffic go first to the FortiGate that the IPsec connection is made through, then to the web if the traffic is not local to the FortiGate?
In a dial-up IPsec VPN, the topology is similar to SSL VPN in tunnel mode. Users connect to the FortiGate WAN interface, authenticate, and establish an encrypted tunnel. Internal resources are accessed based on firewall policies for their user group. In summary, no changes to the network topology are needed when migrating from SSL VPN to IPsec VPN.
Additionally, IPsec provides flexibility in selecting encryption algorithms, hashing methods, and key lifetime intervals, whereas SSL VPN automatically negotiates the cipher suite between the client and server.
1. Full Tunnel vs. Split Tunnel:
Full Tunnel Mode: In IPsec VPN, all the traffic from the remote user goes through the VPN to the FortiGate, including anything they do on the internet. This means everything is encrypted and inspected.
Split Tunnel Mode: Only traffic meant for the corporate network goes through the VPN. Internet traffic (like web browsing) goes directly to the internet, bypassing the FortiGate. This can reduce the load on the VPN and make things faster for regular internet use.
2. Best Security:
Full Tunnel Mode: This is the most secure because all traffic is encrypted and checked by FortiGate, keeping everything protected.
Split Tunnel Mode: It’s faster for users, but less secure since internet traffic doesn’t get inspected by FortiGate. Make sure there are extra security measures if you go this route.
3. User Experience:
Full Tunnel Mode: Simple for users because everything is handled through the FortiGate, making access seamless.
Split Tunnel Mode: Users get faster internet for non-work activities, which can make things feel smoother, especially for regular browsing.
Thanks Akilesh.
Is there a version of the document SSL VPN to IPsec VPN Migration for FortiOS versions 6.2 and 7.2?
Here is the migration guide for SSL VPN to Dialup IPsec VPN:
Regards,
Varun
Copyright 2024 Fortinet, Inc. All Rights Reserved.