Remote access VPN - SSL tunnel mode vs IPsec tunnel
What is the difference between a remote-access IPsec VPN and an SSL VPN (tunnel mode)? As I understand it, SSL provides layer 7 security with web mode and L3 security with tunnel mode.
You can use SSLVPN client-less, that is, from any browser; this is called web mode or portal mode. The portal only supports some protocols as a proxy, which might or might not meet your needs.
Then, you can install SSLVPN in tunnel mode, which allows you to use any protocol. On the remote side you need the (free) FortiClient software for this.
SSLVPN has a much higher impact on the FGT's CPU, as it cannot be offloaded onto a hardware acceleration chip. You will find the recommended maximum SSL VPN users for each model in the Maximum Values table available on docs.fortinet.com.
IPsec, on the other hand, is typically used for site-to-site tunnels but is suitable for host-to-site settings as well. You will always need a software client for IPsec on the host, which in this case could again be the FortiClient. All protocols are supported across the tunnel.
I personally prefer IPsec remote dial-in as it scales far further than SSLVPN. Even the smallest desktop FGT can sustain dozens of IPsec tunnels without problems.
The only scenario where SSLVPN is superior is when the remote user is located in, for instance, a hotel. Some hotel Wi-Fi/LANs do not permit non-standard ports (for no reason at all). IPsec at least needs UDP ports 500 and 4500 outbound to work. In this case, SSLVPN (using the HTTPS port 443) is the only way out. Luckily, you can configure both and let your users use SSLVPN as a fallback. You can even reuse the user group for both kinds of VPN.
Okay, two reasons: SSLVPN is ideal when you don't want to offer a remote client to various host OSes, or you only need a web-portal-only setup.
IPsec is well supported and most devices have a native IPsec client (iPhone, Android, Windows, macOS, Linux), so it's an open standard and does not require a vendor-unique SSLVPN client; IPsec clients are freely available.
The problems you will encounter with both are access from remote networks outside of your domain:
1: some might not allow IPsec, as Ede pointed out (protocol 50 and IKE could be blocked)
2: some might have a local HTTP/HTTPS proxy which will break SSLVPN tunnel mode (again, transparent or explicit proxies, or even URL categorization policies)
3: IPsec dynamic tunnels are more immune against MitM, where SSLVPN web mode or even tunnel mode could easily be MitM'd, unknown to the end users
4: Since more individuals are trusting of the CA model, and most SSLVPN deployments do not install a CA-trusted cert (the self-signed Fortinet cert, for example), they would have no knowledge if they are MitM'd or tampered with by some unknown appliance (in regards to #3)
You pick your options and go with what you need. SSLVPN will also be more process intensive than IPsec, IMHO. So if you had 50 IPsec dynamic tunnels vs 50 SSLVPN tunnels, the latter, based on my experience, will always consume more CPU/memory.
Things to consider:
1: what end-points need remote access
2: do you need only portal-like access
3: do you need to assign and tunnel traffic
4: do all of the end-points support SSLVPN tunnel mode, and does a client exist (OS support)
5: do you need any of the other security features of the FortiClient
6: do you need to enforce policy for the remote client (again, the FortiClient does this or has that allowance)
7: do you need CA-issued certs
8: do you need mutual client-side certs
9: do you need MFA or hybrid authentication
10: can you risk a MitM device between the VPN gateway and the "remote client"
One is not always better than the other, so always research your needs, goals, requirements ;)
PCNSE
NSE
StrongSwan
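As an added example (not from any of the posts above), here is what the dual setup Ede describes looks like in FortiOS CLI, with Ken's certificate point applied: one user group backs both an IKEv1 XAuth dial-up phase1 (the "dynamic tunnel" that needs UDP/500 and UDP/4500) and an SSL VPN authentication rule on TCP/443, and the SSL VPN server certificate is switched from the self-signed factory default to a CA-issued one. The names (vpn-users, wan1, corp-vpn-cert, the address ranges) are placeholders, the syntax is written from memory of the FortiOS CLI and should be checked against the CLI reference for your firmware, and the firewall policies, address pool object and PSK are omitted.

```text
# Shared group: both VPN types authenticate against it.
config user group
    edit "vpn-users"
        set member "alice" "bob"
    next
end

# IPsec dial-up: IKEv1 aggressive mode with XAuth against the group.
# Clients need UDP/500 and UDP/4500 (NAT-T) outbound to reach this.
config vpn ipsec phase1-interface
    edit "dialup-ike"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn-users"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.200
        set ipv4-end-ip 10.212.134.250
        set ipv4-netmask 255.255.255.0
        set psksecret <pre-shared key, omitted>
    next
end

# SSL VPN on 443 as the fallback, same group, tunnel mode via full-access.
config vpn ssl settings
    # Weak (factory default): self-signed cert, so a user cannot tell a
    # MitM appliance from the real gateway.
    #   set servercert "Fortinet_Factory"
    # Fixed: a certificate issued by a CA the clients already trust.
    set servercert "corp-vpn-cert"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end
```

With this in place a FortiClient profile can carry both the IPsec and the SSL VPN entry for the same credentials, so a user on a network that blocks UDP/500 and 4500 falls back to the SSL VPN entry. Mutual client certificates (Ken's item 8) would be added with `set reqclientcert enable` under `config vpn ssl settings` and a CA object on the FortiGate; that line is left out here because it also requires per-client certificate enrolment.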
A couple of things I want to comment on in addition to Ede's and Ken's:
- Tunnel mode SSL VPN is available only with FortiClient, starting from some point in the past because of a vulnerability issue, if I remember correctly.
- From the user's aspect, only one IPsec VPN can be established from one source IP. You can't set two IPsecs up behind the same NAT, like two employees at the same hotel trying to set up a VPN from their laptops. Only one comes through. With SSL VPN, it doesn't matter.
You can't set two IPsecs up behind the same NAT, like two employees at the same hotel trying to set up a VPN from their laptops. Only one comes through.
Hmm.... With XAuth the peer ID is identified within the IKE exchange. So I have to disagree. This is how multiple sources behind a NAT can establish dynamic VPNs.
Each IKE tunnel would have the same src (different source port), and each client tunnel is unique due to the IKE peer ID.
Ken
PCNSE
NSE
StrongSwan
Ok, I'll test it later.
I was wrong. I set up a dial-up VPN on an FG50E via the GUI (to avoid any bias) and I'm connected from two PCs to it via the same NAT. I even used the same user account. Both are up and functioning.
My apologies.
English problem: I'm connected from two PCs...
I was wrong. I set up a dial-up VPN on an FG50E via the GUI (to avoid any bias) and I'm connected from two PCs to it via the same NAT. I even used the same user account. Both are up and functioning. My apologies
No worries, I just wanted to correct you. The IKE peers will always display this in the diag vpn ike gateway output, IIRC.
PCNSE
NSE
StrongSwan
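Ken's explanation (clients behind one NAT are told apart by their translated source port and IKE peer ID), confirmed by the FG50E test above, can be checked from the `diagnose vpn ike gateway list` output he mentions. The following is an added example and not code from this thread: a small Python parser that splits that listing into one record per IKE gateway, groups established tunnels by the public IP they arrive from, and reports the IPs that carry more than one tunnel. The listing it parses is constructed to resemble the FortiOS output (field names and layout approximated from memory, not captured from a device), so adjust the regexes if your firmware prints the block differently.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `diagnose vpn ike gateway list`
# (approximated from memory, not a real capture): alice and bob sit behind
# one hotel NAT (198.51.100.20), carol connects from elsewhere.
SAMPLE_OUTPUT = """\
vd: root/0
name: dialup-ike_0
version: 1
interface: wan1 5
addr: 203.0.113.10:4500 -> 198.51.100.20:4500
virtual-interface-addr: 10.212.134.1 -> 10.212.134.200
created: 305s ago
xauth-user: alice
peer-id: alice-laptop
IKE SA: created 1/1  established 1/1  time 20/20/20 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

vd: root/0
name: dialup-ike_1
version: 1
interface: wan1 5
addr: 203.0.113.10:4500 -> 198.51.100.20:61002
virtual-interface-addr: 10.212.134.1 -> 10.212.134.201
created: 110s ago
xauth-user: bob
peer-id: bob-laptop
IKE SA: created 1/1  established 1/1  time 18/18/18 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

vd: root/0
name: dialup-ike_2
version: 1
interface: wan1 5
addr: 203.0.113.10:500 -> 192.0.2.77:500
virtual-interface-addr: 10.212.134.1 -> 10.212.134.202
created: 40s ago
xauth-user: carol
peer-id: carol-laptop
IKE SA: created 1/1  established 1/1  time 22/22/22 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
"""

# "local_ip:port -> remote_ip:port" as printed on the addr line
ADDR_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")
# "created a/b  established c/d" counters on the IKE SA line
SA_RE = re.compile(r"created (\d+)/(\d+)\s+established (\d+)/(\d+)")


def parse_ike_gateways(text):
    """Return one dict per IKE gateway block (blocks are blank-line separated)."""
    gateways = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        addr = ADDR_RE.match(fields.get("addr", ""))
        if not addr:
            continue  # not a gateway block in the layout we understand
        sa = SA_RE.search(fields.get("IKE SA", ""))
        gateways.append({
            "name": fields.get("name"),
            "local_ip": addr.group(1), "local_port": int(addr.group(2)),
            "remote_ip": addr.group(3), "remote_port": int(addr.group(4)),
            "peer_id": fields.get("peer-id"),
            "xauth_user": fields.get("xauth-user"),
            # NAT-T moves IKE/ESP to UDP 4500 once a NAT is detected
            "nat_t": int(addr.group(2)) == 4500,
            "established": bool(sa) and int(sa.group(3)) > 0,
        })
    return gateways


def tunnels_by_remote_ip(gateways):
    """Group established gateways by the public source IP they arrive from."""
    groups = defaultdict(list)
    for gw in gateways:
        if gw["established"]:
            groups[gw["remote_ip"]].append(gw)
    return dict(groups)


def shared_nat_peers(gateways):
    """{remote_ip: [(nat_port, peer_id), ...]} for IPs carrying more than one
    tunnel, i.e. several clients behind one NAT; each pair must be distinct."""
    result = {}
    for ip, gws in tunnels_by_remote_ip(gateways).items():
        if len(gws) > 1:
            result[ip] = sorted((g["remote_port"], g["peer_id"]) for g in gws)
    return result


if __name__ == "__main__":
    for ip, peers in shared_nat_peers(parse_ike_gateways(SAMPLE_OUTPUT)).items():
        print(f"{ip} carries {len(peers)} tunnels: {peers}")
```

Run it against a saved copy of the real listing (`diagnose vpn ike gateway list` on the FortiGate, pasted into a file) in place of `SAMPLE_OUTPUT`; if a second client behind the same NAT is missing from the output, the gateway never accepted its IKE exchange, which is the symptom to chase rather than the NAT itself.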
