Jon_Fleming
New Contributor

SSL VPN for Dummies like me

The instructions in the PDF files just plain don't work. Here's how I got my SSL VPN working, with lots of help from Bob Patterson. (In addition, the Fortigate MR7 and MR7 Patch 1 firmware have a bug that disconnects SSL VPN sessions repeatedly. The standalone SSL client reconnects, but it's still a problem for many applications. Currently I'm on MR6 Patch 3.)
Assumptions:
  Internal network is 192.168.0.0/255.255.255.0
  DHCP/DNS/WINS server is 192.168.250.0
  Desired range of SSL client IP addresses is 192.168.32.0/255.255.255.0 (must be different from the internal network!)
  You want to enable split tunneling (which lets your clients use their local pipe for traffic that's not destined for your internal network)

Make appropriate substitutions for these where you see them below. OK, off we go:

VPN -> SSL -> Config tab
  Enable SSL VPN: checked
  Tunnel IP range: could be 192.168.32.1-192.168.32.255 ... but make it 0.0.0.0/0.0.0.0. We'll set up the IP range below.
  Require Client Certificate: do not check
  Encryption Key Algorithm: High
  Idle timeout: big, like 3600
  Under Advanced: both DNS and WINS server 1: 192.268.0.250 (i.e. the server's IP)

User -> User Group
  Create an SSL_Users user group
  Type: SSL VPN
  Add any local users and/or user groups from Users on Radius/LDAP/TCACS+ servers
  Options: Enable SSL-VPN Tunnel checked; Allow Split Tunneling checked (You may need to disable split tunneling, go through the rest of the setup and come back to enable split tunneling)
  IP range: 192.168.0.32.1-192.168.32.254 (this is the range of IP addresses that will be assigned to clients in this group ... you could set up another group with a different range)
  Enable Web Application: check all
  That's all.

Firewall -> Address -> Address tab
  Create an SSL_Destinations group
  Type: Subnet / IP Range
  Subnet / IP Range: 192.168.0.0/255.255.255.0 (i.e. your internal network)
  Interface: any

Firewall -> Policy
  Source: external port (e.g. Wan1)
  Source Address: all
  Destination: ssl.root
  Destination address: SSL_Destinations (the address group created in the previous step)
  Schedule: Always
  Service: Any
  Action: SSL-VPN
  Cipher strength: high
  User authentication: any; add the SSL_Users user group created above

Firewall -> Policy
  Source: ssl.root
  Source address: all
  Destination: internal
  Destination address: all
  Schedule: Always
  Service: Any
  Action: Accept

Router -> Static
  Destination IP/mask: 192.168.0.0/255.255.255.0 (i.e. the internal network; must be IP/mask format)
  Device: ssl.root
  Distance: 10

Now you can go back to User -> Group, edit the SSL_VPN user group, and check Allow Split Tunneling.
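As an added example (not from the original post or from Fortinet), a small Python check of the addressing plan above: it verifies that the SSL client pool stays clear of the internal network, that the DNS/WINS server sits inside the internal network and inside the split-tunnel destinations, and that the ssl.root static route covers every split-tunnel destination. The sample values are constructed from the post's assumptions; the function and variable names are my own.

```python
import ipaddress
from typing import List

# Constructed sample plan, following the assumptions in the post above.
INTERNAL_NET = "192.168.0.0/255.255.255.0"
SSL_POOL_START, SSL_POOL_END = "192.168.32.1", "192.168.32.254"
DNS_WINS_SERVER = "192.168.0.250"
SPLIT_TUNNEL_DESTS = ["192.168.0.0/255.255.255.0"]   # the SSL_Destinations address
STATIC_ROUTE_DEST = "192.168.0.0/255.255.255.0"      # Router -> Static, device ssl.root


def check_sslvpn_plan(internal: str, pool_start: str, pool_end: str, dns: str,
                      split_dests: List[str], route_dest: str) -> List[str]:
    """Return the problems found in a split-tunnel SSL VPN plan (empty list = OK)."""
    problems: List[str] = []
    try:
        internal_net = ipaddress.ip_network(internal, strict=False)
        start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        dns_ip = ipaddress.ip_address(dns)
        dests = [ipaddress.ip_network(d, strict=False) for d in split_dests]
        route = ipaddress.ip_network(route_dest, strict=False)
    except ValueError as exc:
        # A mistyped octet (e.g. a value above 255) is caught here before any logic runs.
        return [f"unparseable address: {exc}"]
    if end < start:
        return ["client pool end address is before its start address"]
    # Express the client pool as a set of prefixes so overlap checks are exact.
    pool_nets = list(ipaddress.summarize_address_range(start, end))
    if any(n.overlaps(internal_net) for n in pool_nets):
        problems.append("client pool overlaps the internal network (must be different)")
    if dns_ip not in internal_net:
        problems.append("DNS/WINS server is not inside the internal network")
    if not any(dns_ip in d for d in dests):
        problems.append("split-tunnel destinations do not include the DNS/WINS server")
    if any(d.overlaps(n) for d in dests for n in pool_nets):
        problems.append("split-tunnel destinations include the client pool itself")
    if not all(d.subnet_of(route) for d in dests):
        problems.append("static route via ssl.root does not cover every split-tunnel destination")
    return problems


if __name__ == "__main__":
    for p in check_sslvpn_plan(INTERNAL_NET, SSL_POOL_START, SSL_POOL_END,
                               DNS_WINS_SERVER, SPLIT_TUNNEL_DESTS, STATIC_ROUTE_DEST):
        print("PROBLEM:", p)
```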
mbrowndcm
New Contributor III

I'm actually having a funky issue with DNS, and the policy WAN1>ssl.root and the route will probably solve it. Thanks very much! Matt
" …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - [link=http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx]Raymond Chen[/link]
Not applicable

I'm not having any luck going WAN -> ssl.root -> internal 1 but I can get WAN -> internal SSL_VPN working. Is this a big deal? I didn't see it mentioned in the SSLVPN documentation. I'm still getting a split tunnel error after I tried this. Any help would be appreciated.
rwpatterson
Valued Contributor III

Welcome to the forums. The way to configure SSL VPN has all to do with the firmware version you are currently running. After v3 MR5, the 'wanx > internal' path has been changed to 'wanx > ssl.root > internal'. If your firmware version is MR5 or less, then you are configured correctly.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

Thanks for the welcome. I just upgraded to MR7 Patch2 and I'll try reconfiguring it. Thanks.
rwpatterson
Valued Contributor III

You're welcome. Make sure to add the static route back to ssl.root for the SSL VPN IP addresses...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Not applicable

Well, I solved why I couldn't get split tunnel working. On WAN1 I had set to 'Any' and internal4 set to SSL_internal. I created a group called SSL_External with 0.0.0.0/0.0.0.0, then changed the source to SSL_External and the Destination to SSL_Internal, and now it works.
Not applicable

This does not work, it is not accepted by the config: VPN -> SSL -> Config tab Enable SSL VPN Tunnel IP range could be 192.168.32.1-192.168.32.255 ... but make it 0.0.0.0/0.0.0.0. We'll set up the IP range below. So, I put in the range I want for the assignment, and now I can't add a range to the Split Tunnel section... GRRR any ideas?