capricorn80
New Contributor II

SSL VPN with Split tunneling

Hi!

I followed the following steps to create an SSL VPN for a specific group with split tunneling.

1. SSL-VPN Portals

Name: Dev

Tunnel Mode: Enable

Enable Split tunneling

Routing address: Development-Servers

Source IP: SSL-VPN-IP-Range

SSL Portal settings:

All the normal settings

Authentication/Portal mapping:

Users/group: DeveloplmentGroup

Realm: /Dev

Portal: Dev

Then I created the policy:

SSL VPN to Dev-servers

Incoming interface: SSL-VPN tunnel interface (ssl.root)

Outgoing interface: LAN

Source: SSL-VPN-IP-Range, DeveloplmentGroup

Service: ALL

NAT: Disabled.

So as per the rule I need to create a rule for the SSL VPN range policy going to the internet.

Name: Dev vpn to internet

Incoming interface: ssl.root

Outgoing interface: wan1

Source: Development-Servers,
          Group: DeveloplmentGroup

Destination: ALL

Service: ALL

Then I get the error:

Failed to save some changes: Destination address of split tunneling policy is invalid.

My VPN still works even if I don't have this rule. One reason can be that I allow all traffic from inside to the internet, as I will create filter rules since this is a new firewall. Second, I have another VPN with no split tunneling, but it doesn't contain the group DeveloplmentGroup.

Pretty confused. Thanks if someone can help with this.

 

Toshi_Esumi
SuperUser

At the last policy, the source address "Development-Servers" is not on incoming interface "ssl.root". You need to have two separate policies for SSL VPN clients' and Development-Servers' internet paths.

capricorn80

Ok, let me double check this.

What about this?

This is from the SSL VPN guide and I am getting a similar error:

Do not use ALL as the destination address. If you do, you will see the “Destination address of Split Tunneling policy is invalid” error when you enable Split Tunneling.

If I have split tunneling ON, then from the ssl.root interface to WAN1 I cannot use ALL in the destination.

How is it possible, because I don't know the internet destinations for users connecting to it?

capricorn80

@Toshi!

My SSL VPN is working fine. I just checked with the user account I created for this setup and I can go out to the internet directly and can ping and RDP to the servers in Development-Servers.

I am not sure why I need more rules for Development to go out to the internet. These servers are sitting inside the LAN.

 

If I understood correctly for SSL VPN you create two rules.

1. SSL.root to Inside

2. SSL.root to Internet

 

Thanks.

capricorn80

I may understand some part of it.

Failed to save some changes: Destination address of split tunneling policy is invalid.

This is happening because I am using the same IP pool range which is already in use by the SSL VPN without split tunneling on.

So if I use a different VPN IP pool in the portal settings, then I can create an access rule to the internet with destination ALL.

So my second confusion was/is that although I am not creating any rule for SSL VPN to outside when split tunneling is on, the traffic can still go to the internet. The reason for this can be that I am allowing all traffic from inside to outside.

So that means that although username/password is not used in the rule, it still works with the rule saying all traffic from inside is allowed to go outside.

 

 

ede_pfau

Methinks there is a conceptual misunderstanding here.

"Split tunneling", if enabled, changes the routing on the client side. It allows the client to send internet-bound traffic (that with destination addresses NOT belonging to the protected private subnet behind the FGT) to the local gateway. If split tunneling is disabled, ALL traffic will be routed through the tunnel to the remote FGT.

And only in this case do you need an additional policy from the SSL tunnel interface to WAN to allow internet access.

The warning you cited from the Handbook is about the primary policy which is always needed, the one from the SSL interface to the protected subnet (e.g., LAN). Here, you cannot use 'ALL' as the destination address. Quite reasonable, right?

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
capricorn80

Agree. In split tunneling only the traffic for the Routing addresses is encrypted. Totally forgot that, but the fresh morning air restored that point :).

The "ALL" only works if you use a different pool of addresses for your VPN. As I mentioned in my previous post, I am able to use ALL with a different pool of addresses.

ede_pfau

...but you don't have to - as you use split tunneling, you don't need to have a policy from SSLVPN to WAN. Instead, your clients use their "local breakouts". Or do I get the policy wrong?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
capricorn80

I don't have a policy for WAN as the traffic flows directly.

I was talking about LAN. I was trying to create one for WAN but I don't need to.

You wrote about this:

The warning you cited from the Handbook is about the primary policy which is always needed, the one from the SSL interface to the protected subnet (e.g., LAN). Here, you cannot use 'ALL' as the destination address. Quite reasonable, right?

You can have ALL in the destination address. There is no issue with that.
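For reference, the setup the thread converges on (split-tunnel portal plus a single ssl.root-to-LAN policy with a specific destination, no ssl.root-to-wan1 policy), written out as a FortiOS CLI script. This is an added example and not the poster's own configuration: the object, group and interface names are the ones used in the posts, the address values and the authentication-rule ID are constructed placeholders, and the realm mapping is left out.

```fortios
# Added example, not the poster's config. Names are from the thread; address values are constructed.
config firewall address
    edit "Development-Servers"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "SSL-VPN-IP-Range"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
# Portal: tunnel mode + split tunneling; only the Development-Servers route is pushed,
# so internet-bound traffic uses the client's local gateway (no ssl.root -> wan1 policy).
config vpn ssl web portal
    edit "Dev"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Development-Servers"
        set ip-pools "SSL-VPN-IP-Range"
    next
end
# Authentication/portal mapping for the group (realm omitted)
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "DeveloplmentGroup"
            set portal "Dev"
        next
    end
end
# The one policy the split-tunnel portal needs: ssl.root -> LAN with a specific
# destination. "all" as dstaddr here is what raises "Destination address of split
# tunneling policy is invalid".
config firewall policy
    edit 0
        set name "SSL VPN to Dev-servers"
        set srcintf "ssl.root"
        set dstintf "LAN"
        set srcaddr "SSL-VPN-IP-Range"
        set dstaddr "Development-Servers"
        set groups "DeveloplmentGroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Because the group is on the policy, a client that authenticates via a different portal or group does not match it, which is the check a reviewer would want when several portals share one FortiGate.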
