wcbenyip
New Contributor III

SSLVPN question:Internal traffic & Internet traffic

It's proven that the SSL VPN tunnel cannot allow you to access Internet resources using your own Internet connection unless you uncheck the option to use the gateway on the VPN end in your FortiSSL virtual adapter. Once you have unchecked the option, only the traffic to the destination subnets is forced to use the SSL VPN tunnel; the rest of the normal Internet traffic is forwarded to your local Internet connection.

-------------------------------------------------------------------------------------------------

The above scenario assumes the SSL VPN client is assigned an IP range on the same subnet as the destination network. Now I would like to set another dedicated subnet for the SSL VPN clients to access the company resources. A secondary IP in that subnet has been created on the internal interface (port1), but I found that there is an issue:

1/ If I keep the option to use the remote gateway on the VPN end unchecked, I cannot access the company subnets, but I am able to access the Internet~
2/ If I check the option to use the remote gateway on the VPN end, then I can access the internal subnets, but cannot access the Internet~

Any idea?
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Not applicable

Unfortunately, split tunnel only works if the IP addresses assigned to SSL VPN users are within the internal network range.
wcbenyip
New Contributor III

Now, I have set a firewall policy (port2-port2) to allow the SSL VPN clients to access the Internet via the company Internet connection. The SSL VPN clients remain on a subnet other than the office one.
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Not applicable

Eric, I have split tunneling working fine using a subnet range that is not within my internal subnet range. I am using 192.168.0.0 for the internal range and 10.0.0.50-100 for the SSL VPN range. I do not have the "use remote gateway" option selected in the FortiSSL adapter, and I do have the tunneling option checked within the FortiGate. FWIW, I am also running a remote client IPsec VPN on the range of 10.0.0.2-49, but I wouldn't think this would have any effect. So far, file shares and RDP sessions to my Windows 2003 server work fine over the SSL VPN; however, I have not been able to ping out from the server and reach the SSL VPN clients. Is this by design, or do I need to do something else? Oh, FG60 running MR2, build 316.
Not applicable

I am having a slightly different problem. I am using the SSL tunneling protocol and get logged in fine. I am on a different subnet than my LAN (LAN 10.111.215.0) (SSL 10.111.230.1-10). The tunnel builds just fine and I can see all of my servers within my LAN; however, I am unable to browse out to the Internet. It seems like a firewall issue, but I have tried source all and destination all (0.0.0.0) and still cannot get out to the Internet. I do not want to have a split tunnel, as I want to encrypt all of my Internet traffic when I am on a suspect wireless network, but I am just not able to get it to browse out to the net. I have checked the FortiSSL adapter and "use remote gateway" is checked. Are there any other ideas out there as to why I am not able to browse? Thanks. PLN
wcbenyip
New Contributor III

Thx all of you. Please let me conclude what we have tried and what worked:

1/ The split tunnel does NOT only work for the same subnet; if your SSL VPN clients are assigned another subnet other than your office one, it also works~
2/ If you want to REDIRECT ALL TRAFFIC from your SSL VPN clients to your company network and let the Internet traffic go through your company's Internet connection, you need to leave the "use remote gateway..." option at its default (checked) on your FortiSSL adapter, and then create a dedicated port2-to-port2 (wan-to-wan) firewall policy to allow the SSL VPN subnets (hosts) to access the Internet.
3/ If you assign another subnet for your SSL VPN clients other than your office internal subnet(s), it's NOT necessary to set the secondary IP on your FG box's internal interface~
4/ Even in v3.0 MR1, where there is no split tunnel mode, you can still split the normal Internet traffic (using your local Internet connection) and the SSL VPN encrypted traffic to your office internal networks (via the SSL VPN tunnel). Just uncheck the option "use remote gateway..." on your SSL VPN adapter.

Pnelson: Please refer to point 2 above in your case; it should work for you!
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
Not applicable

I must be doing something wrong trying to get Internet traffic to flow through the FortiGate box that I have an SSL connection to. I have created the external-to-external firewall rule as suggested. I have checked "use remote gateway" in the FortiSSL adapter. My settings in the FW rule are:

Source interface: external
Source address: ssl_vpn (this is the address block of the subnet that carries the SSL clients)
Destination interface: external
Destination address: all
Schedule: always
Service: any
Action: ssl_vpn
Cipher strength: medium
User auth: local
Allowed group: sll_vpn (this group is my SSL group in addresses)
NAT is turned on

Am I missing something? Thanks.
Not applicable

Unless something has changed in MR2... To do a split tunnel you need to uncheck "use remote gateway" on the Fortinet adapter. Log into the SSL-VPN and then add a static route on your PC.

Example:
Internal FG network: 192.168.1.0/24
SSL-VPN assigned IP range: 192.168.32.0/24
SSL-VPN client's IP address: 10.0.0.0

Unchecking the "Use remote gateway" box will allow you to connect to the SSL-VPN and use your local Internet. You won't be able to access anything on the VPN network. Open a command prompt and type in:

"route add 192.168.1.0 mask 255.255.255.0 <your SSL-VPN adapter IP (10.0.0.1)>"

Split tunnel now works fine.
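To make the routing behaviour discussed in this thread concrete, here is an added example (not code from the forum thread or from Fortinet) that models the client's routing table and resolves destinations by longest-prefix match, as a Windows host would. It reproduces the four situations covered above: "use remote gateway" checked (everything via the tunnel), unchecked with the VPN pool inside the internal subnet (split works), unchecked with a separate pool (internal hosts unreachable), and the same plus the manual "route add" from the post above (split works again). The 192.168.1.0/24 internal network and the 10.0.0.1 adapter IP come from the post; the local LAN 192.168.0.0/24, the test hosts, the metrics and the interface labels are constructed assumptions.

```python
"""Route-table model of the FortiSSL "use remote gateway" checkbox and of a
manual static route on the client.

Added example, not code from the forum thread or from Fortinet. It builds a
simplified client routing table and picks the egress interface by
longest-prefix match, ties broken by metric, using the standard ipaddress
module. 192.168.1.0/24 (FG internal network) and 10.0.0.1 (adapter IP) are
from the post; everything else below is a constructed assumption.
"""
import ipaddress

LOCAL = "local-nic"   # constructed label: the physical adapter
TUNNEL = "fortissl"   # constructed label: the SSL VPN virtual adapter

DEFAULT = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # FG internal network (from the post)
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")      # constructed: hotspot/home LAN
INTERNAL_HOST = "192.168.1.10"                          # constructed host behind the FG
INTERNET_HOST = "203.0.113.5"                           # constructed public host (TEST-NET-3)


def build_routes(use_remote_gateway, vpn_pool, static_routes=()):
    """Return the client's routing table as (network, interface, metric) tuples.

    use_remote_gateway: state of the adapter checkbox. Checked adds a default
        route through the tunnel with a better metric than the local default
        (the metric values are constructed); unchecked leaves only the
        tunnel's connected subnet.
    vpn_pool: the subnet the SSL VPN pool address belongs to.
    static_routes: extra (network, interface) pairs, e.g. the manual
        'route add' from the post.
    """
    routes = [
        (DEFAULT, LOCAL, 20),       # local default route via the hotspot/home gateway
        (LOCAL_LAN, LOCAL, 1),      # connected local LAN
        (vpn_pool, TUNNEL, 1),      # connected VPN subnet (the adapter's own network)
    ]
    if use_remote_gateway:
        routes.append((DEFAULT, TUNNEL, 10))   # tunnel default route wins on metric
    routes.extend((net, iface, 1) for net, iface in static_routes)
    return routes


def lookup(routes, dst):
    """Pick the egress interface: longest prefix first, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    _net, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface


def scenario(use_remote_gateway, vpn_pool, static_routes=()):
    """Egress interface for one internal host and one Internet host."""
    routes = build_routes(use_remote_gateway, ipaddress.ip_network(vpn_pool), static_routes)
    return {
        "internal": lookup(routes, INTERNAL_HOST),
        "internet": lookup(routes, INTERNET_HOST),
    }


# The static route from the post: route add 192.168.1.0 mask 255.255.255.0 <adapter IP>
ROUTE_ADD = ((INTERNAL_NET, TUNNEL),)

if __name__ == "__main__":
    cases = [
        ("checked, pool 10.0.0.0/24", scenario(True, "10.0.0.0/24")),
        ("unchecked, pool inside 192.168.1.0/24", scenario(False, "192.168.1.0/24")),
        ("unchecked, pool 10.0.0.0/24", scenario(False, "10.0.0.0/24")),
        ("unchecked, pool 10.0.0.0/24 + route add", scenario(False, "10.0.0.0/24", ROUTE_ADD)),
    ]
    for name, result in cases:
        print(f"{name:42} internal -> {result['internal']:9} internet -> {result['internet']}")
```

The third case is exactly the symptom in the opening post (separate pool, checkbox unchecked, internal subnets unreachable): with no route covering 192.168.1.0/24, the client's own default route sends that traffic out the local NIC. The static route gives the tunnel a more specific match for the internal network only, which is what a split tunnel amounts to on the client side.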
Not applicable

I am not trying to use a split tunnel. I want all traffic to flow through my router at my house when I am roaming on strange wireless networks. I can build the SSL tunnel just fine and can browse servers at my house; I just cannot get the path back out to the net to work. I am sure that it is a FW rule issue, I just can't seem to get that path built correctly. Thanks.
wcbenyip
New Contributor III

mwehnes: thanks for your indication~ But I am just talking about MR1, and don't you think it's quite troublesome for the end users if we need them to add an individual static route on their own PC each time? Besides, as pnelson said, in some cases we want ALL of the traffic going through the FG box on the remote site instead of allowing the normal Internet traffic through the local connection.

PNelson: your setting should be OK.... I forgot whether this is true... but I tried the same way with user auth. like in your case, and found out that User Auth. under the SSL VPN tunnel doesn't work!! So you may try to disable the user auth. first and attempt to connect to the Internet; I think it should work now~ Good Luck!
Protect yourself~ http://www.secunia.com MBCS CEH FCNSA