Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Holy
Contributor

VDOM 1 over root SSL VPN

hello everybody, i do some vdom testing in our company lab and i have one problem. I have 2 Vdom´s Root and VDOM1 they have a Vlink1 with no ip (0.0.0.0) the WAN and Internal Interfaces are in root Vdom. On the Internal interface i created a sub interface (Vlan77) for my Vdom to be able to access our lab Lan. i created static routes for LAN, and WAN (my Wan static root looks like 0.0.0.0 over vlink1) i created a Win7 VM Maschine and put it in Vlan77. I Also created the firewall policies properli, so now i am able to connect clients on my lan and i have access to the Internet. But i dont realy understand how to configure now the SSL VPN for my Vdom? Virtual interface on root mapping to my vlink1 doesnt work properly... any ideas? thank you in advance

NSE 8 

NSE 1 - 7

 

NSE 8 NSE 1 - 7
7 REPLIES 7
Istvan_Takacs_FTNT

root VDOM: 1. SSL VPN policy to allow SSL VPN access to the firewall for user/group: from WAN to vlink from all to VLAN identity-based-policy: user/group name service ssl-vpn portal 2. Firewall policy to enable access to VLAN from ssl.root from ssl.root to vlink source all dst VLAN subnet service all/x VLAN vdom: 1. enable access from the other side of the vlink from vlink to VLAN src all dst VLAN subnet service all/x That should do it. As you said, you have static routes in place to point at the vlink in root VDOM to the VLAN and vice versa from VLAN vdom to root for SSL VPN subnet. Run diagnose sniffer packet any ' host VLAN IP' in root VDOM when you VPN in and ping the VLAN address. You can do the same in the VLAN vDOM to see the packet flow. ' diagnose debug flow' to check that no policy is blocking the access.
Holy

Hi, thank you that sounds good. i will try it tommorow. but what about the IP adress it should acces from the Internet? should i pick a spezific Port number for my Vdom1 ? because root Vdom allready has a VPN SSL

NSE 8 

NSE 1 - 7

 

NSE 8 NSE 1 - 7
Holy

hmmm... the problem is.. i have only 1 public IP Adress. so i must use the Virtual IP on the root Vdom. but there i need my public Adress with a port the SSL VPN will connect to and an IP that will be mapped in my VDOM1. But my Vlink1 has an ip of 0.0.0.0 ... how can i solve this problem? if the Vlink1 had an private IP like 192.168.2.1 i could easely map it. but my vlink1 has no ip....

NSE 8 

NSE 1 - 7

 

NSE 8 NSE 1 - 7
Istvan_Takacs_FTNT

Not sure if I understand it correctly, but what I think you have is this: Public IP - [root vDom] - unnumbered vDom link (root.vlink0) ---- unnumbered vDom link (root.vlink1) - [test vDom] -- private IP on VLANx What I suggested would work with this configuration. 2 policies on root vDom to enable SSL VPN in and than to enable traffic going to the vDom link from ssl.root. 1 policy in test vDom to enable traffic coming in from vDom link to LAN. You need static routes in root.vDom to lan subnet pointing at the vDom link (root.vlink0) And another static root in test vDom pointing at the SSL VPN subnet range via the vDom link (root.vlink1). If you configured it correctly the SSL VPN user as the minimum should be able to ping the firewall LAN IP address via the 2 vDoms. SSL VPN configuration only reguired on the vDOM (root in your case) where you configured the public IP so they can connect to it remotely. VDOM links don' t need to have IPs configured. Have a look at the documentation about the benefit to have/not to have IPs on them.
Holy

i allready set all the policies and routes right. the Problem is. right now u can accsess the SSL VPN root Vdom over a public ip adress 143.33.22.10:4443 (only an example adress) now i want to have SSL VPN Adress over 143.33.22.10:4444 (for example) so actualy i have to use the Virtual IP on root vdomm and mapp the 143.33.22.10:4443 to my Vdom1 over vlink. but i cant, because i have to enter an IP Adress for mapping public > private. I cant choose an Interface. So the only way to do it , is to give the vlink´s IP Adresses? you know what i mean?

NSE 8 

NSE 1 - 7

 

NSE 8 NSE 1 - 7
bcallan
New Contributor II

I know this is pretty old, but it took some digging and experimentation to figure this out for my situation, where I wanted each Tenant VDOM to retain control over SSLVPN authentication/settings, so I wanted to leave some crumbs for the next person. Here's what worked for me on FG200D with NAT root VDOM and multiple NAT tenant VDOMs. 1 - Create VDOM link between root and tenant VDOM with IP on each end (e.g. - root=10.10.10.9/30, tenant=10.10.10.10/30). 2 - Create VIP in root for external interface/IP mapped to tenant VLink IP (I also port-forwarded SSLVPN port). 3 - Create policy in root to permit from external interface to VLink interface, from All to VIP object, service=SSLVPN port, with NAT. You do lose visibility of client source address doing this, but that was acceptable for me. Alternatively you can disable NAT, but then you have to create a route to get back to the un-NAT'd source via the root VLink IP in the tenant VDOM, which could be troublesome if you have already have default routes going somewhere else; policy routes might help. 4 - Configure tenant SSLVPN portals and settings as desired, make sure to add tenant VLink interface to "Listen on Interfaces:" list or use "Any". In my case, I wanted to use only one external IP for all tenant SSLVPN portals, so each tenant has a unique SSLVPN listening port, and each VIP and policy in the root VDOM reflects that.
emnoc
Esteemed Contributor III

We have the same setup but a different approach

 

1: we have a sslvpn listener in  each tennant  & on the  intervdom link ( we route the public over this "wan link" )

 

2: fwpolicies that allow root vdim to that sslvpn listener

 

3: port 443 is used since each  public is a unique address within that vdom

 

4: a ldap-auth server for that vdom

 

5: a user local/group for that vdom

 

6: obviously  correct sslvpn policies per-vdom

 

The vip approach would  work just fine also and you can move all  vips at  wan1 ( for example ) of vdm-root and chew up a ipv4-address at the root-vdom.

 

In each case "root" vdom is the controlling factor   6 or half-dozen  but the same outcome. fwpolicies sessions are in all vdoms that are applicable

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors