Fortinet white logo
Fortinet white logo

Administration Guide

FortiGate as SSL VPN Client

FortiGate as SSL VPN Client

The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. When an SSL VPN client connection is established, the client dynamically adds a route to the subnets that are returned by the SSL VPN server. Policies can be defined to allow users that are behind the client to be tunneled through SSL VPN to destinations on the SSL VPN server.

FortiOS can be configured as an SSL VPN server that allows IP-level connectivity in tunnel mode, and can act as an SSL VPN client that uses the protocol used by the FortiOS SSL VPN server. This allows hub-and-spoke topologies to be configured with FortiGates as both the SSL VPN hub and spokes.

For an IP-level VPN between a device and a VPN server, this can be useful to avoid issues caused by intermediate devices, such as:

  • ESP packets being blocked.

  • UDP ports 500 or 4500 being blocked.

  • Fragments being dropped, causing IKE negotiation that uses large certificates to fail if the peer does not support IKE fragmentation.

If the client specified destination is all, a default route is effectively dynamically created on the SSL VPN client, and the new default route is added to the existing default route in the form of ECMP. Some examples how to configure routing are:

  • To make all traffic default to the SSL VPN server and still have a route to the server's listening interface, on the SSL VPN client set a lower distance for the default route that is learned from the server.

  • To include both default routes in the routing table, with the route learned from the SSL VPN server taking priority, on the SSL VPN client set a lower distance for the route learned from the server. If the distance is already zero, then increase the priority on the default route.

  • To avoid a default being learned on the SSL VPN client, on the SSL VPN server define a specific destination.

Example

In this example, the home FortiGate (FGT-A) is configured as an SSL VPN client, and the company FortiGate (FGT-B) is configured as an SSL VPN server. After FGT-A connects to FGT-B, the devices that are connected to FGT-A can access the resources behind FGT-B.

The SSL VPN server has a custom server certificate defined, and the SSL VPN client user uses PSK and a PKI client certificate to authenticate. The FortiGates must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.

Split tunneling is used so that only the destination addresses defined in the server's firewall policies are routed to the server, and all other traffic is connected directly to the internet.

Configure the SSL VPN server

To create a local user in the GUI:
  1. Go to User & Authentication > User Definition and click Create New.

  2. Use the wizard to create a local user named client2.

To create a PKI user in the GUI:
Note

The PKI menu is only available in the GUI after a PKI user has been created using the CLI, and a CN can only be configured in the CLI.

  1. Go to User & Authentication > PKI and click Create New.

  2. Set the Name to pki.

  3. Set CA to the CA certificate that is used to verify the client certificate.

  4. Click OK.

  5. In the CLI, specify the CN that must be matched. If no CN is specified, then any certificate that is signed by the CA will be valid and matched.

    config user peer
        edit "pki"
            set cn "*.fos.automation.com"
        next
    end
To create an SSL VPN portal in the GUI:
  1. Go to VPN > SSL-VPN Portals and click Create New.

  2. Set the Name to testportal2.

  3. Set Enable Split Tunneling to Enabled Based on Policy Destination.

  4. Set Source IP Pools to SSLVPN_TUNNEL_ADDR1.

  5. Click OK.

To configure SSL VPN settings in the GUI:
  1. Go to VPN > SSL-VPN Settings.

  2. Set Server Certificate to fgt_gui_automation.

  3. In the Authentication/Portal Mapping table click Create New:

    1. Set Users/Groups to client2.

    2. Set Portal to testportal2.

    3. Click OK.

  4. Click OK.

  5. In the CLI, enable SSL VPN client certificate restrictive and set the user peer to pki:

    config vpn ssl settings
        config authentication-rule
            edit 1
                set client-cert enable
                set user-peer "pki"
            next
        end
    end
To create a firewall address in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.

  2. Set the Name to bing.com.

  3. Set Type to FQDN.

  4. Set FQDN to www.bing.com.

  5. Click OK.

To create a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the policy:

    Name

    sslvpn2

    Incoming Interface

    SSL-VPN tunnel interface (ssl.root)

    Outgoing Interface

    port1

    Source

    Address: all

    User: client2

    Destination

    bing.com: This FQDN resolves to 13.107.21.200 and 204.79.197.200. Traffic to these addresses is directed to the SSL VPN, while other traffic is routed to the remote devices' default adapters or interfaces.

    mantis

    Schedule

    always

    Service

    ALL

    Action

    Accept

  3. Click OK.

To configure the SSL VPN server (FGT-B) in the CLI:
  1. Create a local user:

    config user local
        edit "client2"
            set passwd **********
        next
    end
  2. Create a PKI user:
    config user peer
        edit "pki"
            set ca "CA_Cert_3"
            set cn "*.fos.automation.com"
        next
    end
  3. Create a new SSL VPN portal:

    config vpn ssl web portal
        edit "testportal2"
            set tunnel-mode enable
            set ipv6-tunnel-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
            set split-tunneling enable
            set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
            set ipv6-split-tunneling enable
            ....
        next
    end
  4. Configure SSL VPN settings, including the authentication rule for user mapping:

    config vpn ssl settings
        set ssl-min-proto-ver tls1-1
        set servercert "fgt_gui_automation"
        set auth-timeout 0
        set login-attempt-limit 10
        set login-timeout 180
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set dns-suffix "sslvpn.com"
        set port 1443
        set source-interface "port2"
        set source-address "all"
        set source-address6 "all"
        set default-portal "testportal1"
        config authentication-rule
            edit 1
                set users "client2"
                set portal "testportal2"
                set client-cert enable
                set user-peer "pki"
            next
        end
    end
  5. Create a firewall address and policy. The destination addresses used in the policy are routed to the SSL VPN server.

    config firewall address
        edit "bing.com"
            set type fqdn
            set fqdn "www.bing.com"
        next
    end
    config firewall policy
        edit 2
            set name "sslvpn2"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "mantis" "bing.com"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
            set users "client2"
        next
    end

Configure the SSL VPN client

To create a PKI user in the GUI:
Note

The PKI menu is only available in the GUI after a PKI user has been created using the CLI, and a CN can only be configured in the CLI.

  1. Go to User & Authentication > PKI and click Create New.

  2. Set the Name to fgt_gui_automation.

  3. Set CA to the CA certificate. The CA certificate allows the FortiGate to complete the certificate chain and verify the server 's certificate, and is assumed to already be installed on the FortiGate.

  4. Click OK.

  5. In the CLI, specify the CN of the certificate on the SSL VPN server:

    config user peer
        edit "fgt_gui_automation"
            set cn "*.fos.automation.com"
        next
    end
To create an SSL VPN client and virtual interface in the GUI:
  1. Go to VPN > SSL-VPN Clients and click Create New.

  2. Expand the Interface drop down and click Create to create a new virtual interface:

    1. Set the Name to sslclient_port1.

    2. Set Interface to port1.

    3. Under Administrative Access, select HTTPS and PING.

    4. Click OK.

  3. Configure the SSL VPN client:

    Name

    sslclientTo9

    Interface

    sslclient_port1

    Server

    172.16.200.9

    Port

    1443

    Username

    client2

    Pre-shared Key

    **********

    Client Certificate

    fgtb_gui_automation

    This is the local certificate that is used to identify this client, and is assumed to already be installed on the FortiGate. The SSL VPN server requires it for authentication.

    Peer

    fgt_gui_automation

    Administrative Distance

    Configure as needed.

    Priority

    Configure as needed.

    Status

    Enabled

  4. Click OK.

To create a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the policy:

    Name

    policy_to_sslvpn_tunnel

    Incoming Interface

    port2

    Outgoing Interface

    sslclient_port1

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    Accept

  3. Click OK.

To configure the SSL VPN client (FGT-A) in the CLI:
  1. Create the PKI user. Use the CA that signed the certificate fgt_gui_automation, and the CN of that certificate on the SSL VPN server.

    config user peer
        edit "fgt_gui_automation"
            set ca "GUI_CA"
            set cn "*.fos.automation.com"
        next
    end
  2. Create the SSL interface that is used for the SSL VPN connection:

    config system interface
        edit "sslclient_port1"
            set vdom "vdom1"
            set allowaccess ping https
            set type ssl
            set role lan
            set snmp-index 46
            set interface "port1"
        next
    end
  3. Create the SSL VPN client to use the PKI user and the client certificate fgtb_gui_automation:

    config vpn ssl client
        edit "sslclientTo9"
            set interface "sslclient_port1"
            set user "client2"
            set psk 123456
            set peer "fgt_gui_automation"
            set server "172.16.200.9"
            set port 1443
            set certificate "fgtb_gui_automation"
        next
    end
  4. Create a firewall policy:

    config firewall policy
        edit 1
            set name "policy_to_sslvpn_tunnel"
            set srcintf "port2"
            set dstintf "sslclient_port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

Verification

After the tunnel is established, the route to 13.107.21.200 and 204.79.197.200 on FGT-A connects through the SSL VPN virtual interface sslclient_port1.

To check the routing table details:
(vdom1) # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.200.254, port1
C       10.0.1.0/24 is directly connected, link_11
C       10.1.100.0/24 is directly connected, port2
                      is directly connected, port2
C       10.212.134.200/32 is directly connected, sslclient_port1
S       13.107.21.200/32 [10/0] is directly connected, sslclient_port1
C       172.16.200.0/24 is directly connected, port1
S       192.168.100.126/32 [10/0] is directly connected, sslclient_port1
S       204.79.197.200/32 [10/0] is directly connected, sslclient_port1
To check the added routing for an IPv6 tunnel:
(vdom1) # get router info6 routing-table database
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, B - BGP
       > - selected route, * - FIB route, p - stale info
Timers: Uptime

S    *> ::/0 [10/0] via 2000:172:16:200::254, port1, 00:00:01, [1024/0]
     *>      [10/0] via ::, sslclient_port1, 00:00:01, [1024/0]
C    *> ::1/128 via ::, vdom1, 03:26:35
C    *> 2000:10:0:1::/64 via ::, link_11, 03:26:35
C    *> 2000:10:1:100::/64 via ::, port2, 03:26:35
C    *> 2000:172:16:200::/64 via ::, port1, 03:26:35
C    *> 2001:1::1:100/128 via ::, sslclient_port1, 00:00:01
C    *> fe80::/64 via ::, port2, 03:26:35
To check the connection in the GUI:
  1. On the SSL VPN server FortiGate (FGT-B), go to Dashboard > Network and expand the SSL-VPN widget.

  2. On the SSL VPN client FortiGate (FGT-A), go to VPN > SSL-VPN Clients to see the tunnel list.

FortiGate as SSL VPN Client

FortiGate as SSL VPN Client

The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. When an SSL VPN client connection is established, the client dynamically adds a route to the subnets that are returned by the SSL VPN server. Policies can be defined to allow users that are behind the client to be tunneled through SSL VPN to destinations on the SSL VPN server.

FortiOS can be configured as an SSL VPN server that allows IP-level connectivity in tunnel mode, and can act as an SSL VPN client that uses the protocol used by the FortiOS SSL VPN server. This allows hub-and-spoke topologies to be configured with FortiGates as both the SSL VPN hub and spokes.

For an IP-level VPN between a device and a VPN server, this can be useful to avoid issues caused by intermediate devices, such as:

  • ESP packets being blocked.

  • UDP ports 500 or 4500 being blocked.

  • Fragments being dropped, causing IKE negotiation that uses large certificates to fail if the peer does not support IKE fragmentation.

If the client specified destination is all, a default route is effectively dynamically created on the SSL VPN client, and the new default route is added to the existing default route in the form of ECMP. Some examples how to configure routing are:

  • To make all traffic default to the SSL VPN server and still have a route to the server's listening interface, on the SSL VPN client set a lower distance for the default route that is learned from the server.

  • To include both default routes in the routing table, with the route learned from the SSL VPN server taking priority, on the SSL VPN client set a lower distance for the route learned from the server. If the distance is already zero, then increase the priority on the default route.

  • To avoid a default being learned on the SSL VPN client, on the SSL VPN server define a specific destination.

Example

In this example, the home FortiGate (FGT-A) is configured as an SSL VPN client, and the company FortiGate (FGT-B) is configured as an SSL VPN server. After FGT-A connects to FGT-B, the devices that are connected to FGT-A can access the resources behind FGT-B.

The SSL VPN server has a custom server certificate defined, and the SSL VPN client user uses PSK and a PKI client certificate to authenticate. The FortiGates must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.

Split tunneling is used so that only the destination addresses defined in the server's firewall policies are routed to the server, and all other traffic is connected directly to the internet.

Configure the SSL VPN server

To create a local user in the GUI:
  1. Go to User & Authentication > User Definition and click Create New.

  2. Use the wizard to create a local user named client2.

To create a PKI user in the GUI:
Note

The PKI menu is only available in the GUI after a PKI user has been created using the CLI, and a CN can only be configured in the CLI.

  1. Go to User & Authentication > PKI and click Create New.

  2. Set the Name to pki.

  3. Set CA to the CA certificate that is used to verify the client certificate.

  4. Click OK.

  5. In the CLI, specify the CN that must be matched. If no CN is specified, then any certificate that is signed by the CA will be valid and matched.

    config user peer
        edit "pki"
            set cn "*.fos.automation.com"
        next
    end
To create an SSL VPN portal in the GUI:
  1. Go to VPN > SSL-VPN Portals and click Create New.

  2. Set the Name to testportal2.

  3. Set Enable Split Tunneling to Enabled Based on Policy Destination.

  4. Set Source IP Pools to SSLVPN_TUNNEL_ADDR1.

  5. Click OK.

To configure SSL VPN settings in the GUI:
  1. Go to VPN > SSL-VPN Settings.

  2. Set Server Certificate to fgt_gui_automation.

  3. In the Authentication/Portal Mapping table click Create New:

    1. Set Users/Groups to client2.

    2. Set Portal to testportal2.

    3. Click OK.

  4. Click OK.

  5. In the CLI, enable SSL VPN client certificate restrictive and set the user peer to pki:

    config vpn ssl settings
        config authentication-rule
            edit 1
                set client-cert enable
                set user-peer "pki"
            next
        end
    end
To create a firewall address in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.

  2. Set the Name to bing.com.

  3. Set Type to FQDN.

  4. Set FQDN to www.bing.com.

  5. Click OK.

To create a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the policy:

    Name

    sslvpn2

    Incoming Interface

    SSL-VPN tunnel interface (ssl.root)

    Outgoing Interface

    port1

    Source

    Address: all

    User: client2

    Destination

    bing.com: This FQDN resolves to 13.107.21.200 and 204.79.197.200. Traffic to these addresses is directed to the SSL VPN, while other traffic is routed to the remote devices' default adapters or interfaces.

    mantis

    Schedule

    always

    Service

    ALL

    Action

    Accept

  3. Click OK.

To configure the SSL VPN server (FGT-B) in the CLI:
  1. Create a local user:

    config user local
        edit "client2"
            set passwd **********
        next
    end
  2. Create a PKI user:
    config user peer
        edit "pki"
            set ca "CA_Cert_3"
            set cn "*.fos.automation.com"
        next
    end
  3. Create a new SSL VPN portal:

    config vpn ssl web portal
        edit "testportal2"
            set tunnel-mode enable
            set ipv6-tunnel-mode enable
            set ip-pools "SSLVPN_TUNNEL_ADDR1"
            set split-tunneling enable
            set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
            set ipv6-split-tunneling enable
            ....
        next
    end
  4. Configure SSL VPN settings, including the authentication rule for user mapping:

    config vpn ssl settings
        set ssl-min-proto-ver tls1-1
        set servercert "fgt_gui_automation"
        set auth-timeout 0
        set login-attempt-limit 10
        set login-timeout 180
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        set dns-suffix "sslvpn.com"
        set port 1443
        set source-interface "port2"
        set source-address "all"
        set source-address6 "all"
        set default-portal "testportal1"
        config authentication-rule
            edit 1
                set users "client2"
                set portal "testportal2"
                set client-cert enable
                set user-peer "pki"
            next
        end
    end
  5. Create a firewall address and policy. The destination addresses used in the policy are routed to the SSL VPN server.

    config firewall address
        edit "bing.com"
            set type fqdn
            set fqdn "www.bing.com"
        next
    end
    config firewall policy
        edit 2
            set name "sslvpn2"
            set srcintf "ssl.root"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "mantis" "bing.com"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
            set users "client2"
        next
    end

Configure the SSL VPN client

To create a PKI user in the GUI:
Note

The PKI menu is only available in the GUI after a PKI user has been created using the CLI, and a CN can only be configured in the CLI.

  1. Go to User & Authentication > PKI and click Create New.

  2. Set the Name to fgt_gui_automation.

  3. Set CA to the CA certificate. The CA certificate allows the FortiGate to complete the certificate chain and verify the server 's certificate, and is assumed to already be installed on the FortiGate.

  4. Click OK.

  5. In the CLI, specify the CN of the certificate on the SSL VPN server:

    config user peer
        edit "fgt_gui_automation"
            set cn "*.fos.automation.com"
        next
    end
To create an SSL VPN client and virtual interface in the GUI:
  1. Go to VPN > SSL-VPN Clients and click Create New.

  2. Expand the Interface drop down and click Create to create a new virtual interface:

    1. Set the Name to sslclient_port1.

    2. Set Interface to port1.

    3. Under Administrative Access, select HTTPS and PING.

    4. Click OK.

  3. Configure the SSL VPN client:

    Name

    sslclientTo9

    Interface

    sslclient_port1

    Server

    172.16.200.9

    Port

    1443

    Username

    client2

    Pre-shared Key

    **********

    Client Certificate

    fgtb_gui_automation

    This is the local certificate that is used to identify this client, and is assumed to already be installed on the FortiGate. The SSL VPN server requires it for authentication.

    Peer

    fgt_gui_automation

    Administrative Distance

    Configure as needed.

    Priority

    Configure as needed.

    Status

    Enabled

  4. Click OK.

To create a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the policy:

    Name

    policy_to_sslvpn_tunnel

    Incoming Interface

    port2

    Outgoing Interface

    sslclient_port1

    Source

    all

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    Accept

  3. Click OK.

To configure the SSL VPN client (FGT-A) in the CLI:
  1. Create the PKI user. Use the CA that signed the certificate fgt_gui_automation, and the CN of that certificate on the SSL VPN server.

    config user peer
        edit "fgt_gui_automation"
            set ca "GUI_CA"
            set cn "*.fos.automation.com"
        next
    end
  2. Create the SSL interface that is used for the SSL VPN connection:

    config system interface
        edit "sslclient_port1"
            set vdom "vdom1"
            set allowaccess ping https
            set type ssl
            set role lan
            set snmp-index 46
            set interface "port1"
        next
    end
  3. Create the SSL VPN client to use the PKI user and the client certificate fgtb_gui_automation:

    config vpn ssl client
        edit "sslclientTo9"
            set interface "sslclient_port1"
            set user "client2"
            set psk 123456
            set peer "fgt_gui_automation"
            set server "172.16.200.9"
            set port 1443
            set certificate "fgtb_gui_automation"
        next
    end
  4. Create a firewall policy:

    config firewall policy
        edit 1
            set name "policy_to_sslvpn_tunnel"
            set srcintf "port2"
            set dstintf "sslclient_port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

Verification

After the tunnel is established, the route to 13.107.21.200 and 204.79.197.200 on FGT-A connects through the SSL VPN virtual interface sslclient_port1.

To check the routing table details:
(vdom1) # get router info routing-table details
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.200.254, port1
C       10.0.1.0/24 is directly connected, link_11
C       10.1.100.0/24 is directly connected, port2
                      is directly connected, port2
C       10.212.134.200/32 is directly connected, sslclient_port1
S       13.107.21.200/32 [10/0] is directly connected, sslclient_port1
C       172.16.200.0/24 is directly connected, port1
S       192.168.100.126/32 [10/0] is directly connected, sslclient_port1
S       204.79.197.200/32 [10/0] is directly connected, sslclient_port1
To check the added routing for an IPv6 tunnel:
(vdom1) # get router info6 routing-table database
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, B - BGP
       > - selected route, * - FIB route, p - stale info
Timers: Uptime

S    *> ::/0 [10/0] via 2000:172:16:200::254, port1, 00:00:01, [1024/0]
     *>      [10/0] via ::, sslclient_port1, 00:00:01, [1024/0]
C    *> ::1/128 via ::, vdom1, 03:26:35
C    *> 2000:10:0:1::/64 via ::, link_11, 03:26:35
C    *> 2000:10:1:100::/64 via ::, port2, 03:26:35
C    *> 2000:172:16:200::/64 via ::, port1, 03:26:35
C    *> 2001:1::1:100/128 via ::, sslclient_port1, 00:00:01
C    *> fe80::/64 via ::, port2, 03:26:35
To check the connection in the GUI:
  1. On the SSL VPN server FortiGate (FGT-B), go to Dashboard > Network and expand the SSL-VPN widget.

  2. On the SSL VPN client FortiGate (FGT-A), go to VPN > SSL-VPN Clients to see the tunnel list.