FortiGate as SSL VPN Client

The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. When an SSL VPN client connection is established, the client dynamically adds a route to the subnets that are returned by the SSL VPN server. Policies can be defined to allow users that are behind the client to be tunneled through SSL VPN to destinations on the SSL VPN server.

FortiOS can be configured as an SSL VPN server that allows IP-level connectivity in tunnel mode, and can act as an SSL VPN client that uses the protocol used by the FortiOS SSL VPN server. This allows hub-and-spoke topologies to be configured with FortiGates as both the SSL VPN hub and spokes.

For an IP-level VPN between a device and a VPN server, this can be useful to avoid issues caused by intermediate devices, such as:

  • ESP packets being blocked.

  • UDP ports 500 or 4500 being blocked.

  • Fragments being dropped, causing IKE negotiation that uses large certificates to fail if the peer does not support IKE fragmentation.

If the client specified destination is all, a default route is effectively dynamically created on the SSL VPN client, and the new default route is added to the existing default route in the form of ECMP. Some examples how to configure routing are:

  • To make all traffic default to the SSL VPN server and still have a route to the server's listening interface, on the SSL VPN client set a lower distance for the default route that is learned from the server.

  • To include both default routes in the routing table, with the route learned from the SSL VPN server taking priority, on the SSL VPN client set a lower distance for the route learned from the server. If the distance is already zero, then increase the priority on the default route.

  • To avoid a default being learned on the SSL VPN client, on the SSL VPN server define a specific destination.

Example

In this example, the home FortiGate (FGT-A) is configured as an SSL VPN client, and the company FortiGate (FGT-B) is configured as an SSL VPN server. After FGT-A connects to FGT-B, the devices that are connected to FGT-A can access the resources behind FGT-B.

The SSL VPN server has a custom server certificate defined, and the SSL VPN client user uses PSK and a PKI client certificate to authenticate. The FortiGates must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.

Split tunneling is used so that only the destination addresses defined in the server's firewall policies are routed to the server, and all other traffic is connected directly to the internet.

Configure the SSL VPN server

To create a local user in the GUI:
  1. Go to User & Authentication > User Definition and click Create New.

  2. Use the wizard to create a local user named client2.

To create a PKI user in the GUI:
Note

The PKI menu is only available in the GUI after a PKI user has been created using the CLI, and a CN can only be configured in the CLI.

  1. Go to User & Authentication > PKI and click Create New.

  2. Set the Name to pki.

  3. Set CA to the CA certificate that is used to verify the client certificate.

  4. Click OK.

  5. In the CLI, specify the CN that must be matched. If no CN is specified, then any certificate that is signed by the CA will be valid and matched.

    config user peer
        edit "pki"
            set cn "*.fos.automation.com"
        next
    end
To create an SSL VPN portal in the GUI:
  1. Go to VPN > SSL-VPN Portals and click Create New.

  2. Set the Name to testportal2.

  3. Set Enable Split Tunneling to Enabled Based on Policy Destination.

  4. Set Source IP Pools to SSLVPN_TUNNEL_ADDR1.

  5. Click OK.

To configure SSL VPN settings in the GUI:
  1. Go to VPN > SSL-VPN Settings.

  2. Set Server Certificate to fgt_gui_automation.

  3. In the Authentication/Portal Mapping table click Create New:

    1. Set Users/Groups to client2.

    2. Set Portal to testportal2.

    3. Click OK.

  4. Click OK.

  5. In the CLI, enable SSL VPN client certificate restrictive and set the user peer to pki:

    config vpn ssl settings
        config authentication-rule
            edit 1
                set client-cert enable
                set user-peer "pki"
            next
        end
    end
To create a firewall address in the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.

  2. Set the Name to bing.com.

  3. Set Type to FQDN.

  4. Set FQDN to www.bing.com.

  5. Click OK.

To create a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the policy:

    Name

    sslvpn2

    Incoming Interface

    SSL-VPN tunnel interface (ssl.root)

    Outgoing Interface

    port1

    Source

    Address: all

    User: client2

    Destination

    bing.com: This FQDN resolves to 13.107.21.200 and 204.79.197.200. Traffic to these addresses is directed to the SSL VPN, while other traffic is routed to the remote devices' default adapters or interfaces.

    mantis

    Schedule

    always

    Service

    ALL

    Action

    Accept