FortiGate as SSL VPN Client
The FortiGate can be configured as an SSL VPN client, using an SSL-VPN Tunnel interface type. When an SSL VPN client connection is established, the client dynamically adds a route to the subnets that are returned by the SSL VPN server. Policies can be defined to allow users that are behind the client to be tunneled through SSL VPN to destinations on the SSL VPN server.
FortiOS can be configured as an SSL VPN server that allows IP-level connectivity in tunnel mode, and can act as an SSL VPN client that uses the protocol used by the FortiOS SSL VPN server. This allows hub-and-spoke topologies to be configured with FortiGates as both the SSL VPN hub and spokes.
For an IP-level VPN between a device and a VPN server, this can be useful to avoid issues caused by intermediate devices, such as:
-
ESP packets being blocked.
-
UDP ports 500 or 4500 being blocked.
-
Fragments being dropped, causing IKE negotiation that uses large certificates to fail if the peer does not support IKE fragmentation.
If the client specified destination is all, a default route is effectively dynamically created on the SSL VPN client, and the new default route is added to the existing default route in the form of ECMP. Some examples how to configure routing are:
-
To make all traffic default to the SSL VPN server and still have a route to the server's listening interface, on the SSL VPN client set a lower distance for the default route that is learned from the server.
-
To include both default routes in the routing table, with the route learned from the SSL VPN server taking priority, on the SSL VPN client set a lower distance for the route learned from the server. If the distance is already zero, then increase the priority on the default route.
-
To avoid a default being learned on the SSL VPN client, on the SSL VPN server define a specific destination.
Example
In this example, the home FortiGate (FGT-A) is configured as an SSL VPN client, and the company FortiGate (FGT-B) is configured as an SSL VPN server. After FGT-A connects to FGT-B, the devices that are connected to FGT-A can access the resources behind FGT-B.
The SSL VPN server has a custom server certificate defined, and the SSL VPN client user uses PSK and a PKI client certificate to authenticate. The FortiGates must have the proper CA certificate installed to verify the certificate chain to the root CA that signed the certificate.
Split tunneling is used so that only the destination addresses defined in the server's firewall policies are routed to the server, and all other traffic is connected directly to the internet.
Configure the SSL VPN server
To create a local user in the GUI:
-
Go to User & Authentication > User Definition and click Create New.
-
Use the wizard to create a local user named client2.
To create a PKI user in the GUI:
The PKI menu is only available in the GUI after a PKI user has been created using the CLI, and a CN can only be configured in the CLI. |
-
Go to User & Authentication > PKI and click Create New.
-
Set the Name to pki.
-
Set CA to the CA certificate that is used to verify the client certificate.
-
Click OK.
-
In the CLI, specify the CN that must be matched. If no CN is specified, then any certificate that is signed by the CA will be valid and matched.
config user peer edit "pki" set cn "*.fos.automation.com" next end
To create an SSL VPN portal in the GUI:
-
Go to VPN > SSL-VPN Portals and click Create New.
-
Set the Name to testportal2.
-
Set Enable Split Tunneling to Enabled Based on Policy Destination.
-
Set Source IP Pools to SSLVPN_TUNNEL_ADDR1.
-
Click OK.
To configure SSL VPN settings in the GUI:
-
Go to VPN > SSL-VPN Settings and enable Enable SSL-VPN.
-
Set Listen on Interface(s) to port2.
-
Set Listen on Port to 1443.
-
Set Server Certificate to fgt_gui_automation.
-
In the Authentication/Portal Mapping table click Create New:
-
Set Users/Groups to client2.
-
Set Portal to testportal2.
-
Click OK.
-
-
Click OK.
-
In the CLI, enable SSL VPN client certificate restrictive and set the user peer to pki:
config vpn ssl settings config authentication-rule edit 1 set client-cert enable set user-peer "pki" next end end
To create a firewall address in the GUI:
-
Go to Policy & Objects > Addresses and click Create New > Address.
-
Set the Name to bing.com.
-
Set Type to FQDN.
-
Set FQDN to www.bing.com.
-
Click OK.
To create a firewall policy in the GUI:
-
Go to Policy & Objects > Firewall Policy and click Create New.
-
Configure the policy:
Name
sslvpn2
Incoming Interface
SSL-VPN tunnel interface (ssl.root)
Outgoing Interface
port1
Source
Address: all
User: client2
Destination
bing.com: This FQDN resolves to 13.107.21.200 and 204.79.197.200. Traffic to these addresses is directed to the SSL VPN, while other traffic is routed to the remote devices' default adapters or interfaces.
mantis
Schedule
always
Service
ALL
Action
Accept
-
Click OK.
To configure the SSL VPN server (FGT-B) in the CLI:
-
Create a local user:
config user local edit "client2" set passwd ********** next end
- Create a PKI user:
config user peer edit "pki" set ca "CA_Cert_3" set cn "*.fos.automation.com" next end
-
Create a new SSL VPN portal:
config vpn ssl web portal edit "testportal2" set tunnel-mode enable set ipv6-tunnel-mode enable set ip-pools "SSLVPN_TUNNEL_ADDR1" set split-tunneling enable set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set ipv6-split-tunneling enable .... next end
-
Configure SSL VPN settings, including the authentication rule for user mapping:
config vpn ssl settings set ssl-min-proto-ver tls1-1 set servercert "fgt_gui_automation" set auth-timeout 0 set login-attempt-limit 10 set login-timeout 180 set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1" set dns-suffix "sslvpn.com" set port 1443 set source-interface "port2" set source-address "all" set source-address6 "all" set default-portal "testportal1" config authentication-rule edit 1 set users "client2" set portal "testportal2" set client-cert enable set user-peer "pki" next end end
-
Create a firewall address and policy. The destination addresses used in the policy are routed to the SSL VPN server.
config firewall address edit "bing.com" set type fqdn set fqdn "www.bing.com" next end
config firewall policy edit 2 set name "sslvpn2" set srcintf "ssl.root" set dstintf "port1" set srcaddr "all" set dstaddr "mantis" "bing.com" set action accept set schedule "always" set service "ALL" set nat enable set users "client2" next end
Configure the SSL VPN client
To create a PKI user in the GUI:
The PKI menu is only available in the GUI after a PKI user has been created using the CLI, and a CN can only be configured in the CLI. |
-
Go to User & Authentication > PKI and click Create New.
-
Set the Name to fgt_gui_automation.
-
Set CA to the CA certificate. The CA certificate allows the FortiGate to complete the certificate chain and verify the server 's certificate, and is assumed to already be installed on the FortiGate.
-
Click OK.
-
In the CLI, specify the CN of the certificate on the SSL VPN server:
config user peer edit "fgt_gui_automation" set cn "*.fos.automation.com" next end
To create an SSL VPN client and virtual interface in the GUI:
-
Go to VPN > SSL-VPN Clients and click Create New.
-
Expand the Interface drop down and click Create to create a new virtual interface:
-
Set the Name to sslclient_port1.
-
Set Interface to port1.
-
Under Administrative Access, select HTTPS and PING.
-
Click OK.
-
-
Configure the SSL VPN client:
Name
sslclientTo9
Interface
sslclient_port1
Server
172.16.200.9
Port
1443
Username
client2
Pre-shared Key
**********
Client Certificate
fgtb_gui_automation
This is the local certificate that is used to identify this client, and is assumed to already be installed on the FortiGate. The SSL VPN server requires it for authentication.
Peer
fgt_gui_automation
Administrative Distance
Configure as needed.
Priority
Configure as needed.
Status
Enabled
-
Click OK.
To create a firewall policy in the GUI:
-
Go to Policy & Objects > Firewall Policy and click Create New.
-
Configure the policy:
Name
policy_to_sslvpn_tunnel
Incoming Interface
port2
Outgoing Interface
sslclient_port1
Source
all
Destination
all
Schedule
always
Service
ALL
Action
Accept
-
Click OK.
To configure the SSL VPN client (FGT-A) in the CLI:
-
Create the PKI user. Use the CA that signed the certificate fgt_gui_automation, and the CN of that certificate on the SSL VPN server.
config user peer edit "fgt_gui_automation" set ca "GUI_CA" set cn "*.fos.automation.com" next end
-
Create the SSL interface that is used for the SSL VPN connection:
config system interface edit "sslclient_port1" set vdom "vdom1" set allowaccess ping https set type ssl set role lan set snmp-index 46 set interface "port1" next end
-
Create the SSL VPN client to use the PKI user and the client certificate fgtb_gui_automation:
config vpn ssl client edit "sslclientTo9" set interface "sslclient_port1" set user "client2" set psk 123456 set peer "fgt_gui_automation" set server "172.16.200.9" set port 1443 set certificate "fgtb_gui_automation" next end
-
Create a firewall policy:
config firewall policy edit 1 set name "policy_to_sslvpn_tunnel" set srcintf "port2" set dstintf "sslclient_port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end
Verification
After the tunnel is established, the route to 13.107.21.200 and 204.79.197.200 on FGT-A connects through the SSL VPN virtual interface sslclient_port1.
To check the routing table details:
(vdom1) # get router info routing-table details Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default Routing table for VRF=0 S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1 C 10.0.1.0/24 is directly connected, link_11 C 10.1.100.0/24 is directly connected, port2 is directly connected, port2 C 10.212.134.200/32 is directly connected, sslclient_port1 S 13.107.21.200/32 [10/0] is directly connected, sslclient_port1 C 172.16.200.0/24 is directly connected, port1 S 192.168.100.126/32 [10/0] is directly connected, sslclient_port1 S 204.79.197.200/32 [10/0] is directly connected, sslclient_port1
To check the added routing for an IPv6 tunnel:
(vdom1) # get router info6 routing-table database IPv6 Routing Table Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, B - BGP > - selected route, * - FIB route, p - stale info Timers: Uptime S *> ::/0 [10/0] via 2000:172:16:200::254, port1, 00:00:01, [1024/0] *> [10/0] via ::, sslclient_port1, 00:00:01, [1024/0] C *> ::1/128 via ::, vdom1, 03:26:35 C *> 2000:10:0:1::/64 via ::, link_11, 03:26:35 C *> 2000:10:1:100::/64 via ::, port2, 03:26:35 C *> 2000:172:16:200::/64 via ::, port1, 03:26:35 C *> 2001:1::1:100/128 via ::, sslclient_port1, 00:00:01 C *> fe80::/64 via ::, port2, 03:26:35
To check the connection in the GUI:
-
On the SSL VPN server FortiGate (FGT-B), go to Dashboard > Network and expand the SSL-VPN widget.
-
On the SSL VPN client FortiGate (FGT-A), go to VPN > SSL-VPN Clients to see the tunnel list.