Migration from SSL VPN tunnel mode to IPsec VPN 7.6.3
This information is also available in the FortiOS 7.6 Administration Guide.
Starting from FortiOS 7.6.3, the proprietary SSL VPN tunnel mode is replaced by the standards-based IPsec VPN tunnel. IPsec can be configured to use TCP port 443 for communication. As a result, all existing configurations related to SSL VPN tunnel mode, including associated firewall policies, are not carried over when upgrading from previous versions to FortiOS 7.6.3. For a list of the SSL VPN tunnel mode CLI commands that are no longer supported, see Appendix A: FortiOS CLI.
Therefore, to ensure uninterrupted remote access, you must manually migrate your SSL VPN tunnel mode configuration to IPsec VPN before upgrading to FortiOS 7.6.3. If your current SSL VPN tunnel mode setup uses TCP port 443 for remote access, note that IPsec VPN also supports TCP as its transport: IKE negotiation runs over TCP and ESP packets are encapsulated within a TCP header. This configuration uses TCP port 443 by default and is ideal for environments where traditional IPsec traffic on UDP/500 and UDP/4500 is blocked or impeded by ISPs and carrier-grade NAT. TCP transport is supported on FortiGate firmware version 7.4.2 and later; see Encapsulate ESP packets within TCP headers. FortiClient must also be configured to use TCP as transport, which is supported in FortiClient version 7.4.1 and later; see IPsec VPN over TCP.
If you are using SSL VPN web mode, your existing configurations will persist after the upgrade. Thus, SSL VPN web mode remains functional and continues to operate under its new name Agentless VPN, see Agentless VPN 7.6.3 and Agentless VPN.
FortiGates set up as SSL VPN clients are no longer supported. All existing configurations related to SSL VPN clients, including firewall policies, are not upgraded from previous versions to FortiOS 7.6.3. To configure remote access using IPsec VPN, see FortiGate as dialup client.
This topic includes the following sections:
IPsec and SSL VPN comparison
IPsec VPN and SSL VPN tunnel mode each offer distinct advantages, depending on the use case. Some key benefits of IPsec VPN include:

- Supports both UDP and TCP: IPsec VPN can be configured to use UDP, TCP, or Auto mode as its transport. Auto mode is a fallback mechanism that automatically switches IKE negotiation from UDP to TCP if connection attempts over UDP are not successful.
- Strong security: Uses robust encryption standards to protect data from cyber threats.
- Efficient performance: Optimized bandwidth usage and low latency improve overall network performance.
- Seamless integration: Works well with enterprise security policies and authentication mechanisms.
- Advanced networking features: Supports split tunneling, split DNS, traffic shaping, and QoS for better traffic management.
- Scalability: Suitable for large-scale enterprise deployments with both site-to-site IPsec VPNs and remote access options.
- Interoperability: Compatible with a wide range of networking devices and operating systems.
- End-to-end encryption: Ensures data integrity and confidentiality throughout transmission.
- Automatic key management: Uses protocols such as IKEv1 and IKEv2 for secure and automated key exchange.
- Multi-factor authentication (MFA) support: Enhances security by integrating with strong authentication methods such as LDAP, RADIUS, SAML, and so on.
- Resilience: Supports failover and redundancy for high availability and business continuity.
- Traffic segmentation: Enables policy-based routing and access controls to restrict and optimize traffic flow.
- Compliance readiness: Helps meet security standards and regulatory requirements such as GDPR and HIPAA.
- Device identity verification: Uses certificates or pre-shared keys for secure endpoint authentication.
- Support for mobile and remote users: Efficiently handles varying network conditions, including broadband and cellular connections.
For more details, see the Migration background section of the SSL VPN to IPsec VPN Migration guide.
Migration planning and design considerations
You are strongly advised to plan a detailed migration strategy to transition your SSL VPN tunnel mode configuration to IPsec VPN. Key considerations for a successful migration include:

- Assessing current SSL VPN tunnel mode usage and identifying its key configurations on FortiGate.
- Ensuring IPsec VPN compatibility with existing authentication methods, routing configurations, and network policies.
- Testing the new IPsec VPN configuration before deploying it organization-wide.
- Communicating the transition plan to users and providing necessary training on IPsec VPN usage.
For information about different design considerations when migrating from SSL VPN tunnel mode to IPsec VPN, see Design Considerations.
Migration steps for SSL VPN tunnel mode to IPsec VPN
Migrating from SSL VPN tunnel mode to IPsec VPN involves multiple steps, depending on factors such as the migration method (GUI or CLI), whether the FortiGate is managed by FortiManager, and the specific FortiOS version in use. Follow the steps below for a smooth transition:
1. Back up the existing configuration.

   Before making any changes, back up the current SSL VPN tunnel mode configuration to prevent data loss and facilitate rollback if needed. See Backing up and restoring configurations from the GUI.

2. Convert FortiGate and FortiClient configurations in their existing versions.

   The SSL VPN tunnel mode configuration can be converted to IPsec VPN using the GUI, the CLI, or the FortiConverter service.

   - Migrating FortiGate and FortiClient using the GUI:
     - For FortiGate devices running FortiOS 7.4.4 and planned for an upgrade to FortiOS 7.6.3, migration to IPsec VPN is required before upgrading. For detailed steps, see the FortiOS 7.4 SSL VPN to IPsec VPN Migration guide.
     - For FortiGate devices running FortiOS 7.6.0, 7.6.1, or 7.6.2 and planned for an upgrade to FortiOS 7.6.3, migration to IPsec VPN is also required before upgrading. For detailed steps, see the FortiOS 7.6 SSL VPN to IPsec VPN Migration guide.
     - For FortiClient endpoint configuration migration, see FortiClient endpoint configuration migration.
   - Migrating FortiGate using the CLI and FortiClient using XML configuration:
     - For CLI-based migration of FortiGate and XML-based configuration migration for FortiClient, see Examples.
   - Use the FortiConverter service to perform the conversion.

3. Enable IPsec VPN alongside SSL VPN during the transition.

   - Apply the converted IPsec VPN configuration to the current FortiOS version, and configure the IPsec VPN profile in FortiClient EMS.
   - Deploy the IPsec VPN profile from FortiClient EMS to endpoints.

4. Verify IPsec VPN functionality.

   Test the IPsec VPN connection between FortiClient and FortiGate to confirm successful migration and ensure reliable IPsec VPN connectivity.

5. Upgrade steps for FortiGate managed by FortiManager.

   If FortiGate is managed by FortiManager, follow these steps to ensure compatibility and centralized management after completing the IPsec VPN migration on one of the FortiGate devices:

   - Upgrade FortiManager to version 7.6.3 before upgrading FortiOS to maintain compatibility.
   - Re-import the new FortiGate configuration to FortiManager 7.6.3 to ensure centralized management consistency.
   - Use FortiManager to upgrade FortiOS to version 7.6.3.
   - Re-validate the IPsec VPN configuration after the upgrade to confirm full functionality.

6. Upgrade steps for standalone FortiGate.

   For unmanaged or standalone FortiGate devices:

   - Upgrade the FortiGate to FortiOS 7.6.3 after completing the IPsec VPN migration. The unsupported SSL VPN tunnel mode configuration is automatically removed after the upgrade. For a list of unsupported CLI commands, see Appendix A: FortiOS CLI.
   - After the upgrade, re-validate the IPsec VPN configuration to ensure IPsec VPN functionality.

7. Enforce IPsec VPN and disable SSL VPN on FortiClient EMS.

   After verifying that IPsec VPN is functioning correctly, update the FortiClient EMS VPN profile:

   - Remove SSL VPN tunnel mode configurations.
   - Enforce IPsec VPN usage across all managed endpoints to complete the transition.
Key components comparison
This section aims to help you understand how your existing SSL VPN tunnel CLI setup maps to an IPsec VPN CLI setup. By understanding these mappings, you can effectively convert your SSL VPN tunnel configuration to IPsec VPN while maintaining equivalent functionality and security.
Key configuration components of SSL VPN tunnel mode on FortiOS
SSL VPN configuration on FortiOS consists of several key elements, each defined by specific CLI settings. The following sections outline these components and their respective configuration commands:
| SSL VPN configuration | Configured under | Function/Purpose | CLI reference |
|---|---|---|---|
| SSL VPN portal | config vpn ssl web portal | Defines portal settings such as user access permissions, bookmarks, and tunnel mode and web mode configurations. | For FortiOS 7.6.2, see config vpn ssl web portal. |
| SSL VPN settings | config vpn ssl settings | Specifies global SSL VPN settings, including listening ports, encryption methods, authentication parameters, and routing options. | For FortiOS 7.6.2, see config vpn ssl settings. |
| Firewall policies | config firewall policy | Defines firewall policies that regulate SSL VPN traffic by specifying source/destination, allowed services, and security rules. The SSL VPN tunnel interface (ssl.root) is used in the Incoming or Outgoing interface fields. | For FortiOS 7.6.2, see config firewall policy. |
Key configuration components of IPsec VPN tunnel mode on FortiOS
IPsec VPN setup consists of multiple configuration elements, including Phase 1 and Phase 2 settings that establish and maintain the tunnel, as well as firewall policies that control traffic flow. Depending on your use cases, you can configure multiple SSL VPN web portals, each tailored to specific user groups or access requirements. For each SSL VPN web portal, you might also need one or more corresponding IPsec Phase 1 and Phase 2 tunnel configurations to support your current use cases.
Following is an overview of key configurations of IPsec VPN:
| IPsec VPN configuration | Configured under | Function/Purpose | CLI reference |
|---|---|---|---|
| IPsec Phase 1 | config vpn ipsec phase1-interface | Defines phase 1 settings for IPsec VPN tunnels, including authentication, encryption, and key exchange parameters. | For FortiOS 7.6.2, see config vpn ipsec phase1-interface. |
| IPsec Phase 2 | config vpn ipsec phase2-interface | Specifies phase 2 settings for IPsec VPN, including security proposals and traffic selectors. | For FortiOS 7.6.2, see config vpn ipsec phase2-interface. |
| Firewall policies | config firewall policy | Defines firewall policies that regulate IPsec VPN traffic by specifying source/destination, allowed services, and security rules. The IPsec VPN tunnel interface is used in the Incoming or Outgoing interface fields. | For FortiOS 7.6.2, see config firewall policy. |
Examples
You can convert the SSL VPN tunnel mode settings to IPsec using the CLI on FortiGate and XML on FortiClient EMS. Use the following examples to understand your current SSL VPN tunnel mode configuration and its equivalent IPsec VPN configuration after conversion. The XML configuration for the SSL VPN tunnel mode to IPsec VPN conversion is the same in both examples.
The configurations provided in these examples are for demonstration purposes only. Customers must evaluate their own environments and, with the help of these example configurations, develop an IPsec equivalent setup suitable for their transition. It is essential to test and validate the configurations before applying them to production environments.
Topology
Example 1
Corp1 uses the following SSL VPN tunnel mode configuration. It enables remote users to connect securely to the corporate network using SSL VPN tunnel mode. It enforces full tunnel mode, meaning all user traffic is routed through the VPN tunnel without split tunneling. In addition, auto-connect, keep alive, and save password are enabled.
The following network setup is in use:
- WAN interface (listening for SSL VPN connections on port 443): wan1
- LAN interface: port1
- IP address range assigned to VPN users: REMOTE-CLIENT-ADDRESS-RANGE
- User group for user authentication: vpn-user-group
- Address object for LAN: Local-LAN
- Other features: auto-connect, keep alive, save password.

If your SSL VPN configuration assigns IP addresses to remote clients from multiple IP ranges, you can achieve similar behavior with IPsec VPN using mode config. IPsec mode config supports assigning client IP addresses from multiple IP ranges by referencing an address group that contains the desired IP range objects. During IKE negotiation, the FortiGate dynamically allocates an available IP address from the specified address group to the connecting IPsec client.
CLI configuration for SSL VPN on FortiGate:

- SSL VPN web portal:

```
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode disable
        set web-mode disable
    next
    edit "my-full-tunnel-portal"
        set tunnel-mode enable
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
        set split-tunneling disable
    next
end
```

- SSL VPN settings (the original listing was missing the closing quote on `set source-address "all"`):

```
config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "SSL_CERTIFICATE"
    set tunnel-ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "vpn-user-group"
            set portal "my-full-tunnel-portal"
        next
    end
end
```

- SSL VPN firewall policy (`set action accept` is shown explicitly, as in the IPsec policies below; without it the policy's default action is deny):

```
config firewall policy
    edit 1
        set name "SSL VPN to LAN"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "REMOTE-CLIENT-ADDRESS-RANGE"
        set dstaddr "Local-LAN"
        set schedule "always"
        set service "ALL"
        set groups "vpn-user-group"
    next
    edit 2
        set name "SSL VPN to Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "REMOTE-CLIENT-ADDRESS-RANGE"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "vpn-user-group"
        set nat enable
    next
end
```
XML configuration for SSL VPN on FortiClient EMS
To view the XML configuration on FortiClient EMS for SSL VPN configuration, see the XML configuration for SSL VPN section in Appendix B: FortiClient XML.
CLI configuration for IPsec VPN on FortiGate
The following configuration provides an equivalent setup to the existing SSL VPN configuration, enabling a seamless migration to IPsec VPN while maintaining secure remote access.
Using set transport tcp for TCP mode ensures VPN traffic can pass through restrictive firewalls that block UDP traffic but allow TCP, such as port 443 (HTTPS). You can specify a custom port to avoid conflict with the management port on the FortiGate.
IPsec VPN can be configured to use either pre-shared key (PSK) or certificate-based authentication for peer identity authentication. This deployment example uses PSK for simplicity and ease of configuration. When using certificate-based authentication, administrators must configure a certificate authority (CA), issue certificates to all FortiClient endpoints, and ensure the FortiGate is properly configured to validate client certificates during IKE negotiation. For more information about certificate-based authentication, see Dialup IPsec VPN with certificate authentication.
- IPsec Phase 1 settings:

```
config vpn ipsec phase1-interface
    edit "my-full-tunnel"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set eap enable
        set eap-identity send-request
        set authusrgrp "vpn-user-group"
        set network-overlay enable
        set network-id 1
        set transport tcp
        set assign-ip-from name
        set ipv4-name "REMOTE-CLIENT-ADDRESS-RANGE"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ******
    next
end
```

In IKE version 2, FortiGate uses the Network ID as a unique identifier to distinguish between multiple dialup tunnels configured on the same WAN interface. During IPsec negotiation, FortiClient transmits its configured Network ID, which FortiGate matches against its defined Network IDs to identify the appropriate tunnel. The Network ID configured on FortiClient must match the corresponding Network ID set on FortiGate for the IPsec tunnel to be established.

- IPsec Phase 2 settings:

```
config vpn ipsec phase2-interface
    edit "my-full-tunnel"
        set phase1name "my-full-tunnel"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
```

- Default port number when TCP is used as transport:

```
config system settings
    set ike-tcp-port 443
end
```

- IPsec VPN firewall policy (the "IPsec VPN to WAN" policy uses `set dstaddr "all"`, matching the SSL VPN "to Internet" policy it replaces; the original listing repeated "Local-LAN" here):

```
config firewall policy
    edit 1
        set name "IPsec VPN to LAN"
        set srcintf "my-full-tunnel"
        set dstintf "port1"
        set action accept
        set srcaddr "REMOTE-CLIENT-ADDRESS-RANGE"
        set dstaddr "Local-LAN"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "IPsec VPN to WAN"
        set srcintf "my-full-tunnel"
        set dstintf "wan1"
        set action accept
        set srcaddr "REMOTE-CLIENT-ADDRESS-RANGE"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```
XML configuration for IPsec VPN on FortiClient EMS
To view the XML configuration on FortiClient EMS for IPsec VPN configuration, see the XML configuration for IPsec VPN section in Appendix B: FortiClient XML.
Example 2
Corp2 uses the following SSL VPN tunnel mode configuration. The company has different types of users. Based on their specific requirements, users are assigned different SSL VPN portals, each offering distinct connectivity and security settings.
- dhcpra: The dhcpra portal enforces full tunneling, ensuring that all internet traffic from VPN users is routed through the FortiGate firewall. VPN users obtain an IP address dynamically from an external DHCP server, with FortiGate acting as a DHCP relay agent. In addition, auto-connect, keep alive, and save password are enabled.
- split-dns: The split-dns portal is designed for users who need access to specific corporate networks while allowing direct internet access for non-corporate traffic. VPN users are assigned custom DNS servers for their DNS queries, and queries for certain domains are routed to internal DNS servers using the split DNS feature. In addition, auto-connect, keep alive, and save password are enabled.

If your SSL VPN configuration assigns IP addresses to remote clients from multiple IP ranges, you can achieve similar behavior with IPsec VPN using mode config. IPsec mode config supports assigning client IP addresses from multiple IP ranges by referencing an address group that contains the desired IP range objects. During IKE negotiation, the FortiGate dynamically allocates an available IP address from the specified address group to the connecting IPsec client.
CLI configuration for SSL VPN on FortiGate:

- SSL VPN web portal (auto-connect is the web portal keyword, as listed in Appendix A; `client-auto-negotiate` is the IPsec phase 1 equivalent and does not exist under the portal):

```
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode disable
        set web-mode disable
    next
    edit "dhcpra"
        set tunnel-mode enable
        set ip-mode dhcp
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set split-tunneling disable
        set dhcp-ra-giaddr 10.1.1.1
    next
    edit "split-dns"
        set tunnel-mode enable
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set dns-server1 10.10.10.8
        set dns-server2 10.10.10.9
        set split-tunneling enable
        config split-dns
            edit 1
                set domains "domain1.com"
                set dns-server1 10.10.10.10
            next
        end
    next
end
```

- SSL VPN settings (the original listing used a typographic closing quote on the tunnel-ip-pools value and `set group` instead of `set groups` in authentication rule 1; both are corrected here):

```
config vpn ssl settings
    set banned-cipher SHA1 SHA256 SHA384
    set servercert "SSL_Certificate"
    set tunnel-ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
    set dns-server1 172.17.254.148
    set dns-server2 172.17.254.151
    set port 443
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "group-dhcpra"
            set portal "dhcpra"
        next
        edit 2
            set groups "group-split-dns"
            set portal "split-dns"
        next
    end
end
```

- SSL VPN firewall policy (`set action accept` is shown explicitly, as in the IPsec policies below):

```
config firewall policy
    edit 1
        set name "SSL VPN to LAN"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "group-dhcpra" "group-split-dns"
    next
    edit 2
        set name "SSL-VPN to Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "group-dhcpra" "group-split-dns"
    next
end
```
XML configuration for SSL VPN on FortiClient EMS
To view the XML configuration on FortiClient EMS for SSL VPN configuration, see the XML configuration for SSL VPN section in Appendix B: FortiClient XML.
CLI configuration for IPsec VPN on FortiGate
Since IPsec VPN does not support portals, you may be required to configure separate IPsec VPN tunnels to accommodate the various use cases your current SSL VPN tunnel mode web portals support. Each IPsec VPN tunnel should be configured based on the specific security, authentication, and routing requirements of the associated SSL VPN portal.
Using set transport tcp for TCP mode ensures VPN traffic can pass through restrictive firewalls that block UDP traffic but allow TCP, such as port 443 (HTTPS). You can specify a custom port to avoid conflict with the management port on the FortiGate.
IPsec VPN can be configured to use either pre-shared key (PSK) or certificate-based authentication for peer identity authentication. This deployment example uses PSK for simplicity and ease of configuration. When using certificate-based authentication, administrators must configure a certificate authority (CA), issue certificates to all FortiClient endpoints, and ensure the FortiGate is properly configured to validate client certificates during IKE negotiation. For more information about certificate-based authentication, see Dialup IPsec VPN with certificate authentication.
- IPsec Phase 1 settings:

```
config vpn ipsec phase1-interface
    edit "dhcpra"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 172.17.254.148
        set ipv4-dns-server2 172.17.254.151
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set eap enable
        set eap-identity send-request
        set authusrgrp "group-dhcpra"
        set network-overlay enable
        set network-id 2
        set transport tcp
        set psksecret *****
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
    next
    edit "split-dns"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod psk
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.10.10.8
        set ipv4-dns-server2 10.10.10.9
        set ipv4-dns-server3 10.10.10.10
        set internal-domain-list "domain1.com"
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set eap enable
        set eap-identity send-request
        set authusrgrp "group-split-dns"
        set network-overlay enable
        set network-id 3
        set transport tcp
        set psksecret *****
        set assign-ip-from name
        set ipv4-split-include "Local-LAN"
        set ipv4-name "REMOTE-CLIENT-ADDRESS-RANGE"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
    next
end
```

SSL VPN in tunnel mode supports the configuration of both split DNS and DNS suffix. For dialup IPsec tunnels, the availability of these features depends on the IKE version in use:

- IKE version 1: Supports DNS suffix configuration but requires enabling unity-support in the Phase 1 configuration. See IPsec DNS suffix.
- IKE version 2: Supports split DNS. See IPsec Split DNS.

When configuring your environment, review the existing SSL VPN settings to determine the most suitable IKE version for your requirements.

In IKE version 2, FortiGate uses the Network ID as a unique identifier to distinguish between multiple dialup tunnels configured on the same WAN interface. During IPsec negotiation, FortiClient transmits its configured Network ID, which FortiGate matches against its defined Network IDs to identify the appropriate tunnel. The Network ID configured on FortiClient must match the corresponding Network ID set on FortiGate for the IPsec tunnel to be established.

- IPsec Phase 2 configuration:

```
config vpn ipsec phase2-interface
    edit "split-dns"
        set phase1name "split-dns"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
    edit "dhcpra"
        set phase1name "dhcpra"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhcp-ipsec enable
    next
end
```

- IPsec tunnel interface configuration for DHCP relay:

```
config system interface
    edit "dhcpra"
        set vdom "root"
        set dhcp-relay-service enable
        set type tunnel
        set snmp-index 9
        set dhcp-relay-ip "10.1.1.1"
        set dhcp-relay-type ipsec
        set interface "wan1"
    next
end
```

- Default port number when TCP is used as transport:

```
config system settings
    set ike-tcp-port 443
end
```

- Firewall policy configuration:

```
config firewall policy
    edit 1
        set name "IPsec to LAN"
        set srcintf "split-dns" "dhcpra"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "IPsec to Internet"
        set srcintf "split-dns" "dhcpra"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The configured user group,
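The mapping applied in Examples 1 and 2 (authentication-rule group to authusrgrp, auto-connect/keep-alive/save-password to client-auto-negotiate/client-keep-alive/save-password, ip-pools or tunnel-ip-pools to assign-ip-from name plus ipv4-name, ip-mode dhcp to dhcp-ipsec in phase 2, portal DNS servers and split-dns entries to ipv4-dns-serverN plus internal-domain-list, split-tunneling-routing-address to ipv4-split-include) is regular enough to script. The following Python is an added example, not Fortinet's code or a FortiConverter feature: it parses FortiOS CLI text, whether indented multi-line output or flattened onto one line as the listings on this page are, and derives phase1-interface and phase2-interface settings for each tunnel-mode portal using only keywords that appear on this page. The sample SSL VPN configuration is constructed for the example; the phase 2 proposal omits the SHA-1 entries shown above as a hardening choice of this example; the PSK, ike-tcp-port, the DHCP relay settings on the tunnel interface, and the firewall policies are left for the administrator to add.

```python
import re

# Constructed sample in the shape of Example 2, written in the flattened
# one-line style used on this page: a DHCP-relay portal and a split-tunnel /
# split-DNS portal behind one set of global SSL VPN settings.
SAMPLE_SSL_CONFIG = (
    'config vpn ssl settings set tunnel-ip-pools "REMOTE-CLIENT-ADDRESS-RANGE" '
    'set dns-server1 172.17.254.148 set source-interface "wan1" '
    'config authentication-rule edit 1 set groups "group-dhcpra" set portal "dhcpra" next '
    'edit 2 set groups "group-split-dns" set portal "split-dns" next end end '
    'config vpn ssl web portal edit "dhcpra" set tunnel-mode enable set ip-mode dhcp '
    'set auto-connect enable set save-password enable next '
    'edit "split-dns" set tunnel-mode enable set keep-alive enable set dns-server1 10.10.10.8 '
    'set split-tunneling enable set split-tunneling-routing-address "Local-LAN" '
    'config split-dns edit 1 set domains "domain1.com" set dns-server1 10.10.10.10 next end '
    'next end'
)

# Proposals from the phase 1 / phase 2 examples above (SHA-1 phase 2 entries dropped).
PHASE1_PROPOSAL = ["aes128-sha256", "aes256-sha256", "aes128gcm-prfsha256",
                   "aes256gcm-prfsha384", "chacha20poly1305-prfsha256"]
PHASE2_PROPOSAL = ["aes128-sha256", "aes256-sha256", "aes128gcm", "aes256gcm",
                   "chacha20poly1305"]

KEYWORDS = {"config", "edit", "set", "unset", "next", "end"}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: `config` blocks and `edit`
    entries become dicts keyed by path or name, `set` lines become value lists.
    Works on indented multi-line output and on text flattened onto one line."""
    tokens = re.findall(r'"[^"]*"|\S+', text)
    root, stack, i = {}, [], 0
    while i < len(tokens):
        cmd, i = tokens[i], i + 1
        args = []
        while i < len(tokens) and tokens[i] not in KEYWORDS:  # a quoted "end" is a value
            args.append(tokens[i].strip('"'))
            i += 1
        node = stack[-1] if stack else root
        if cmd in ("config", "edit"):
            stack.append(node.setdefault(" ".join(args), {}))
        elif cmd == "set":
            node[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def ssl_portal_to_ipsec(cfg, portal_name, network_id):
    """Return (phase1, phase2) settings dicts for one tunnel-mode SSL VPN portal,
    using the phase1-interface / phase2-interface keywords shown on this page."""
    settings = cfg["vpn ssl settings"]
    portal = cfg["vpn ssl web portal"][portal_name]
    if portal.get("tunnel-mode") != ["enable"]:
        raise ValueError(f"portal {portal_name!r} is not in tunnel mode")
    # The authentication-rule that selects this portal supplies the user group.
    groups = [r["groups"] for r in settings.get("authentication-rule", {}).values()
              if r.get("portal") == [portal_name]]
    if not groups:
        raise ValueError(f"no authentication-rule maps a group to {portal_name!r}")
    p1 = {"type": ["dynamic"], "interface": settings["source-interface"],
          "ike-version": ["2"], "peertype": ["any"], "net-device": ["disable"],
          "mode-cfg": ["enable"], "proposal": PHASE1_PROPOSAL, "eap": ["enable"],
          "eap-identity": ["send-request"], "authusrgrp": groups[0],
          "network-overlay": ["enable"], "network-id": [str(network_id)],
          "transport": ["tcp"]}
    p2 = {"phase1name": [portal_name], "proposal": PHASE2_PROPOSAL}
    # Client behaviour flags keep their meaning under the IPsec keyword names.
    for ssl_key, ipsec_key in (("auto-connect", "client-auto-negotiate"),
                               ("keep-alive", "client-keep-alive"),
                               ("save-password", "save-password")):
        if portal.get(ssl_key) == ["enable"]:
            p1[ipsec_key] = ["enable"]
    # Address assignment: DHCP relay moves to phase 2 (dhcp-ipsec) plus the tunnel
    # interface's dhcp-relay settings; otherwise mode-cfg hands out the SSL pool.
    if portal.get("ip-mode") == ["dhcp"]:
        p2["dhcp-ipsec"] = ["enable"]
    else:
        p1["assign-ip-from"] = ["name"]
        p1["ipv4-name"] = portal.get("ip-pools") or settings["tunnel-ip-pools"]
    # DNS: portal servers override the global ones; split-DNS entries become an
    # extra DNS server plus internal-domain-list (IKEv2 split DNS, as in Example 2).
    servers = [v[0] for v in (portal.get(k) or settings.get(k)
                              for k in ("dns-server1", "dns-server2")) if v]
    domains = []
    for entry in portal.get("split-dns", {}).values():
        domains += entry.get("domains", [])
        servers += [entry[k][0] for k in ("dns-server1", "dns-server2") if k in entry]
    for i, server in enumerate(servers[:3], 1):
        p1[f"ipv4-dns-server{i}"] = [server]
    if domains:
        p1["internal-domain-list"] = domains
    if portal.get("split-tunneling") == ["enable"]:
        p1["ipv4-split-include"] = portal.get("split-tunneling-routing-address", [])
    return p1, p2
```

Feed it the output of `show vpn ssl settings` and `show vpn ssl web portal` from the backup, call `ssl_portal_to_ipsec` once per tunnel-mode portal with a distinct network-id, and review the resulting dicts against the phase 1 listings above before typing them in; a portal that is web-mode only raises, which is the expected outcome since it stays as Agentless VPN.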
XML configuration for IPsec VPN on FortiClient EMS
To view the XML configuration on FortiClient EMS for IPsec VPN configuration, see the XML configuration for IPsec VPN section in Appendix B: FortiClient XML.
Appendix A: FortiOS CLI
After upgrading to FortiOS 7.6.3, the following configuration commands for SSL VPN tunnel mode are no longer supported or configurable. These configurations will be lost once upgraded to FortiOS 7.6.3. Administrators should migrate their SSL VPN tunnel-related configuration to IPsec VPN accordingly to avoid remote access issues in FortiOS 7.6.3 or later.

- SSL VPN settings:
  The commands under config vpn ssl settings related to tunnel mode:

```
config vpn ssl settings
    set dtls-hello-timeout
    set dtls-heartbeat-idle-timeout
    set dtls-heartbeat-interval
    set dtls-heartbeat-fail-count
    set tunnel-ip-pools
    set tunnel-ipv6-pools
    set dns-server1
    set dns-server2
    set wins-server1
    set wins-server2
    set ipv6-dns-server1
    set ipv6-dns-server2
    set ipv6-wins-server1
    set ipv6-wins-server2
    set dtls-tunnel
    set dtls-max-proto-ver
    set dtls-min-proto-ver
    set tunnel-connect-without-reauth
    set tunnel-user-session-timeout
    set tunnel-addr-assigned-method
    set ztna-trusted-client
end
```

- SSL VPN web portal:
  The following commands under config vpn ssl web portal are no longer available:

```
config vpn ssl web portal
    set tunnel-mode
    set ip-mode
    set auto-connect
    set keep-alive
    set save-password
    set ip-pools
    set split-tunneling
    set split-tunneling-routing-negate
    set split-tunneling-routing-address
    set dns-server1
    set dns-server2
    set wins-server1
    set wins-server2
    set ipv6-tunnel-mode
    set ipv6-pools
    set ipv6-split-tunneling
    set ipv6-split-tunneling-routing-negate
    set ipv6-split-tunneling-routing-address
    set ipv6-dns-server1
    set ipv6-dns-server2
    set ipv6-wins-server1
    set ipv6-wins-server2
    set client-src-range
    set host-check
    set mac-addr-check
    set os-check
end
```

- Host check software configuration:

```
config vpn ssl web host-check-software
end
```

- EMS serial number check:
  The system-wide option to enable or disable SN checks for SSL VPN tunnel connections is no longer configurable:

```
config system global
    set vpn-ems-sn-check
end
```

After upgrading to FortiOS 7.6.3, the following configuration commands for SSL VPN client are no longer supported or configurable. These configurations will be lost once upgraded to FortiOS 7.6.3. Administrators should migrate their SSL VPN client-related configuration to IPsec VPN accordingly to avoid remote access issues in FortiOS 7.6.3 or later.

- SSL VPN client configuration:

```
config vpn ssl client
end
```

- All references to interfaces configured under config system interface with their type set to SSL (that is, set type ssl), including:
  - Interface definitions under config system interface
  - Link monitors referencing SSL interfaces
  - Zone configurations containing SSL interfaces
  - Firewall policies involving SSL interfaces
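Appendix A reads as a checklist, and the pre-upgrade check a practitioner wants is an audit of the configuration backup taken in step 1 against it, so that nothing is dropped silently. The following Python is an added example, not Fortinet's tooling: it walks a multi-line FortiOS backup and reports every line that the appendix says is lost on upgrade to 7.6.3, namely the listed keywords under config vpn ssl settings and config vpn ssl web portal, the vpn-ems-sn-check global option, the vpn ssl client and host-check-software tables, interfaces of type ssl, and any table entry (policy, zone, link monitor) that references ssl.root or one of those interfaces. The sample backup is constructed for the example and the interface name ssl-tun0 in it is hypothetical.

```python
import re

# Keywords that Appendix A lists as dropped from `config vpn ssl settings`.
DROPPED_SETTINGS = {
    "dtls-hello-timeout", "dtls-heartbeat-idle-timeout", "dtls-heartbeat-interval",
    "dtls-heartbeat-fail-count", "tunnel-ip-pools", "tunnel-ipv6-pools", "dns-server1",
    "dns-server2", "wins-server1", "wins-server2", "ipv6-dns-server1", "ipv6-dns-server2",
    "ipv6-wins-server1", "ipv6-wins-server2", "dtls-tunnel", "dtls-max-proto-ver",
    "dtls-min-proto-ver", "tunnel-connect-without-reauth", "tunnel-user-session-timeout",
    "tunnel-addr-assigned-method", "ztna-trusted-client"}
# Keywords that Appendix A lists as dropped from `config vpn ssl web portal`.
DROPPED_PORTAL = {
    "tunnel-mode", "ip-mode", "auto-connect", "keep-alive", "save-password", "ip-pools",
    "split-tunneling", "split-tunneling-routing-negate", "split-tunneling-routing-address",
    "dns-server1", "dns-server2", "wins-server1", "wins-server2", "ipv6-tunnel-mode",
    "ipv6-pools", "ipv6-split-tunneling", "ipv6-split-tunneling-routing-negate",
    "ipv6-split-tunneling-routing-address", "ipv6-dns-server1", "ipv6-dns-server2",
    "ipv6-wins-server1", "ipv6-wins-server2", "client-src-range", "host-check",
    "mac-addr-check", "os-check"}
# Tables that disappear entirely.
DROPPED_TABLES = {"vpn ssl web host-check-software", "vpn ssl client"}

# Constructed sample backup: a tunnel-mode portal, a FortiGate-as-SSL-VPN-client
# interface (hypothetical name "ssl-tun0"), and policies referencing ssl.root and
# that interface. `set port 443` is kept on purpose: it survives the upgrade.
SAMPLE_BACKUP = """\
config system global
    set vpn-ems-sn-check enable
end
config system interface
    edit "ssl-tun0"
        set type ssl
    next
end
config vpn ssl web portal
    edit "my-full-tunnel-portal"
        set tunnel-mode enable
        set ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
        set split-tunneling disable
    next
end
config vpn ssl settings
    set tunnel-ip-pools "REMOTE-CLIENT-ADDRESS-RANGE"
    set port 443
end
config vpn ssl client
    edit "to-hq"
        set interface "ssl-tun0"
    next
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "port1"
    next
    edit 2
        set srcintf "port1"
        set dstintf "ssl-tun0"
    next
end
"""


def audit_backup(text):
    """Return (line_no, table, entry, detail) tuples for every line that
    Appendix A says is dropped on upgrade. Assumes the usual backup order, in
    which `config system interface` precedes the tables that reference
    interfaces, so SSL-type interfaces are already known when those appear."""
    findings, stack, ssl_ifaces = [], [], {"ssl.root"}
    for no, raw in enumerate(text.splitlines(), 1):
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', raw)]
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append([" ".join(args), None])  # [table path, current edit entry]
            if stack[-1][0] in DROPPED_TABLES:
                findings.append((no, stack[-1][0], None, "table is dropped"))
        elif cmd == "edit":
            stack[-1][1] = args[0]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
        elif cmd == "set" and stack:
            table, entry = stack[-1]
            key, vals = args[0], set(args[1:])
            dropped = {"vpn ssl settings": DROPPED_SETTINGS,
                       "vpn ssl web portal": DROPPED_PORTAL}.get(table, set())
            if key in dropped or (table == "system global" and key == "vpn-ems-sn-check"):
                findings.append((no, table, entry, f"set {key}"))
            elif table == "system interface" and key == "type" and "ssl" in vals:
                ssl_ifaces.add(entry)
                findings.append((no, table, entry, "set type ssl"))
            elif table != "system interface" and vals & ssl_ifaces:
                hits = " ".join(sorted(vals & ssl_ifaces))
                findings.append((no, table, entry, f"set {key} references {hits}"))
    return findings
```

Run it over the full backup file before the upgrade and again after the IPsec migration: every remaining finding is a line that 7.6.3 will delete, and an empty result on the migrated configuration is the signal that step 2 is complete.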
Appendix B: FortiClient XML
To understand the various XML settings available in FortiClient EMS for SSL VPN and IPsec configuration, refer to the XML Reference Guide version that matches your FortiClient EMS version. For example, for FortiClient EMS 7.4.2, refer to the FortiClient 7.4.2 XML Reference Guide.
XML configuration for SSL VPN
The following XML configuration on FortiClient EMS demonstrates the SSL VPN settings used for Example 1 and Example 2:
The Network ID setting cannot be configured on unmanaged or standalone FortiClient. For managed FortiClient, configuration of the Network ID is supported through FortiClient EMS starting with versions 7.2.6 and later or 7.4.1 and later. Only FortiClient version 7.4.1 or later can be configured to use TCP as transport; see IPsec VPN over TCP. Ensure that both the EMS server and FortiClient endpoints are running compatible versions to apply and enforce this setting; see the EMS compatibility chart.
```xml
<forticlient_configuration>
  <vpn>
    <options>
      <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
      <allow_personal_vpns>0</allow_personal_vpns>
      <on_os_start_connect/>
      <disable_connect_disconnect>0</disable_connect_disconnect>
      <keep_running_max_tries>0</keep_running_max_tries>
      <show_negotiation_wnd>0</show_negotiation_wnd>
      <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
      <autoconnect_on_install>0</autoconnect_on_install>
      <minimize_window_on_connect>1</minimize_window_on_connect>
      <secure_remote_access>0</secure_remote_access>
      <certs_require_keyspec>0</certs_require_keyspec>
      <autoconnect_tunnel>sslvpn</autoconnect_tunnel>
      <current_connection_type>ssl</current_connection_type>
      <use_windows_credentials>0</use_windows_credentials>
      <suppress_vpn_notification>0</suppress_vpn_notification>
      <show_vpn_before_logon>0</show_vpn_before_logon>
      <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
      <current_connection_name>sslvpn</current_connection_name>
      <disable_internet_check>1</disable_internet_check>
    </options>
    <lockdown>
      <max_attempts>3</max_attempts>
      <grace_period>120</grace_period>
      <exceptions>
        <apps/>
        <ips/>
        <domains/>
        <icdb_domains/>
      </exceptions>
      <enabled>0</enabled>
    </lockdown>
    <ipsecvpn>
      <connections/>
      <options>
        <check_for_cert_private_key>0</check_for_cert_private_key>
        <usesmcardcert>1</usesmcardcert>
        <uselocalcert>0</uselocalcert>
        <no_dns_registration>0</no_dns_registration>
        <usewincert>1</usewincert>
        <use_win_current_user_cert>1</use_win_current_user_cert>
        <enable_udp_checksum>0</enable_udp_checksum>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <disable_default_route>0</disable_default_route>
        <block_ipv6>1</block_ipv6>
        <beep_if_error>0</beep_if_error>
        <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <show_auth_cert_only>0</show_auth_cert_only>
        <enabled>0</enabled>
      </options>
    </ipsecvpn>
    <enabled>1</enabled>
    <sslvpn>
      <connections>
        <connection>
          <name>sslvpn</name>
          <uid>434A9FE6-7CC5-48C2-83E9-F264B15F076C</uid>
          <machine>0</machine>
          <keep_running>0</keep_running>
          <username/>
          <password/>
          <certificate/>
          <pkcs11_lib/>
          <prompt_certificate>0</prompt_certificate>
          <prompt_username>1</prompt_username>
          <fgt>1</fgt>
          <disclaimer_msg/>
          <sso_enabled>0</sso_enabled>
          <keep_fqdn_resolution_consistency>0</keep_fqdn_resolution_consistency>
          <use_external_browser>0</use_external_browser>
          <azure_auto_login>
            <enabled>0</enabled>
            <azure_app>
              <tenant_name/>
              <client_id/>
            </azure_app>
          </azure_auto_login>
          <single_user_mode>0</single_user_mode>
          <ui>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <save_username>1</save_username>
          </ui>
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>
          <redundant_sort_method>0</redundant_sort_method>
          <RedundantSortMethod>0</RedundantSortMethod>
          <tags>
            <allowed/>
            <prohibited/>
          </tags>
          <host_check_fail_warning/>
          <android_cert_path/>
          <android_cert_source>filesystem</android_cert_source>
          <no_vnic_dns_server>0</no_vnic_dns_server>
          <dual_stack>0</dual_stack>
          <server>192.0.2.1:443</server>
          <on_connect>
            <script>
              <os>windows</os>
              <script/>
            </script>
            <script>
              <os>MacOSX</os>
              <script/>
            </script>
            <script>
              <os>linux</os>
              <script/>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script/>
            </script>
            <script>
              <os>MacOSX</os>
              <script/>
            </script>
            <script>
              <os>linux</os>
              <script/>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>0</enabled>
            <mode>1</mode>
          </traffic_control>
        </connection>
      </connections>
      <options>
        <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <negative_split_tunnel_metric/>
        <no_dns_registration>0</no_dns_registration>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <dnscache_service_control>0</dnscache_service_control>
        <block_ipv6>1</block_ipv6>
        <use_gui_saml_auth>0</use_gui_saml_auth>
        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
        <show_auth_cert_only>0</show_auth_cert_only>
        <enabled>1</enabled>
      </options>
    </sslvpn>
  </vpn>
  <endpoint_control>
    <ui>
      <display_vpn>1</display_vpn>
    </ui>
  </endpoint_control>
</forticlient_configuration>
```
XML configuration for IPsec VPN
The following XML configuration on FortiClient EMS shows the VPN settings for Example 1 and Example 2. The value of the <networkid> XML tag is not fixed: it must match the network ID specified in the corresponding IPsec configuration, so it differs between the two examples.
<forticlient_configuration>
  <vpn>
    <options>
      <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority>
      <allow_personal_vpns>0</allow_personal_vpns>
      <on_os_start_connect/>
      <disable_connect_disconnect>0</disable_connect_disconnect>
      <keep_running_max_tries>0</keep_running_max_tries>
      <show_negotiation_wnd>0</show_negotiation_wnd>
      <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
      <autoconnect_on_install>0</autoconnect_on_install>
      <minimize_window_on_connect>1</minimize_window_on_connect>
      <secure_remote_access>0</secure_remote_access>
      <certs_require_keyspec>0</certs_require_keyspec>
      <autoconnect_tunnel>ipsec</autoconnect_tunnel>
      <current_connection_type>ipsec</current_connection_type>
      <use_windows_credentials>0</use_windows_credentials>
      <suppress_vpn_notification>0</suppress_vpn_notification>
      <show_vpn_before_logon>0</show_vpn_before_logon>
      <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
      <current_connection_name>ipsec</current_connection_name>
      <disable_internet_check>1</disable_internet_check>
    </options>
    <lockdown>
      <max_attempts>3</max_attempts>
      <grace_period>120</grace_period>
      <exceptions>
        <apps/>
        <ips/>
        <domains/>
        <icdb_domains/>
      </exceptions>
      <enabled>0</enabled>
    </lockdown>
    <ipsecvpn>
      <connections>
        <connection>
          <name>ipsec</name>
          <uid>A47A1B4A-01C4-4E19-9A21-3981067058B5</uid>
          <machine>0</machine>
          <keep_running>0</keep_running>
          <disclaimer_msg/>
          <single_user_mode>0</single_user_mode>
          <type>manual</type>
          <ui>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
            <show_passcode>0</show_passcode>
            <save_username>0</save_username>
          </ui>
          <redundant_sort_method>0</redundant_sort_method>
          <tags>
            <allowed/>
            <prohibited/>
          </tags>
          <host_check_fail_warning/>
          <ike_settings>
            <server>192.0.2.1</server>
            <authentication_method>Preshared Key</authentication_method>
            <transport_mode>1</transport_mode>
            <tcp_port>443</tcp_port>
            <udp_port>500</udp_port>
            <fgt>1</fgt>
            <prompt_certificate>1</prompt_certificate>
            <xauth>
              <use_otp>0</use_otp>
              <enabled>1</enabled>
              <prompt_username>1</prompt_username>
            </xauth>
            <version>2</version>
            <mode>aggressive</mode>
            <key_life>86400</key_life>
            <localid/>
            <implied_SPDO>0</implied_SPDO>
            <implied_SPDO_timeout>0</implied_SPDO_timeout>
            <nat_traversal>1</nat_traversal>
            <nat_alive_freq>5</nat_alive_freq>
            <enable_local_lan>0</enable_local_lan>
            <enable_ike_fragmentation>0</enable_ike_fragmentation>
            <mode_config>1</mode_config>
            <dpd>1</dpd>
            <run_fcauth_system>0</run_fcauth_system>
            <sso_enabled>0</sso_enabled>
            <ike_saml_port>443</ike_saml_port>
            <dpd_retry_count>3</dpd_retry_count>
            <dpd_retry_interval>5</dpd_retry_interval>
            <networkid>0</networkid>
            <auth_data>
              <preshared_key>Enc 4beb1e1c4306fadaaf3409c77e27861e20b21eb51dc331d082bf4c6c272404f0</preshared_key>
            </auth_data>
            <xauth_timeout>120</xauth_timeout>
            <dhgroup>5;15</dhgroup>
            <proposals>
              <proposal>AES128|SHA256</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
          <ipsec_settings>
            <remote_networks>
              <network>
                <addr>0.0.0.0</addr>
                <mask>0.0.0.0</mask>
              </network>
              <network>
                <addr>::/0</addr>
                <mask>::/0</mask>
              </network>
            </remote_networks>
            <dhgroup>14</dhgroup>
            <key_life_type>seconds</key_life_type>
            <key_life_seconds>43200</key_life_seconds>
            <key_life_Kbytes>5200</key_life_Kbytes>
            <replay_detection>1</replay_detection>
            <pfs>1</pfs>
            <use_vip>1</use_vip>
            <virtualip>
              <type>modeconfig</type>
              <ip>0.0.0.0</ip>
              <mask>0.0.0.0</mask>
              <dnsserver>0.0.0.0</dnsserver>
              <winserver>0.0.0.0</winserver>
            </virtualip>
            <proposals>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ipsec_settings>
          <android_cert_path/>
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <on_connect>
            <script>
              <os>windows</os>
              <script/>
            </script>
            <script>
              <os>MacOSX</os>
              <script/>
            </script>
            <script>
              <os>linux</os>
              <script/>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script/>
            </script>
            <script>
              <os>MacOSX</os>
              <script/>
            </script>
            <script>
              <os>linux</os>
              <script/>
            </script>
          </on_disconnect>
          <traffic_control>
            <enabled>0</enabled>
            <mode>1</mode>
          </traffic_control>
        </connection>
      </connections>
      <options>
        <check_for_cert_private_key>0</check_for_cert_private_key>
        <usesmcardcert>0</usesmcardcert>
        <uselocalcert>0</uselocalcert>
        <no_dns_registration>0</no_dns_registration>
        <usewincert>0</usewincert>
        <use_win_current_user_cert>1</use_win_current_user_cert>
        <enable_udp_checksum>0</enable_udp_checksum>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <disable_default_route>0</disable_default_route>
        <block_ipv6>1</block_ipv6>
        <beep_if_error>0</beep_if_error>
        <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
        <use_win_local_computer_cert>1</use_win_local_computer_cert>
        <show_auth_cert_only>0</show_auth_cert_only>
        <enabled>1</enabled>
      </options>
    </ipsecvpn>
    <enabled>1</enabled>
    <sslvpn>
      <connections/>
      <options>
        <preferred_dtls_tunnel>0</preferred_dtls_tunnel>
        <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
        <negative_split_tunnel_metric/>
        <no_dns_registration>0</no_dns_registration>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <dnscache_service_control>0</dnscache_service_control>
        <block_ipv6>1</block_ipv6>
        <use_gui_saml_auth>0</use_gui_saml_auth>
        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
        <show_auth_cert_only>0</show_auth_cert_only>
        <enabled>0</enabled>
      </options>
    </sslvpn>
  </vpn>
  <endpoint_control>
    <ui>
      <display_vpn>1</display_vpn>
    </ui>
  </endpoint_control>
</forticlient_configuration>
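Before pushing a migrated profile from EMS, it is worth checking mechanically that the cutover described above actually happened: IPsec enabled, SSL VPN tunnel mode disabled, IKEv2 over TCP/443, and the <networkid> matching the FortiGate side. The script below is an added example, not Fortinet's code or part of this guide. It parses the profile with the Python standard library and reports findings; the embedded profile is a constructed, trimmed version of the IPsec example above, and the reading of <transport_mode>1</transport_mode> as "IKE over TCP" is an assumption taken from the page's example, which pairs it with <tcp_port>443</tcp_port>.

```python
"""Audit a FortiClient EMS VPN profile after an SSL VPN -> IPsec migration.

Added example, not Fortinet's code. Element paths follow the profile shown on
the page; transport_mode == 1 is assumed to mean IKE over TCP (the page's
example pairs it with tcp_port 443).
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed profile modelled on the page's IPsec example.
SAMPLE_PROFILE = """<forticlient_configuration>
  <vpn>
    <ipsecvpn>
      <connections>
        <connection>
          <name>ipsec</name>
          <ike_settings>
            <server>192.0.2.1</server>
            <transport_mode>1</transport_mode>
            <tcp_port>443</tcp_port>
            <version>2</version>
            <networkid>0</networkid>
            <proposals>
              <proposal>AES128|SHA256</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ike_settings>
          <ipsec_settings>
            <proposals>
              <proposal>AES128|SHA1</proposal>
              <proposal>AES256|SHA256</proposal>
            </proposals>
          </ipsec_settings>
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
        </connection>
      </connections>
      <options>
        <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
        <enabled>1</enabled>
      </options>
    </ipsecvpn>
    <sslvpn>
      <connections/>
      <options>
        <enabled>0</enabled>
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""


def _text(root, path, default=""):
    """Text of the first element at `path`, or `default` if it is absent."""
    node = root.find(path)
    return (node.text or "").strip() if node is not None else default


def audit_profile(xml_text, expected_network_id):
    """Return a list of (level, message) findings for one EMS profile.

    No 'error' entries means SSL VPN tunnel mode is off, IPsec is on, and the
    network ID matches the value configured on the FortiGate phase1.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # 1. The migration must leave IPsec enabled and SSL VPN tunnel mode disabled.
    if _text(root, "vpn/ipsecvpn/options/enabled") != "1":
        findings.append(("error", "ipsecvpn is not enabled"))
    if _text(root, "vpn/sslvpn/options/enabled") != "0":
        findings.append(("error", "sslvpn tunnel mode is still enabled"))
    if root.findall("vpn/sslvpn/connections/connection"):
        findings.append(("warn", "leftover sslvpn connections in profile"))
    # Invalid server certificates are warned about but not blocked unless this is 1.
    if _text(root, "vpn/ipsecvpn/options/disallow_invalid_server_certificate") != "1":
        findings.append(("info", "disallow_invalid_server_certificate is not 1"))

    for conn in root.findall("vpn/ipsecvpn/connections/connection"):
        name = _text(conn, "name", "?")
        ike = conn.find("ike_settings")
        if ike is None:
            findings.append(("error", f"{name}: no ike_settings"))
            continue
        # 2. IKEv2 over TCP/443 takes over the port the SSL VPN listener used.
        if _text(ike, "version") != "2":
            findings.append(("warn", f"{name}: IKE version is not 2"))
        if _text(ike, "transport_mode") != "1" or _text(ike, "tcp_port") != "443":
            findings.append(("warn", f"{name}: not using TCP transport on port 443"))
        # 3. <networkid> must equal the network ID in the FortiGate IPsec configuration.
        if _text(ike, "networkid") != str(expected_network_id):
            findings.append(("error", f"{name}: networkid {_text(ike, 'networkid')} "
                                      f"!= {expected_network_id}"))
        # 4. The user should at least be warned about an invalid server certificate.
        if _text(conn, "warn_invalid_server_certificate") != "1":
            findings.append(("warn", f"{name}: invalid server certificate warning disabled"))
        # 5. Surface SHA1 in any proposal so it can be reviewed against the FortiGate side.
        for path in ("ike_settings/proposals/proposal", "ipsec_settings/proposals/proposal"):
            for prop in conn.findall(path):
                if "SHA1" in (prop.text or ""):
                    findings.append(("info", f"{name}: SHA1 in proposal {prop.text}"))
    return findings


if __name__ == "__main__":
    for level, msg in audit_profile(SAMPLE_PROFILE, expected_network_id=0):
        print(f"[{level}] {msg}")
```

Run it against the exported profile for each example, passing the network ID configured on that example's FortiGate; a profile copied between Example 1 and Example 2 without editing <networkid> shows up as an error rather than as a failed tunnel after rollout.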