Remote Internet browsing using a VPN


In this recipe, you will use remote IPsec and SSL VPN tunnels to bypass Internet access restrictions.

Restricted Internet access is simulated with a Web Filter profile that blocks google.com. You will create FortiClient SSL and IPsec VPN tunnels to bypass the web filter, connect to a remote FortiGate unit, and transparently browse the Internet to google.com.

The recipe assumes that a vpn_users user group and a Local LAN firewall address have already been created.

1. Starting point

In this example, we simulate restricted Internet access using a Web Filtering profile to block Google.

With the user situated behind this FortiGate, google.com cannot be accessed, and instead the FortiGuard “Web Page Blocked” message appears.

For the user to bypass this Web Filter, the following VPN configurations must be made on a remote FortiGate (which is not blocked by any filter), and the user must connect to it using FortiClient.

WebFilterBlocked

2. Configure the IPsec VPN

On the remote FortiGate, go to VPN > IPSec > Wizard.

Name the VPN connection and select Dial Up – FortiClient (Windows, Mac OS, Android) and click Next.

FGTVPNWizard1

Set the Incoming Interface to the internet-facing interface. In this case, wan1.

Select Pre-shared Key for the Authentication Method.

Enter a pre-shared key and select the vpn_users user group, then click Next.


Set Local Interface to the internal interface and set Local Address to the local LAN address.

Enter an IP range for VPN users in the Client Address Range field.

FGTVPNWizard3

Click Next and select Client Options as desired.

FGTVPNWizard4

When using the IPsec VPN Wizard, an IPsec firewall address range is automatically created using the name of the tunnel you entered into the Wizard. The Wizard also creates an IPsec -> internal IPv4 policy, so all that is left is to create the Internet access policy. See Step 4.

3. Configure the SSL VPN

Go to VPN > SSL > Portals, highlight the full-access portal, and select Edit.

FGTSSLPortal

Disable Split Tunneling so that all VPN traffic will go through the FortiGate firewall.

FGTSSLPortalTunneling

Go to VPN > SSL > Settings. Under Connection Settings, set Listen on Port to 10443.

FGTSSL1

Under Authentication/Portal Mapping, assign the vpn_users user group to the full-access portal, and assign All Other Users/Groups to the desired portal.

FGTSSL2
By default, the FortiGate has an ssl.root firewall address. All that is left is to create the Internet access policy, as described in the following step.

4. Create security policies for VPN access to the Internet

Go to Policy & Objects > Policy > IPv4.

Create two security policies allowing remote users to access the Internet securely through the FortiGate unit; one for each VPN tunnel.

Set Incoming Interface to the tunnel interface and set Source Address to all.

For SSL VPN, set Source User(s) to the vpn_users user group.

Set Outgoing Interface to wan1 and Destination Address to all.

Set Service to ALL and ensure that you enable NAT.

FGTVPNtoWan1Policy

FGTSSLInternetPolicy

5. Configure FortiClient for IPsec and SSL VPN

Open FortiClient, go to Remote Access and add new connections for both VPNs.

FClientIPsec0

Provide a Connection Name and set the Type to either IPsec VPN or SSL VPN depending on the VPN configuration.

Set Remote Gateway to the FortiGate IP address.

  • For IPsec VPN, set Authentication Method to Pre-Shared Key and enter the pre-shared key in the field below it.
  • For SSL VPN, set Customize Port to 10443.

(Optional) For Username, enter a username from the vpn_users user group.

FClientIPsec1

Select the new connection, enter the username and password, and click Connect.

FClientIPsec3

If prompted with a server authentication warning, select Yes.

FClientSSL3

6. Results

From FortiClient start an IPsec or SSL VPN session. Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.

FClientIPsec2

With the tunnel up, you can now visit google.com without being blocked, since the Internet traffic is handled by the remote FortiGate and the web filter on the local FortiGate has been bypassed.

WebFilterBypassed

For further reading, check out IPsec VPN in the web-based manager in the FortiOS 5.2 Handbook.

Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!
Notes

  • The tunnel name must not have any spaces in it.
  • The pre-shared key is a credential for the VPN and should differ from the user's password.
  • The IP range you enter in the Client Address Range field prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in this case, ipsecvpn_range).
  • In addition, FortiOS automatically creates a security policy to allow remote users to access the internal network.

  • Thomas

    Anyone know why the IPsec hasn't set 'source user' in the IPv4 Policy? (SSL VPN has set this option.)

    • Keith Leroux

      Hello Thomas,

      I believe this is because you can have multiple IPsec interfaces (created by the wizard), whereas SSL VPN uses ssl.root. You *can* set a Source User/Group for the IPsec IPv4 policy, but it is not necessary. I believe it *is* necessary for the SSL VPN policy.