SSL VPN to IPsec VPN


In this recipe, you will configure a site-to-site IPsec VPN that allows SSL VPN users connected to FGT_1 to reach the network behind the remote endpoint (FGT_2). This involves a pre-existing user group, a tunnel-mode SSL VPN with split tunneling, and a route-based IPsec VPN between two FortiGates.

In the example, all sessions must be initiated from the SSL VPN interface (ssl.root). If you want sessions to be initiated from the FGT_2 subnet, you will need additional policies in the reverse direction. Furthermore, if the remote subnet is beyond FGT_2 (that is, the traffic has to cross multiple hops), the routers on those hops also need a route for the SSL VPN subnet pointing back toward the IPsec tunnel, or the return traffic will never reach FGT_2.

PREP 20 mins      COOK 5 min      TOTAL 25 mins

1. Configuring the site-to-site IPsec VPN on FGT_1

Go to VPN > IPSec Wizard.

Name the VPN connection and select Site to Site.

Set IP Address to the Internet-facing interface.

Set the Authentication Method to Pre-shared Key and enter the pre-shared key.

Set Local Interface to the internal interface and set Local Subnets to include the internal and SSL VPN subnets for FGT_1.

Set Remote Subnets to include the internal subnet for FGT_2.

A summary page shows the configuration created by the wizard, including firewall address groups (for both local subnets as well as the remote subnet), static routes, and security policies.

2. Configuring SSL VPN settings

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to wan1.

To avoid a conflict with HTTPS administrative access on the same interface (port 443), set Listen on Port to 10443.

Set Restrict Access to Allow access from any host. If the client source addresses are known, Limit access to specific hosts is the safer choice.

Under Tunnel Mode Client Settings, enable Specify custom IP ranges and include the SSL VPN subnet range created by the IPsec VPN wizard.

Under Authentication/Portal Mapping, add the VPN user group to the tunnel-access portal. Set All Other Users/Groups to the web-access portal.

3. Configuring the SSL VPN portal

Go to VPN > SSL-VPN Portals and edit the tunnel-access portal.

Turn on Enable Split Tunneling so that only traffic intended for the local or remote networks will flow through FGT_1 and be subject to the corporate security profiles.

Next to Routing Address, add the local and remote IPsec VPN subnets created by the IPsec VPN wizard.

Next to Source IP Pools, add the SSL VPN subnet range created by the IPsec VPN wizard.

4. Adding policies on FGT_1

Go to Policy & Objects > IPv4 Policy and create a new policy that allows SSL VPN users access to the internal network.

Set Incoming Interface to ssl.root and set Outgoing Interface to internal.

Set Source to the SSL VPN subnet created by the IPsec VPN wizard and add the VPN user group.

Set Destination to the local IPsec VPN subnet (which represents the internal subnet).

Set the Schedule and set Service to ALL.

Disable NAT.

Create another policy that allows SSL VPN users access to the IPsec VPN tunnel.

Set Incoming Interface to ssl.root and set Outgoing Interface to the IPsec tunnel interface (in this case, Site1).

Set Source to the SSL VPN subnet created by the IPsec VPN wizard and add the VPN user group.

Set Destination to the remote IPsec VPN subnet.

Set the Schedule and set Service to ALL.

Disable NAT.

5. Configuring the site-to-site IPsec VPN on FGT_2

Go to VPN > IPSec Wizard.

Name the VPN connection and select Site to Site.

Set IP Address to the Internet-facing interface.

Set the Authentication Method to Pre-shared Key and enter the pre-shared key that matches the FGT_1 configuration.

Set Local Interface to the internal interface and set Local Subnets to include the internal network subnet for FGT_2.

Set Remote Subnets to include the internal and SSL VPN subnets for FGT_1.

A summary page shows the configuration created by the wizard, including firewall address groups (for the local subnet as well as both remote subnets), static routes, and security policies.  
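The CLI equivalent of steps 1 to 4 on FGT_1 is shown below as an added example; it is not the wizard output from the original recipe. It assumes placeholder values that the recipe does not give: 192.168.1.0/24 for the FGT_1 internal network, 10.10.10.0/24 as the dedicated SSL VPN pool, 192.168.177.0/24 for the network behind FGT_2 (inferred from the 192.168.177.99 host pinged in step 7), 203.0.113.2 as FGT_2's public address, and VPN_Users as the pre-existing user group. The tunnel name Site1, port 10443, the portal names, and the interface names wan1, internal and ssl.root are the recipe's own.

```text
# FGT_1: CLI equivalent of steps 1 to 4 (added example, not wizard output).
# Placeholders: 192.168.1.0/24 internal, 10.10.10.0/24 SSL VPN pool,
# 192.168.177.0/24 behind FGT_2, 203.0.113.2 FGT_2 public IP, VPN_Users group.
config firewall address
    edit "FGT1_internal"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "SSLVPN_pool"
        # dedicated range, not the default SSLVPN_TUNNEL_ADDR1 pool
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.254
    next
    edit "FGT2_internal"
        set subnet 192.168.177.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "Site1"
        set interface "wan1"
        set proposal aes256-sha256
        set remote-gw 203.0.113.2
        set psksecret <pre-shared-key>
    next
end
# Step 1: two phase 2 selectors, one per local subnet (internal and SSL VPN),
# so traffic sourced from the SSL VPN pool is accepted into the tunnel.
config vpn ipsec phase2-interface
    edit "Site1_internal"
        set phase1name "Site1"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.177.0 255.255.255.0
    next
    edit "Site1_sslvpn"
        set phase1name "Site1"
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.177.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 192.168.177.0 255.255.255.0
        set device "Site1"
    next
end
# Step 3: tunnel-mode portal, split tunneling limited to the two subnets.
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "FGT1_internal" "FGT2_internal"
        set ip-pools "SSLVPN_pool"
    next
end
# Step 2: listen on wan1:10443, VPN_Users -> tunnel-access, others -> web-access.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set port 10443
    set tunnel-ip-pools "SSLVPN_pool"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPN_Users"
            set portal "tunnel-access"
        next
    end
end
# Step 4: ssl.root -> internal and ssl.root -> Site1, group-restricted, no NAT.
config firewall policy
    edit 0
        set name "sslvpn-to-internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_pool"
        set dstaddr "FGT1_internal"
        set groups "VPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "sslvpn-to-Site1"
        set srcintf "ssl.root"
        set dstintf "Site1"
        set srcaddr "SSLVPN_pool"
        set dstaddr "FGT2_internal"
        set groups "VPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

On FGT_2 (step 5) the configuration is the mirror image: the same phase 1 pointing at FGT_1's public address, phase 2 selectors with 192.168.177.0/24 as the source and both 192.168.1.0/24 and 10.10.10.0/24 as destinations, a static route for each of those two remote subnets via the tunnel interface, and policies from the tunnel interface to internal. The second selector on FGT_2 is the one step 7 tells you to check when SSL VPN traffic enters the tunnel on FGT_1 but never arrives.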

6. Results

Go to Monitor > IPsec Monitor, highlight the tunnel, and select Bring Up.

Verify that the tunnel Status changes to Up.

Configure the SSL VPN connection on the user’s FortiClient and connect to the tunnel.

Using Command Prompt/Terminal on the user’s computer, send a PING through the tunnel to the remote endpoint and confirm access.

Go to Monitor > Routing Monitor and verify that the routes for the IPsec and SSL VPNs were added.

Go to Monitor > SSL-VPN Monitor and verify the user connectivity.

Go to Log & Report > VPN Events and view the IPsec and SSL tunnel statistics.

Go to FortiView > VPN and view VPN connection activity.

Right-click an entry and select Drill Down to Details (or double-click the entry) for more information about a connection.

7. Debug

In order to diagnose potential issues, run the following debug commands on FGT_1 using the CLI Console. The filters limit the trace to ICMP (protocol 1) to or from 192.168.177.99, the host behind FGT_2 used in this example, and trace start 2 traces the first two matching packets:

diag debug reset
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow filter addr 192.168.177.99
diag debug flow filter proto 1
diag debug flow trace start 2
diag debug enable

Send a PING through the SSL VPN tunnel to 192.168.177.99 and analyze the output of the debug. The trace shows the incoming interface, the route lookup and the policy that was matched, so you can see whether the packet is accepted from ssl.root and leaves through the Site1 tunnel interface. Disable the debug output with the following command:

diag debug disable

If the traffic is entering the correct VPN tunnel on FGT_1, then run the same commands on FGT_2 to check whether the traffic arrives through the correct tunnel. If it does not, confirm that the SSL VPN tunnel range is configured in the remote side's quick mode (phase 2) selectors; diag vpn tunnel list shows the selectors negotiated for each tunnel. If FGT_2 has no selector covering the SSL VPN range, phase 2 cannot be established for that traffic, which shows up in the IKE debug below rather than in the flow trace.

You can also run a sniffer command on FGT_1 as follows (verbosity level 4 prints the interface each packet is seen on, which confirms whether the reply comes back through Site1):

diag sniff packet any "host 192.168.177.99 and icmp" 4

If you suspect an IPsec VPN issue, run the following commands on either FortiGate:

diag debug reset
diag vpn ike gateway clear
diag debug application ike -1
diag debug enable

When you are satisfied with the debug output, disable the debug as follows:

diag debug disable

For more troubleshooting information for SSL VPN and IPsec VPN, refer to the Fortinet Technical Documentation.

Fortinet Technical Documentation
Contact Fortinet Technical Documentation at techdoc@fortinet.com.

Notes

All times listed are approximations.

Do not use the default SSL VPN subnet. Assign a dedicated range for the SSL VPN tunnel-mode IP pool in steps 1 to 4, so that the same range can be referenced in the IPsec selectors, static routes and policies on both FortiGates.

In step 2, the Fortinet_Factory certificate is used as the Server Certificate. It is, however, recommended that you purchase a certificate for your domain and upload it for use with the SSL VPN.

Although not normally needed, you can include the reverse policy in step 4 (that is, from the IPsec tunnel interface to ssl.root on FGT_1).