Configuring SSL-VPN tunnel mode on Fortinet routers

Configuring SSL-VPN tunnel mode on Fortinet routers is relatively straightforward, and comprises of four main steps:

  • Configuring the SSL-VPN settings
  • Configuring a firewall policy
  • Configuring a static route for the SSL-VPN range
  • Testing

This guide is applicable to FortiOS 4.0MR3 patch 5

Configuring the SSL-VPN settings

By default an SSL-VPN tunnel address range is automatically created under Firewall ObjectsAddress named SSLVPN_TUNNEL_ADDR1. In my case this is 10.0.0.1-10.0.0.10. I’ve changed this to 10.0.0.1-10.0.0.254 to utilize a full class C range.

Next go into VPNSSLConfig and select the SSLVPN_TUNNEL_ADDR1 with the edit icon next to IP Pools, then go into the Portal section. Edit your existing portal. Select Add Widget and choose Tunnel Mode. Click the edit icon on the Tunnel mode window. Leave the IP Mode on Range and use the edit icon to select SSLVPN_TUNNEL_ADDR1. Leave split tunneling ticked in order to only tunnel traffic into the Fortigate that is behind the firewall. Click OK, then click Apply.

Configuring a firewall policy

Go into PolicyPolicy and create a new policy. Use the following settings (assuming SSL VPN is to access a range on your LAN)

Source Interface/Zone sslvpn tunnel interface
Source Address SSLVPN_TUNNEL_ADDR1
Destination Interface LAN
Destination Address LAN-192.168.1.0/24 (Use your LAN address)
Service Any

Enable NAT Ticked

Ensure you specify a destination address range, we ran into issues leaving this set to ANY when using split tunneling. You can choose to lock down this policy later to specific addresses or services you choose.

Configuring a static route for the SSL-VPN range

Go into RouterStaticStatic Route. Create a new route with the following settings:

Destination IP/Mask: 10.0.0.0/24 (This is the class C range we specified for SSLVPN_TUNNEL_ADDR1)
Device ssl.root

Click OK.

Testing

Log into your SSL-VPN portal as normal and you should be prompted to install the Forticlient SSLVPN software. Once this has been done restart your browser and log back in to the SSLVPN portal. When you click Connect in the Tunnel Mode window you should get full connectivity into your LAN (in our case 192.168.1.0/24).

Like it? Share it! Print it!Share on Facebook
Facebook
Tweet about this on Twitter
Twitter
Print this page
Print

Leave a Reply