Configuring SSL-VPN tunnel mode on a FortiGate is relatively straightforward and comprises three main steps, followed by connecting with the client:
- Configuring the SSL-VPN settings
- Configuring a firewall policy
- Configuring a static route for the SSL-VPN range
This guide applies to FortiOS 4.0 MR3 patch 5.
Configuring the SSL-VPN settings
By default an SSL-VPN tunnel address range is created automatically under Firewall Objects – Address, named SSLVPN_TUNNEL_ADDR1. In my case this was 10.0.0.1-10.0.0.10; I changed it to 10.0.0.1-10.0.0.254 to use a full /24. Pick a pool that overlaps neither the LAN you are tunnelling into nor the networks remote clients are likely to sit on (home routers commonly hand out 192.168.0.0/24 and 192.168.1.0/24); an overlap on the client side breaks split-tunnel routing in a way that is hard to diagnose remotely.
Next go into VPN – SSL – Config and, next to IP Pools, use the edit icon to select SSLVPN_TUNNEL_ADDR1. Then go into the Portal section and edit your existing portal. Select Add Widget and choose Tunnel Mode. Click the edit icon on the Tunnel Mode window, leave IP Mode set to Range and use the edit icon to select SSLVPN_TUNNEL_ADDR1. Leave Split Tunneling ticked so that only traffic destined for networks behind the FortiGate goes through the tunnel; everything else leaves via the client's own internet connection. Bear in mind that a split-tunnelled client is therefore on your LAN and on the internet at the same time. If you would rather force all client traffic through the FortiGate (so it is inspected and logged), untick Split Tunneling and add a second policy from the SSL-VPN tunnel interface to your WAN interface with NAT enabled. Click OK, then click Apply.
Configuring a firewall policy
Go into Policy – Policy and create a new policy. Use the following settings (assuming the SSL VPN is to access a range on your LAN):
- Source Interface/Zone: ssl.root (the SSL-VPN tunnel interface)
- Source Address: SSLVPN_TUNNEL_ADDR1
- Destination Interface: LAN
- Destination Address: LAN-192.168.1.0/24 (use your own LAN address object)
- Service: ANY (lock this down later)
- Enable NAT: ticked
Ensure you specify a destination address range: we ran into issues leaving this set to ANY when using split tunneling. In this release the routes pushed to a split-tunnel client are taken from the destination addresses of the policies on the SSL-VPN interface, so a destination of ANY gives the client no useful route set, and it is a far wider policy than you need in any case. You can lock this policy down later to the specific addresses or services you choose.
Enabling NAT means LAN hosts (and their logs) see every VPN client as the FortiGate's LAN interface address. If you need per-client visibility on the LAN, untick NAT; LAN hosts then need a route back to 10.0.0.0/24 via the FortiGate, which they already have if it is their default gateway.
Configuring a static route for the SSL-VPN range
Go into Router – Static – Static Route. Create a new route with the following settings:
- Destination IP/Mask: 10.0.0.0/24 (the /24 we specified for SSLVPN_TUNNEL_ADDR1)
- Device: ssl.root (the SSL-VPN tunnel interface); leave the Gateway at 0.0.0.0
Without this route the FortiGate has no path to the tunnel addresses, so return traffic for the policy above is dropped and clients connect but cannot reach anything.
Log into your SSL-VPN portal as normal and you should be prompted to install the FortiClient SSL VPN software. Once this has been done, restart your browser and log back in to the SSL-VPN portal. When you click Connect in the Tunnel Mode window you should get full connectivity into your LAN (in our case 192.168.1.0/24), while the client's other traffic continues to use its local gateway.