Configuration Example SSL-VPN


11/12/2015

Technical Note : Configuration example for SSL VPN gateway in tunnel mode for multiple customers


Products: FortiGate

Purpose: This article describes a solution where multiple customers require their own portal in tunnel mode to be able to access their internal resources.

Scope: FortiGate SSL VPN

Diagram: (network diagram image, not reproduced in the extracted text)

Expectations, Requirements: Customer1 and Customer2 need a customized SSL VPN portal allowing tunnel mode. They need to access the resources located behind their respective VDOMs. Split-tunneling is required. A perimeter VDOM (the default root VDOM) is used for the Internet connection and SSL-VPN termination. Inter-VDOM links carry the traffic from the perimeter VDOM to the customer VDOMs.

Configuration

root VDOM configuration framework:
============================
- SSL VPN IP pool for each customer
- SSL VPN portals
- Users and user groups, with assignment to the respective SSL VPN portal
- SSL VPN firewall policy (identity based)
- Firewall policies for traffic between the root VDOM and the customer VDOMs via the inter-VDOM links
- Static routes towards the virtual SSL VPN interface
- Static routes towards the customers' subnets

Customer VDOM configuration framework:
=================================
- Static routes towards the SSL VPN IP pool subnets
- Firewall policies for traffic between the root VDOM and the customer VDOM via the inter-VDOM links

The customer VDOM configuration is not provided here since it contains only standard routing and firewall policy settings.

root VDOM configuration
====================

FGT (root) # show firewall address
config firewall address
    edit "SSLVPN_TUNNEL_cust1"
        set subnet 10.20.20.0 255.255.255.240
    next
    edit "SSLVPN_TUNNEL_cust2"
        set subnet 10.20.20.16 255.255.255.240
    next
    edit "cust1-vlan"
        set subnet 172.10.1.0 255.255.255.0
    next
    edit "cust2-vlan"
        set subnet 172.20.2.0 255.255.255.0
    next
end

FGT (root) # show vpn ssl settings
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" "SSLVPN_TUNNEL_cust1" "SSLVPN_TUNNEL_cust2"
end

FGT (root) # show vpn ssl web portal Portal1
config vpn ssl web portal
    edit "Portal1"
        set heading "Welcome to SSL VPN Customer1"
        set page-layout double-column
        config widget
            edit 4
                set name "Session Information"
                set type info
            next
            edit 1
                set name "Bookmarks"
                set allow-apps web ftp smb telnet ssh vnc rdp citrix rdpnative portforward
            next
            edit 3
                set name "Tunnel Mode"
                set type tunnel
                set tunnel-status enable
                set split-tunneling enable
                set ip-pools "SSLVPN_TUNNEL_cust1"
            next
            edit 2
                set name "Connection Tool"
                set type tool
                set allow-apps web ftp smb telnet ssh vnc rdp ping citrix rdpnative portforward
            next
        end
    next
end


FGT (root) # show vpn ssl web portal Portal2
config vpn ssl web portal
    edit "Portal2"
        set heading "Welcome to SSL VPN Customer2"
        set page-layout double-column
        config widget
            edit 4
                set name "Session Information"
                set type info
            next
            edit 3
                set name "Tunnel Mode"
                set type tunnel
                set tunnel-status enable
                set split-tunneling enable
                set ip-pools "SSLVPN_TUNNEL_cust2"
            next
        end
    next
end

FGT (root) # show user local
config user local
    edit "customer1"
        set type password
        set passwd ENC Lm1RcvRBCJCDnnM1AX1zqnfr7tXMJFfrIZr18L6P+gHjLBjbuoGk/jmGZbggBEJnb3+S6XYUf5m7YfNnHQNenYI6itWcR5SLm098bqqO+DCBboXo
    next
    edit "customer2"
        set type password
        set passwd ENC QOAlC3B2fKsrp12v+SkT7CWyiJRUlJ7KRrhuVPNpxn3R3Hycx7M//91SRUAU98z9cxMTb78kUiw9aHOpIOnQtTgVPF9iYaPCMhDQA/NxoICCnZ5P
    next
end

FGT (root) # show user group
config user group
    edit "portal1-users"
        set sslvpn-portal "Portal1"
        set member "customer1"
    next
    edit "portal2-users"
        set sslvpn-portal "Portal2"
        set member "customer2"
    next
end

FGT (root) # show router static
config router static
    edit 5
        set device "ssl.root"
        set dst 10.20.0.0 255.255.0.0
    next
    edit 6
        set device "VDL-Cust10"
        set dst 172.10.1.0 255.255.255.0
    next
    edit 7
        set device "VDL-Cust20"
        set dst 172.20.2.0 255.255.255.0
    next
end

FGT (root) # show firewall policy
config firewall policy
    edit 8
        set srcintf "ssl.root"
        set dstintf "VDL-Cust10"
        set srcaddr "SSLVPN_TUNNEL_cust1"
        set dstaddr "cust1-vlan"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 9
        set srcintf "ssl.root"
        set dstintf "VDL-Cust20"
        set srcaddr "SSLVPN_TUNNEL_cust2"
        set dstaddr "cust2-vlan"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 10
        set srcintf "port1"
        set dstintf "VDL-Cust10"
        set srcaddr "all"
        set dstaddr "cust1-vlan"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "portal1-users"
                set service "ANY"
            next
        end
    next
    edit 11
        set srcintf "port1"
        set dstintf "VDL-Cust20"
        set srcaddr "all"
        set dstaddr "cust2-vlan"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "portal2-users"
                set service "ANY"
            next
        end
    next
end
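The whole point of the root VDOM configuration above is tenant isolation: each customer's tunnel IP pool is a separate address object, and the only accept policies sourced from that pool lead to that customer's own VLAN over that customer's own inter-VDOM link. The following script is an added example, not code from the Fortinet article: it parses FortiOS "show" output (config / edit / set / next / end blocks) into Python structures and checks that property, plus that the tunnel pools do not overlap. CONFIG is a constructed excerpt modelled on the article's root VDOM configuration, BAD_CONFIG is a constructed misconfiguration, and the TENANTS map (which pool, VLAN object and inter-VDOM link belong to which customer) is an assumption made for this example.

```python
# Added example (not from the Fortinet article): parse FortiOS "show" output and
# verify that each customer's SSL VPN pool can only reach that customer's VLAN.
import ipaddress
import shlex

# Constructed excerpt modelled on the article's root VDOM configuration.
CONFIG = """
config firewall address
    edit "SSLVPN_TUNNEL_cust1"
        set subnet 10.20.20.0 255.255.255.240
    next
    edit "SSLVPN_TUNNEL_cust2"
        set subnet 10.20.20.16 255.255.255.240
    next
    edit "cust1-vlan"
        set subnet 172.10.1.0 255.255.255.0
    next
    edit "cust2-vlan"
        set subnet 172.20.2.0 255.255.255.0
    next
end
config firewall policy
    edit 8
        set srcintf "ssl.root"
        set dstintf "VDL-Cust10"
        set srcaddr "SSLVPN_TUNNEL_cust1"
        set dstaddr "cust1-vlan"
        set action accept
    next
    edit 9
        set srcintf "ssl.root"
        set dstintf "VDL-Cust20"
        set srcaddr "SSLVPN_TUNNEL_cust2"
        set dstaddr "cust2-vlan"
        set action accept
    next
end
"""
# Constructed misconfiguration: policy 9 points cust2's pool at cust1's VLAN.
BAD_CONFIG = CONFIG.replace('set dstaddr "cust2-vlan"', 'set dstaddr "cust1-vlan"')
# Assumed tenant map (not from the article): pool, VLAN object and inter-VDOM link.
TENANTS = {
    "cust1": {"pool": "SSLVPN_TUNNEL_cust1", "vlan": "cust1-vlan", "link": "VDL-Cust10"},
    "cust2": {"pool": "SSLVPN_TUNNEL_cust2", "vlan": "cust2-vlan", "link": "VDL-Cust20"},
}

def parse_fortios(text):
    # Returns {table: {entry_id: {key: [values]}}}. Keys inside a nested "config"
    # sub-table are prefixed with its name; "set" lines with no "edit" go to "_global".
    tables, table, entry, nested = {}, None, None, []
    for raw in text.splitlines():
        kw, _, rest = raw.strip().partition(" ")
        if kw == "config" and table is None:
            table, entry = rest, None
            tables.setdefault(table, {})
        elif kw == "config":
            nested.append(rest)
        elif kw == "edit" and not nested:
            entry = tables[table].setdefault(rest.strip('"'), {})
        elif kw == "set":
            key, _, vals = rest.partition(" ")
            target = entry if entry is not None else tables[table].setdefault("_global", {})
            target.setdefault(".".join(nested + [key]), []).extend(shlex.split(vals))
        elif kw == "end" and nested:
            nested.pop()
        elif kw == "end":
            table = None
    return tables

def address_networks(tables):
    # Map each subnet-type firewall address object to an ip_network.
    nets = {}
    for name, attrs in tables.get("firewall address", {}).items():
        if "subnet" in attrs:
            ip, mask = attrs["subnet"]
            nets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets

def check_isolation(tables, tenants):
    # Returns a list of findings; an empty list means the tenants are isolated.
    findings, nets = [], address_networks(tables)
    pools = [(t, nets[c["pool"]]) for t, c in tenants.items()]
    for i, (ta, na) in enumerate(pools):  # pools must not overlap
        for tb, nb in pools[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"pool overlap: {ta} {na} and {tb} {nb}")
    owner_of = {c["pool"]: t for t, c in tenants.items()}
    for pid, p in tables.get("firewall policy", {}).items():
        if p.get("action") != ["accept"]:
            continue
        for src in p.get("srcaddr", []):
            if src not in owner_of:
                continue
            # Every destination object and egress link must belong to the same tenant.
            want = tenants[owner_of[src]]
            bad = [d for d in p.get("dstaddr", []) if d != want["vlan"]]
            bad += [i for i in p.get("dstintf", []) if i != want["link"]]
            if bad:
                findings.append(f"policy {pid}: {owner_of[src]} pool {src} may reach {bad}")
    return findings
```

Run `check_isolation(parse_fortios(CONFIG), TENANTS)` against the article-style excerpt and it returns an empty list; run it against BAD_CONFIG and it reports policy 9 letting the cust2 pool reach cust1-vlan. The check deliberately keys on the address objects and inter-VDOM link names rather than on the ssl-vpn landing policies (10 and 11), because those use srcaddr "all" by design and the per-tenant restriction lives in the accept policies and in which pool each portal hands out.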

Verification

Customer1 accessing Portal1:
=====================

Windows IP Configuration

PPP adapter fortissl:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.20.20.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.100.254  192.168.171.180     20
       10.20.20.1  255.255.255.255          On-link       10.20.20.1    276
       172.10.1.0    255.255.255.0       10.20.20.2       10.20.20.1     20

C:\Users\>ping 172.10.1.1

Pinging 172.10.1.1 with 32 bytes of data:
Reply from 172.10.1.1: bytes=32 time=13ms TTL=254
Reply from 172.10.1.1: bytes=32 time=1ms TTL=254
Reply from 172.10.1.1: bytes=32 time=1ms TTL=254

Customer2 accessing Portal2:
=====================

Windows IP Configuration

PPP adapter fortissl:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.20.20.17
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.100.254  192.168.171.180     20
      10.20.20.17  255.255.255.255          On-link      10.20.20.17    276
       172.20.2.0    255.255.255.0      10.20.20.18      10.20.20.17     20

C:\Users\>ping 172.20.2.1

Pinging 172.20.2.1 with 32 bytes of data:
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254
Reply from 172.20.2.1: bytes=32 time=1ms TTL=254

Last Modified Date: 01-24-2013
Document ID: FD33950

http://kb.fortinet.com/kb/viewContent.do?externalId=FD33950&sliceId=1
