Steps to configure Remote SSL VPN in FortiGate with CLI
Create an ssl.root interface for the SSL VPN tunnel
config system interface
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "Remote SSL VPN interface"
end
Create an IP pool called SSLVPN_IP_POOL (10.212.134.200 – 10.212.134.210) to assign IP addresses to remote SSL VPN users
config firewall address
edit "SSLVPN_IP_POOL"
set type iprange
set associated-interface "ssl.root"
set start-ip 10.212.134.200
set end-ip 10.212.134.210
end
Create a local user called sslvpn with a password defined
config user local
edit "sslvpn"
set type password
set passwd P@ssw0rd
end
Create a group called SSLVPN_GROUP and assign sslvpn as a member (the firewall policies below reference the group by this name, so it must match)
config user group
edit "SSLVPN_GROUP"
set member "sslvpn"
end
Enable tunnel mode and assign SSLVPN_IP_POOL in the full-access portal
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ip-pools "SSLVPN_IP_POOL"
end
Configure the SSL VPN settings with the following:
- SSL certificate to be used – the default is the FortiGate self-signed certificate
- IP addresses to be assigned to remote SSL VPN clients
- SSL VPN port number – the default is 443; we changed it to 12443
- Source interface – the external (WAN) interface
- Change the default portal to full-access
- DNS servers – point to the internal AD/DNS servers for name resolution
config vpn ssl settings
set servercert "AventisLab.com"
set tunnel-ip-pools "SSLVPN_IP_POOL"
set port 12443
set source-interface "wan1"
set source-address "all"
set default-portal "full-access"
set dns-server1 192.168.1.200
set dns-server2 192.168.1.201
set dtls-tunnel enable
end
(Screenshot: SSL VPN settings in the web UI)
Create the following firewall policies to allow traffic between the SSL VPN tunnel and the LAN in both directions:
- SSLVPN-LAN – allow traffic from the SSL VPN tunnel to the LAN for SSLVPN_GROUP only
- LAN-SSLVPN – allow traffic from the LAN to the SSL VPN tunnel for SSLVPN_GROUP only
config firewall policy
edit 100
set name "SSLVPN-LAN"
set srcintf "ssl.root"
set dstintf "internal"
set srcaddr "all"
set dstaddr "192.168.1.0"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set groups "SSLVPN_GROUP"
next
edit 101
set name "LAN-SSLVPN"
set srcintf "internal"
set dstintf "ssl.root"
set srcaddr "192.168.1.0"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set groups "SSLVPN_GROUP"
end
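As an added example (not from the original post and not Fortinet code), the Python script below parses FortiOS CLI configuration text of the kind shown in the steps above and reports references to objects that were never defined: a policy's set groups pointing at a group name that differs from the one created, or an ip-pools or tunnel-ip-pools value with no matching firewall address. The CLI normally rejects such a reference when it is typed interactively, but a script or configuration dump prepared offline can carry one unnoticed, and a policy that names the wrong group admits no user. The sample configuration embedded in the script is constructed to mirror the objects on this page, with the group deliberately created as "SSLVPN" while both policies reference "SSLVPN_GROUP"; the REFERENCES table lists only the datasources used on this page and is an assumption, not FortiOS's full list.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    Shape: {"firewall policy": {"100": {"name": ["SSLVPN-LAN"], ...}}, ...};
    a flat block like 'config vpn ssl settings' holds its 'set' keys directly.
    Values stay lists of tokens, so 'set groups "A" "B"' is preserved.
    """
    root = {}
    stack = [("config", root)]          # (kind, container) per open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)      # honours the double quotes FortiOS uses
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", table))
        elif cmd == "edit":
            entry = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", entry))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":
            # FortiOS accepts 'end' right after an edit block with no 'next',
            # as the steps above do, so close any entry still open first.
            while stack[-1][0] == "edit":
                stack.pop()
            stack.pop()
    return root

# (table, key) -> table whose entry names the values of that key must match.
# Assumption: only the datasources this page uses; FortiOS has many more.
REFERENCES = {
    ("firewall policy", "groups"): "user group",
    ("vpn ssl settings", "tunnel-ip-pools"): "firewall address",
    ("vpn ssl web portal", "ip-pools"): "firewall address",
}

def dangling_references(cfg):
    """Return (table, entry, key, value) for each reference to an undefined object."""
    problems = []
    for (table, key), target in REFERENCES.items():
        defined = set(cfg.get(target, {}))
        block = cfg.get(table, {})
        # A table like 'firewall policy' holds entries; 'vpn ssl settings' is flat.
        if block and all(isinstance(v, dict) for v in block.values()):
            entries = list(block.items())
        else:
            entries = [(None, block)]
        for name, entry in entries:
            for value in entry.get(key, []):
                if value not in defined:
                    problems.append((table, name, key, value))
    return problems

# Constructed sample mirroring the objects on this page; the group is deliberately
# created as "SSLVPN" while both policies reference "SSLVPN_GROUP".
SAMPLE_CONFIG = """
config firewall address
    edit "SSLVPN_IP_POOL"
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    end
config user group
    edit "SSLVPN"
        set member "sslvpn"
    end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_IP_POOL"
    end
config vpn ssl settings
    set tunnel-ip-pools "SSLVPN_IP_POOL"
    set port 12443
end
config firewall policy
    edit 100
        set name "SSLVPN-LAN"
        set groups "SSLVPN_GROUP"
    next
    edit 101
        set name "LAN-SSLVPN"
        set groups "SSLVPN_GROUP"
    end
"""

if __name__ == "__main__":
    for table, entry, key, value in dangling_references(parse_fortios(SAMPLE_CONFIG)):
        where = f"{table} {entry}" if entry else table
        print(f"{where}: set {key} {value!r} points at nothing defined")
```

Run against the sample it prints both policies as referencing an undefined group; rename the group to SSLVPN_GROUP (or change the policies to SSLVPN) and the report is empty. Feed it a `show full-configuration` dump instead of the sample to review a live device the same way.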
Configure FortiClient with the FQDN or IP address of the WAN interface, the custom port 12443, and the username sslvpn
Log in to the SSL VPN successfully
Some useful commands to troubleshoot the remote SSL VPN
Show active SSL VPN users with execute vpn sslvpn list:
FG60E # execute vpn sslvpn list
SSL VPN Login Users:
Index User Auth Type Timeout From HTTP in/out HTTPS in/out
0 sslvpn 1(1) 296 14.1.227.206 0/0 0/0
SSL VPN sessions:
Index User Source IP Duration I/O Bytes Tunnel/Dest IP
0 sslvpn 14.1.227.206 670 24470/35484 10.28.28.10
To disconnect an SSL VPN user, replace <index> with the Index value shown in the session list:
execute vpn sslvpn del-tunnel <index>
To disconnect all SSL VPN users:
execute vpn ssl del-all tunnel
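As an added example (not part of the original post and not a Fortinet tool), the Python script below parses the session table printed by execute vpn sslvpn list, in the layout shown above, into records; lists the del-tunnel commands needed to drop every tunnel belonging to one user, since the index is per session and a user can hold more than one; and flags sessions whose source IP lies outside the address ranges you expect users to connect from, a quick check during incident triage. The output embedded in the script is constructed to match the column layout above; the user names, the addresses (documentation ranges) and the EXPECTED_SOURCES networks are made-up values.

```python
import ipaddress
import re

# One row of the "SSL VPN sessions:" table:
#   Index  User  Source IP  Duration  I/O Bytes  Tunnel/Dest IP
SESSION_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<user>\S+)\s+(?P<source_ip>\S+)\s+(?P<duration>\d+)"
    r"\s+(?P<bytes_in>\d+)/(?P<bytes_out>\d+)\s+(?P<tunnel_ip>\S+)\s*$"
)

def parse_sessions(output):
    """Return the 'SSL VPN sessions' rows of 'execute vpn sslvpn list' as dicts."""
    sessions, in_table = [], False
    for line in output.splitlines():
        if line.strip() == "SSL VPN sessions:":
            in_table = True
            continue
        if line.strip() == "SSL VPN Login Users:":
            in_table = False           # the login-user table has a different layout
            continue
        match = SESSION_ROW.match(line) if in_table else None
        if match:
            row = match.groupdict()
            for key in ("index", "duration", "bytes_in", "bytes_out"):
                row[key] = int(row[key])
            sessions.append(row)
    return sessions

def del_tunnel_commands(sessions, user):
    """Commands to disconnect every tunnel of one user (one per session index)."""
    return [f"execute vpn sslvpn del-tunnel {s['index']}"
            for s in sessions if s["user"] == user]

def sessions_from_unexpected_sources(sessions, expected_networks):
    """Sessions whose source IP is outside all of the expected networks."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return [s for s in sessions
            if not any(ipaddress.ip_address(s["source_ip"]) in net for net in nets)]

# Constructed sample in the layout of 'execute vpn sslvpn list'; names and
# addresses are made up (documentation ranges), not real sessions.
SAMPLE_OUTPUT = """\
SSL VPN Login Users:
 Index   User    Auth Type   Timeout   From            HTTP in/out   HTTPS in/out
 0       alice   1(1)        296       203.0.113.7     0/0           0/0
 1       bob     1(1)        281       198.51.100.9    0/0           0/0

SSL VPN sessions:
 Index   User    Source IP       Duration   I/O Bytes      Tunnel/Dest IP
 0       alice   203.0.113.7     670        24470/35484    10.212.134.200
 1       bob     198.51.100.9    95         1020/3310      10.212.134.201
 2       alice   192.0.2.44      12         310/640        10.212.134.202
"""

EXPECTED_SOURCES = ["203.0.113.0/24", "198.51.100.0/24"]   # assumed office/ISP ranges

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    for s in sessions_from_unexpected_sources(sessions, EXPECTED_SOURCES):
        print(f"session {s['index']} for {s['user']} from unexpected source {s['source_ip']}")
    print("\n".join(del_tunnel_commands(sessions, "alice")))
```

On the sample, session 2 is reported because 192.0.2.44 is outside both expected networks, and the commands printed for alice cover indices 0 and 2, which is what you would paste into the CLI after confirming the sessions should be dropped. Paste the real command output into SAMPLE_OUTPUT, or read it from a file, to run the same checks on a live device.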