Fortigate SSL VPN

There are two modes of VPN that we can utilize, Tunnel and Split-Tunnel. In Tunnel mode, when your client connects to the VPN all traffic will go through the VPN. But in Split-Tunnel mode, traffic only destined for resources on the other end of the VPN will go through the tunnel and all other traffic will go through your local network as normal. Both modes will be covered in this tutorial so we can see the different results each provide.

Tunnel mode would normally be used if you want to secure all your traffic. A lot of free/paid VPN services use this mode and provide security and limited anonymity.

Split-Tunnel mode would be used if you needed to connect to a shared folder at work from home. When connecting, traffic from writing to and from that shared folder you needed would go through the tunnel and all other internet traffic would go through your local internet connection.

Need a Fortigate Firewall for learning? Buy one here - https://amzn.to/2Yl6tZ5

Here we are presented with 3 presets of tunnels and you need to decide what access type you want to give your users. Notice that the presets have either Web Mode, Tunnel Mode or both enabled. In this example, we will only use the full-access preset. You can go in and customize your portal to your preference.

Go into full-access and set the following:

Disable Split Tunneling
Source IP Pools will be the default VPN IP Pool SSLVPN_TUNNEL_ADDR1 and then OK

Here we can customize the port number the SSL VPN tunnel and Web interface will listen on. We will be using 4433 but you need to make sure that it does not interfere with any other port your Firewall is listening on.

Set the following:

Listen on Interface(s) should be your WAN interface, in my case Outside (wan1)
Listen on Port will be as mentioned 4433
Select Allow access from any hosts
Server Certificate can be left as default for now, i am using my own signed.
Select Automatically assign addresses
Set DNS Server to your preference, in my case i have internal DNS servers 192.168.0.24 and 192.168.0.13
Under Authentication/Portal Mapping lets edit All Other Users/Groups and set it to full-access

Here we will Create New and setup a new user as the following:

Local User and Next
Username and Password for me will be test and Next
Skip Contact Info for now, but in your organization you can set the user's email address or phone for SMS as desired, and Next
Select Enable User Account and select User Group then set it to SSLVPN_USERS (create if it does not exist) and Create

This is where we will be creating policies to allow users to access internal resources and internet access through the tunnel.

Create New and set the following:

Name: VPN to INTERNAL
Incoming Interface: SSL-VPN tunnel interface
Outgoing Interface: internal or whatever your local LAN is called
Source: SSLVPN_TUNNEL_ADDR1 and SSLVPN_USERS from the User tab
Destination Address: all
Schedule: always or if you want to have your users on a specific schedule, you can customize that here
Service: all or you can specify Protocols they are allowed to only use
Action: ACCEPT
Enable NAT
Service Profiles you can select any services you have available if you want to
Select Enable this policy and OK

Create New again and set the following:

Name: VPN to OUTSIDE
Incoming Interface: SSL-VPN tunnel interface
Outgoing Interface: Outside (wan1) or whatever your local WAN interface is
Source: all
Destination Address: all
Schedule: always or if you want to have your users on a specific schedule, you can customize that here
Service: all or you can specify Protocols they are allowed to only use
Action: ACCEPT
Enable NAT
Service Profiles you can select any services you have available if you want to
Select Enable this policy and OK

1. Navigate to the VPN Web Access page by going to https://1.1.1.1:4433/, of course use your own IP Address for the WAN. You should now be at the current login, notice its different from the Configuration Login page.

5. In Configure VPN lets select the SSL-VPN tab and configure our connection:

Connection Name: Give it a name!
Description: Pretty straight forward, describe your connection
Remote Gateway: Here we will enter our WAN IP Address or Domain Name
Customize Port: If you used a different port than 443, check Customize Port and enter the port you configured in SSL-VPN Settings Earlier
Authentication: Here its pretty straight forward but these settings can be customized when you edit or create an SSL-VPN Portal
Client Certificate: We will leave this unselected as we will not be using a Client Certificate
Do not Warn Invalid Server Certificate: Select this if you don't want to be reminded that you have a Self-Signed SSL Certificate
Apply and Close

1. Open a Command Prompt or Powershell window and execute:

ipconfig

Lets look for our Interface and look at the IP Configuration we were assigned. In my case, i received the following:

Ethernet adapter Ethernet 6:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7dec:199a:5ea0:e72e%9
IPv4 Address. . . . . . . . . . . : 10.212.134.200
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.212.134.201

Notice how in Tunnel Mode we are given a Gateway Address.

2. Now lets execute:

route print

Looking at our routing table, we can see that our first Default Gateway is now the VPN Tunnel Gateway given the metric 1 (1 being highest priority or most preferred) and our local internet as alternative given metric 35. This means that all traffic will go through our VPN Tunnel's gateway first.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination    Netmask     Gateway    Interface Metric
     0.0.0.0     0.0.0.0  192.168.212.1 192.168.212.38   35
     0.0.0.0     0.0.0.0 10.212.134.201 10.212.134.200   1

3. Lets execute a PING command on an internal resource. In my case, i will ping one of the DNS servers i have in my network:

PS C:\Users\Linuxman> ping 192.168.0.13

Pinging 192.168.0.13 with 32 bytes of data:
Reply from 192.168.0.13: bytes=32 time=57ms TTL=63
Reply from 192.168.0.13: bytes=32 time=54ms TTL=63
Reply from 192.168.0.13: bytes=32 time=56ms TTL=63
Reply from 192.168.0.13: bytes=32 time=68ms TTL=63

Ping statistics for 192.168.0.13:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 54ms, Maximum = 68ms, Average = 58ms

Here i am able to PING one of the DNS Servers successfully.

4. Lastly lets run a TRACEROUTE and see the path we take to get to our DNS Server:

PS C:\Users\Linuxman> tracert 192.168.0.13

Tracing route to 192.168.0.13 [192.168.0.13]
over a maximum of 30 hops:

1 64 ms 46 ms 53 ms DESKTOP-AAPJS7M [10.212.134.200]
2 50 ms 48 ms 74 ms 192.168.0.13 [192.168.0.13]

Trace complete.

Here we see that our packets travel through our VPN Address first and then to the DNS Server. If we were running this command locally, then the trace would look something like this:

PS C:\Users\linuxman> tracert 192.168.0.13

Tracing route to 192.168.0.13 [192.168.0.13]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.13 [192.168.0.13]

Trace complete.

1. To enable Split-Tunnel, go back into the SSL-VPN Portals > full-access and check "Enable Split Tunneling". But first we need to create an address object for the subnet we want to allow access to. Remember this settings for later.

2. Now we need to add a Routing Address. This address object will be the subnet of the network you want your SSL VPN Users to access. First we need to go into Policy & Objects > Addresses.

Click on Create New > Address
Name: Give the Address a distinguishable name. Ex. Internal
Type: Should be Subnet
Subnet/IP Range: Will be the subnet of the network you will give access to. Ex. 192.168.0.0/24
Click Ok

3. Before we can enable Split-Tunnel, we have to delete the VPN to WAN rule we created earlier in Policy & Objects > IPv4 Policy. We are not performing a full Tunnel so this rule is not needed.

4. Now that the VPN to WAN rule is gone, lets go back to the SSL-VPN Portals > full-access and just like in step 1, check Enable Split Tunneling.

Click on the +
Select the address object you created in step 2
Click Ok

1. Once you are connected to the VPN tunnel sucessfully. Open a Command Prompt or PowerShell window and run the following command.

ipconfig

Lets look for our Interface and look at the IP Configuration we were assigned. In my case, i received the following:

Notice how this time we do not get a default gateway for our tunnel interface.

2. Now lets execute:

route print

Looking at our routing table, we can see that our Default Gateway is our own network and our remote network as alternative given metric 1. This means that all traffic will go through our local network gateway and any traffic destined for our remote network will go through the VPN Tunnel.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.212.1 192.168.212.38 25
192.168.0.0 255.255.255.0 10.212.134.201 10.212.134.200 1

3. Lets execute a PING command on an internal resource. In my case, i will ping one of the DNS servers i have in my network:

Here i am able to PING one of the DNS Servers successfully.

4. Lastly lets run a TRACEROUTE and see the path we take to get to our DNS Server:

Here we see that our packets travel through our VPN Address first and then to the DNS Server. If we were running this command locally, then the trace would look something like this:

PS C:\Users\linuxman> tracert 192.168.0.13

Tracing route to 192.168.0.13 [192.168.0.13]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.0.13 [192.168.0.13]

Trace complete.

Fortigate SSL VPN

Tunnel Mode

Configure VPN Tunnel

Configure VPN Client

Test Connectivity

Split-Tunnel Mode

Configure VPN Tunnel

Test Connectivity