Fortigate SSL VPN

There are two modes of SSL VPN we can use, Tunnel and Split-Tunnel. In Tunnel mode, once your client connects to the VPN all of its traffic goes through the tunnel. In Split-Tunnel mode, only traffic destined for resources on the other end of the VPN goes through the tunnel, and everything else leaves through your local network as normal. Both modes are covered in this tutorial so we can compare the results each one gives.

Tunnel mode would normally be used if you want all of your traffic secured and inspected by the firewall, wherever the client happens to be. A lot of free and paid VPN services use this mode and provide security and limited anonymity.

Split-Tunnel mode would be used if you needed to connect to a shared folder at work from home. Traffic to and from that shared folder goes through the tunnel and all other internet traffic goes through your local internet connection. The trade-off is that the firewall never sees that other traffic, so the remote machine is only as protected as its own defenses while it is attached to your network at the same time.

Need a Fortigate Firewall for learning? Buy one here - https://amzn.to/2Yl6tZ5

Tunnel Mode

Configure VPN Tunnel

1. Log into your Fortigate and navigate to VPN > SSL-VPN Portals.

Here we are presented with three preset portals and you need to decide what type of access you want to give your users. Notice that the presets have Web Mode, Tunnel Mode or both enabled. In this example we will only use the full-access preset; you can go in and customize your portal to your preference.

Go into full-access and set the following:

  • Disable Split Tunneling
  • Source IP Pools: keep the default VPN IP pool SSLVPN_TUNNEL_ADDR1, then OK

2. Navigate to VPN > SSL-VPN Settings.

Here we can customize the port the SSL VPN tunnel and web portal listen on. We will be using 4433, but make sure it does not collide with a port your firewall already listens on, such as the admin HTTPS port (443 by default).

Set the following:

  • Listen on Interface(s) should be your WAN interface, in my case Outside (wan1)
  • Listen on Port will be 4433 as mentioned
  • Select Allow access from any hosts. This is fine for a lab; since the portal is an internet-facing login page, a production deployment should use Limit access to specific hosts and list the client ranges that are allowed to reach it.
  • Server Certificate can be left as default for now; I am using my own signed certificate.
  • Select Automatically assign addresses
  • Set DNS Server to your preference, in my case I have internal DNS servers 192.168.0.24 and 192.168.0.13
  • Under Authentication/Portal Mapping, let's edit All Other Users/Groups and set it to full-access

3. Navigate to User & Device > User Definition

Here we will Create New and setup a new user as the following:

  • Local User and Next
  • Username and Password: for me the username will be test, then Next
  • Skip Contact Info for now; in your organization you can set the user's email address or phone number for SMS, which is also what Two-factor Authentication on this user would use, and this is worth turning on for anything beyond a lab. Then Next
  • Select Enable User Account, select User Group and set it to SSLVPN_USERS (create it if it does not exist), then Create

Now that we have our user test created, we need to allow VPN users to access internal resources.

4. Navigate to Policy & Objects > IPv4 Policy

This is where we will be creating policies to allow users to access internal resources and internet access through the tunnel.

Create New and set the following:

  • Name: VPN to INTERNAL
  • Incoming Interface: SSL-VPN tunnel interface
  • Outgoing Interface: internal or whatever your local LAN is called
  • Source: SSLVPN_TUNNEL_ADDR1 and SSLVPN_USERS from the User tab
  • Destination Address: all
  • Schedule: always or if you want to have your users on a specific schedule, you can customize that here
  • Service: all or you can specify Protocols they are allowed to only use
  • Action: ACCEPT
  • Enable NAT
  • Security Profiles: you can select any profiles you have available if you want to
  • Select Enable this policy and OK

Create New again and set the following:

  • Name: VPN to OUTSIDE
  • Incoming Interface: SSL-VPN tunnel interface
  • Outgoing Interface: Outside (wan1) or whatever your local WAN interface is
  • Source: all, or, tighter, the same SSLVPN_TUNNEL_ADDR1 and SSLVPN_USERS as in the previous policy, so only authenticated VPN users can reach the internet through the firewall
  • Destination Address: all
  • Schedule: always or if you want to have your users on a specific schedule, you can customize that here
  • Service: all or you can specify Protocols they are allowed to only use
  • Action: ACCEPT
  • Enable NAT
  • Security Profiles: you can select any profiles you have available if you want to
  • Select Enable this policy and OK

This should be the end result
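The same four steps expressed in the FortiOS CLI. This is an added example, not part of the original tutorial. It assumes the tutorial's names (the full-access portal, SSLVPN_TUNNEL_ADDR1, SSLVPN_USERS, wan1, internal and the user test) and the root VDOM, where the SSL-VPN tunnel interface is called ssl.root; the password, the e-mail address and the Trusted-Clients address object are placeholders. Lines introduced with a "hardened" comment are what a production deployment should use instead of the lab values chosen in the steps above.

```fortios
# Step 1: portal. full-access already exists; only the two fields the tutorial changes are set.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Step 2: VPN > SSL-VPN Settings.
config vpn ssl settings
    set source-interface "wan1"
    set port 4433
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-server1 192.168.0.24
    set dns-server2 192.168.0.13
    # "Allow access from any hosts", as in the tutorial:
    set source-address "all"
    # hardened: an address or geography object naming the allowed client ranges (placeholder name)
    # set source-address "Trusted-Clients"
    # hardened: refuse TLS 1.0/1.1 clients
    set ssl-min-proto-version tls1-2
    # hardened: block a source for 60 seconds after 3 failed logins
    set login-attempt-limit 3
    set login-block-time 60
    # "All Other Users/Groups" -> full-access, as in the tutorial
    set default-portal "full-access"
    # hardened: map the VPN group to its portal explicitly instead of relying on the default
    config authentication-rule
        edit 1
            set groups "SSLVPN_USERS"
            set portal "full-access"
        next
    end
end

# Step 3: User & Device > User Definition.
config user local
    edit "test"
        set type password
        # placeholder; use a real passphrase
        set passwd "ChangeMe-123"
        # hardened: second factor delivered by e-mail (sms and fortitoken are the alternatives);
        # needs a mail server configured on the FortiGate, address is a placeholder
        set two-factor email
        set email-to "test@example.com"
    next
end
config user group
    edit "SSLVPN_USERS"
        set member "test"
    next
end

# Step 4: the two policies. "edit 0" lets the FortiGate assign the next free policy ID.
config firewall policy
    edit 0
        set name "VPN to INTERNAL"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "SSLVPN_USERS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # hardened: log every session so VPN activity is visible in your SIEM
        set logtraffic all
    next
    edit 0
        set name "VPN to OUTSIDE"
        set srcintf "ssl.root"
        set dstintf "wan1"
        # the tutorial uses "all" here; restricting it to the pool and group is the hardened choice
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "SSLVPN_USERS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Paste it into an SSH session on the FortiGate (or apply it with the CLI console in the GUI). `show vpn ssl settings` and `show firewall policy` afterwards should mirror what the screenshots above show, with the hardened lines as the only differences.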

Configure VPN Client

1. Navigate to the SSL VPN web portal at https://1.1.1.1:4433/, using your own WAN IP address of course. You should now see the SSL VPN login page; notice it is different from the administration login page.

2. Log in as the user you created, in this case test, and you should now be in the VPN portal.

3. In the portal, download and install the client for your OS and you can log out of the portal.

4. After downloading and installing, launch FortiClient, navigate to Remote Access and choose Configure VPN.

5. In Configure VPN, let's select the SSL-VPN tab and configure our connection:

  • Connection Name: Give it a name!
  • Description: Pretty straight forward, describe your connection
  • Remote Gateway: Here we will enter our WAN IP Address or Domain Name
  • Customize Port: If you used a different port than 443, check Customize Port and enter the port you configured in SSL-VPN Settings Earlier
  • Authentication: straightforward here; these settings can be customized when you edit or create an SSL-VPN Portal
  • Client Certificate: We will leave this unselected as we will not be using a client certificate
  • Do not Warn Invalid Server Certificate: select this only in a lab if you don't want to be reminded that you have a self-signed certificate. Leaving it on disables the one check that tells the client it is talking to your FortiGate and not something impersonating it, so for real use install a certificate from a CA the client trusts and leave this unchecked.
  • Apply and Close

6. Now let's try to log in; if it is successful you should see something like this. (FortiClient might minimize on a successful connection.)

Test Connectivity

We will inspect our IP Configuration under Tunnel Mode and then we need to test our connectivity to internal resources by seeing what we can ping.

1. Open a Command Prompt or Powershell window and execute:

ipconfig

Let's look for our interface and the IP configuration we were assigned. In my case, I received the following:

Ethernet adapter Ethernet 6:

  Connection-specific DNS Suffix . :
  Link-local IPv6 Address . . . . . : fe80::7dec:199a:5ea0:e72e%9
  IPv4 Address. . . . . . . . . . . : 10.212.134.200
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . : 10.212.134.201

Notice how in Tunnel Mode we are given a default gateway on the tunnel interface.

2. Now let's execute:

route print

Looking at our routing table, we can see two default routes: the VPN tunnel gateway with metric 1 and our local internet gateway with metric 35. The lower metric wins, so the tunnel's default route is preferred and all traffic that does not match a more specific route goes through the VPN.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination    Netmask     Gateway    Interface Metric
     0.0.0.0     0.0.0.0  192.168.212.1  192.168.212.38   35
     0.0.0.0     0.0.0.0  10.212.134.201  10.212.134.200   1

3. Let's execute a PING command on an internal resource. In my case, I will ping one of the DNS servers in my network:

PS C:\Users\Linuxman> ping 192.168.0.13

Pinging 192.168.0.13 with 32 bytes of data:
Reply from 192.168.0.13: bytes=32 time=57ms TTL=63
Reply from 192.168.0.13: bytes=32 time=54ms TTL=63
Reply from 192.168.0.13: bytes=32 time=56ms TTL=63
Reply from 192.168.0.13: bytes=32 time=68ms TTL=63

Ping statistics for 192.168.0.13:
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
  Minimum = 54ms, Maximum = 68ms, Average = 58ms

Here I am able to PING one of the DNS servers successfully. The TTL of 63 on the replies is consistent with a host that starts at 64 and is one router away, the FortiGate being that router.

4. Lastly, let's run a TRACEROUTE and see the path we take to get to our DNS server:

PS C:\Users\Linuxman> tracert 192.168.0.13

Tracing route to 192.168.0.13 [192.168.0.13]
over a maximum of 30 hops:

 1  64 ms  46 ms  53 ms DESKTOP-AAPJS7M [10.212.134.200]
 2  50 ms  48 ms  74 ms 192.168.0.13 [192.168.0.13]

Trace complete.

Here we see that our packets go to our tunnel address first and then to the DNS server. If we ran this command locally on the LAN, the trace would look like this:

PS C:\Users\linuxman> tracert 192.168.0.13

Tracing route to 192.168.0.13 [192.168.0.13]
over a maximum of 30 hops:

 1  <1 ms  <1 ms  <1 ms 192.168.0.13 [192.168.0.13]

Trace complete.

Split-Tunnel Mode

Configure VPN Tunnel 

1. To enable Split-Tunnel, we will go back into SSL-VPN Portals > full-access and check "Enable Split Tunneling". But first we need to create an address object for the subnet we want to allow access to, because split tunneling needs at least one routing address. Remember this setting for later.

2. Now we need to add a Routing Address. This address object is the subnet you want your SSL VPN users to reach. First go to Policy & Objects > Addresses.

  1. Click on Create New > Address
  2. Name: Give the Address a distinguishable name. Ex. Internal
  3. Type: Should be Subnet
  4. Subnet/IP Range: Will be the subnet of the network you will give access to. Ex. 192.168.0.0/24
  5. Click Ok

3. Before we enable Split-Tunnel, delete the VPN to OUTSIDE policy we created earlier in Policy & Objects > IPv4 Policy. We are no longer sending internet traffic through the tunnel, so this rule is not needed, and leaving it in place would keep an unused path to the internet open through the firewall.

4. Now that the VPN to OUTSIDE policy is gone, go back to SSL-VPN Portals > full-access and, as in step 1, check Enable Split Tunneling:

  1. Click on the + under Routing Address
  2. Select the address object you created in step 2
  3. Click Ok
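The split-tunnel change in the FortiOS CLI, as an added example that is not from the original tutorial. It assumes the tutorial's object names (the Internal address, the full-access portal, the VPN to OUTSIDE policy) and that the VPN to OUTSIDE policy received ID 2; check the real ID with the `show` command in the comment before deleting anything.

```fortios
# Step 2: the address object for the subnet reachable through the tunnel
config firewall address
    edit "Internal"
        set type subnet
        set subnet 192.168.0.0 255.255.255.0
    next
end

# Step 3: remove the internet-bound policy. Look up its ID first:
#   show firewall policy | grep -f "VPN to OUTSIDE"
# The ID 2 below is assumed.
config firewall policy
    delete 2
end

# Steps 1 and 4: turn split tunneling on and push only the Internal route to the client
config vpn ssl web portal
    edit "full-access"
        set split-tunneling enable
        set split-tunneling-routing-address "Internal"
    next
end
```

Clients that are already connected keep their old routes until they reconnect, so disconnect and reconnect FortiClient before running the tests below.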

Test Connectivity

The setup is going to be the same for the client, so reference the Configure VPN Client section before continuing.

1. Once you are connected to the VPN tunnel successfully, open a Command Prompt or PowerShell window and run the following command.

ipconfig

Let's look for our interface and the IP configuration we were assigned. In my case, I received the following:

Ethernet adapter Ethernet 6:

 Connection-specific DNS Suffix . :
 Link-local IPv6 Address . . . . . : fe80::7dec:199a:5ea0:e72e%9
 IPv4 Address. . . . . . . . . . . : 10.212.134.200
 Subnet Mask . . . . . . . . . . . : 255.255.255.255
 Default Gateway . . . . . . . . . : 

Notice how this time we do not get a default gateway for our tunnel interface.

2. Now let's execute:

route print

Looking at our routing table, our only default route is now our local network gateway, and the remote network 192.168.0.0/24 has its own route through the tunnel with metric 1. Routing picks the most specific matching prefix before it ever compares metrics, so anything destined for 192.168.0.0/24 goes through the VPN tunnel and everything else follows the local default gateway.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination    Netmask     Gateway    Interface Metric
     0.0.0.0       0.0.0.0   192.168.212.1  192.168.212.38   25
 192.168.0.0 255.255.255.0  10.212.134.201  10.212.134.200    1

3. Let's execute a PING command on an internal resource. In my case, I will ping one of the DNS servers in my network:

PS C:\Users\Linuxman> ping 192.168.0.13

Pinging 192.168.0.13 with 32 bytes of data:
Reply from 192.168.0.13: bytes=32 time=57ms TTL=63
Reply from 192.168.0.13: bytes=32 time=54ms TTL=63
Reply from 192.168.0.13: bytes=32 time=56ms TTL=63
Reply from 192.168.0.13: bytes=32 time=68ms TTL=63

Ping statistics for 192.168.0.13:
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
  Minimum = 54ms, Maximum = 68ms, Average = 58ms

Here I am able to PING one of the DNS servers successfully.

4. Lastly, let's run a TRACEROUTE and see the path we take to get to our DNS server:

PS C:\Users\Linuxman> tracert 192.168.0.13

Tracing route to 192.168.0.13 [192.168.0.13]
over a maximum of 30 hops:

 1  64 ms  46 ms  53 ms DESKTOP-AAPJS7M [10.212.134.200]
 2  50 ms  48 ms  74 ms 192.168.0.13 [192.168.0.13]

Trace complete.

Here we see that, just as in Tunnel Mode, our packets go to the tunnel address first and then to the DNS server, because 192.168.0.0/24 is the one route the split tunnel pushed to the client.

The ping and traceroute output are practically the same in both modes. The differences to pay attention to are the missing default gateway on the tunnel interface and the routes: in Split-Tunnel mode a ping to an internet address no longer traverses the tunnel at all, and the firewall never sees it.
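A FortiGate-side check of what the client tests show, for both the Tunnel Mode and Split-Tunnel Mode test sections. This is an added example, not from the original tutorial; it assumes the root VDOM (tunnel interface ssl.root), the tutorial's addresses, and 8.8.8.8 as an arbitrary public address for the client to ping.

```fortios
# 1. Who is connected, through which portal, and their tunnel IP (10.212.134.200 above)
get vpn ssl monitor
diagnose vpn ssl list

# 2. While the client runs "ping 192.168.0.13": with verbosity 4 each packet is printed with
#    the interface it was seen on, so the echo request should show up on ssl.root and again
#    on internal, and the reply in the opposite direction.
diagnose sniffer packet any 'host 192.168.0.13 and icmp' 4 8

# 3. Which policy accepted the session: the trace prints "Allowed by Policy-N" for a new flow.
diagnose debug flow filter addr 192.168.0.13
diagnose debug flow trace start 10
diagnose debug enable
#    ... run the ping from the client, read the output, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 4. The difference between the two modes. Have the client run "ping 8.8.8.8":
#    Tunnel Mode  - the request enters on ssl.root and leaves on wan1 (source NATed to the wan1
#                   address), matching the VPN to OUTSIDE policy.
#    Split-Tunnel - nothing is printed; the client sent the ping through its local gateway
#                   and the FortiGate never saw it.
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 8
```

The sniffer and flow trace are the quickest way to prove a route-table reading: if the client believes a destination is on the tunnel but the packet never appears on ssl.root, the problem is on the client side; if it appears on ssl.root but nothing leaves internal or wan1, the policy or NAT is the problem.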
