SSL VPN with LDAP-integrated certificate authentication

This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate with LDAP UserPrincipalName checking.

This sample uses Windows Server 2012 R2 Active Directory as the certificate authority that issues the user certificates and as the LDAP server.

Sample network topology

Sample configuration

In this sample, the UserPrincipalName (UPN) is included in the subject of the issued user certificate. When a user connects, the FortiGate takes the UPN from the presented certificate and uses it to look the user up in LDAP (ldap-mode principal-name); the lookup also returns the user's group memberships, which are then matched against the configured user group.

To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.

Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.

To install the server certificate:

The server certificate secures the SSL VPN session and is presented to clients so that they can authenticate the FortiGate.

  1. Go to System > Feature Visibility and ensure Certificates is enabled.
  2. Go to System > Certificates and select Import > Local Certificate.
    • Set Type to Certificate.
    • Choose the Certificate file and the Key file for your certificate, and enter the Password.
    • If desired, you can change the Certificate Name.

The server certificate now appears in the list of Certificates.

To install the CA certificate:

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

  1. Go to System > Certificates and select Import > CA Certificate.
  2. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address.

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

The port1 interface connects to the internal network.

    1. Go to Network > Interfaces and edit wan1.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Addresses and create an address for the internal subnet 192.168.1.0/24.
  2. Configure the LDAP server.
    1. Go to User & Device > LDAP Servers > Create New.
    2. Specify Name and Server IP/Name.
    3. Set Distinguished Name to dc=fortinet-fsso,dc=com.
    4. Set Bind Type to Regular.
    5. Set Username to cn=admin,ou=testing,dc=fortinet-fsso,dc=com. Use a dedicated, read-only bind account; its password is stored on the FortiGate.
    6. Set Password.

  3. Configure PKI users and a user group.

To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following commands:

config user peer
    edit user1
        set ca CA_Cert_1
        set ldap-server "ldap-AD"
        set ldap-mode principal-name
    next
end

Now that you have created a PKI user, a new menu is added to the GUI.

    1. Go to User & Device > PKI to see the new user.
    2. Go to User & Device > User Groups and create a group sslvpn-group.
    3. Add the PKI peer object you created (user1) as a local member of the group.
    4. Add a remote group on the LDAP server ldap-AD and select the group of interest (in this example, CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM). Only users who are members of this group are granted access; you can verify membership in the LDAP browser window.
  4. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals and edit full-access.

This portal supports both web and tunnel mode.

    2. Clear Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  5. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Set Server Certificate to the server certificate you installed.
    5. Enable Require Client Certificate.
    6. Under Authentication/Portal Mapping, set the default portal web-access for All Other Users/Groups.
    7. Create a new Authentication/Portal Mapping for group sslvpn-group mapping to portal full-access.
  6. Configure the SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
    3. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Set Source Address to all and Source User to sslvpn-group.
    5. Set Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to ACCEPT.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Configure the LDAP server.

config user ldap
    edit "ldap-AD"
        set server "172.18.60.206"
        set cnid "cn"
        set dn "dc=fortinet-fsso,dc=com"
        set type regular
        set username "cn=admin,ou=testing,dc=fortinet-fsso,dc=com"
        set password ldap-server-password
    next
end

With a regular bind over plain LDAP (port 389) the bind username and password cross the network in clear text. In production, enable LDAPS (set secure ldaps, set port 636) and point ca-cert at the CA that issued the domain controller's certificate so the FortiGate verifies the server it binds to.

  3. Configure PKI users and a user group.

config user peer
    edit user1
        set ca CA_Cert_1
        set ldap-server "ldap-AD"
        set ldap-mode principal-name
    next
end

config user group
    edit "sslvpn-group"
        set member "ldap-AD" "user1"
        config match
            edit 1
                set server-name "ldap-AD"
                set group-name "CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM"
            next
        end
    next
end

  4. Configure the SSL VPN web portal.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

  5. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    set port 10443
    set reqclientcert enable
    config authentication-rule
        edit 1
            set groups "sslvpn-group"
            set portal "full-access"
        next
    end
end

  6. Configure the SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network.

config firewall policy
    edit 1
        set name "sslvpn certificate auth"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpn-group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

To see the results of the tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set VPN Type to SSL VPN and set the connection name.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Enable Client Certificate and select the user certificate.
  6. Save your settings.

Connecting to the VPN only requires the user's certificate; no username or password is prompted for. Authorization comes from the LDAP lookup: the UPN in the certificate must resolve to an AD account that is a member of the remote group configured in sslvpn-group.

To see the results of the web portal:

  1. In a web browser, log into the portal at https://172.20.120.123:10443.

The browser prompts for a client certificate.

  2. Select the user certificate.

You are connected to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL VPN users.
  2. Go to Log & Report > VPN Events to view the details of the SSL VPN connection event log.
  3. Go to Log & Report > Forward Traffic to view the details of the SSL VPN traffic.

To check the SSL VPN connection using the CLI:

Below is sample output of diagnose debug application fnbamd -1 (after diagnose debug enable) captured while the user connects. It is shortened to the important parts: the LDAP lookup for the user identified by the certificate's UPN returns the user's group memberships, and one of them matches the remote group configured in sslvpn-group, which is what grants access.

[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[843] __ldap_rxtx-state 23(Done)
[925] fnbamd_ldap_send-sending 7 bytes to 172.18.60.206
[937] fnbamd_ldap_send-Request is sent. ID 5
[753] __ldap_stop-svr 'ldap-AD'
[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM
[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'
[2007] __match_ldap_group-Matching server 'ldap-AD' - 'ldap-AD'
[2015] __match_ldap_group-Matching group 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM' 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM'
[2091] fnbamd_auth_cert_check-Group 'sslvpn-group' matched
[2120] fnbamd_auth_cert_result-Result for ldap svr[0] 'ldap-AD' is SUCCESS
[2126] fnbamd_auth_cert_result-matched user 'test3', matched group 'sslvpn-group'

You can also use diagnose firewall auth list to confirm that a firewall user entry exists for the SSL VPN user and that it belongs to the expected groups.
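When a certificate user is denied, the question this output answers is whether the LDAP lookup returned the expected group for the user. The following Python helper is an added example written for this page (not Fortinet code): it summarizes a fnbamd capture into the server that answered, the group DNs returned for the user, the group DN the FortiGate tried to match, and the result. The first sample is the capture shown above with straight quotes; the second is a constructed denial, built from the same line formats, in which the remote group configured in the user group is one the user does not belong to, so no "matched user" line is logged.

```python
"""Summarize the LDAP part of FortiOS 'diagnose debug application fnbamd -1' output.

Added example for this page, not Fortinet code. Given the captured text, it
reports which LDAP server answered, which group DNs were returned for the user,
which group DN the FortiGate tried to match, and whether a user/group match was
reached, which is what you need when a certificate user is unexpectedly denied.
"""
import re

# Sample 1: the shortened capture shown on this page, with straight quotes.
SAMPLE_FNBAMD = """\
[1148] fnbamd_ldap_recv-Response len: 16, svr: 172.18.60.206
[829] fnbamd_ldap_parse_response-Got one MESSAGE. ID:4, type:search-result
[864] fnbamd_ldap_parse_response-ret=0
[1386] __fnbamd_ldap_primary_grp_next-Auth accepted
[910] __ldap_rxtx-Change state to 'Done'
[753] __ldap_stop-svr 'ldap-AD'
[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM
[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'
[2007] __match_ldap_group-Matching server 'ldap-AD' - 'ldap-AD'
[2015] __match_ldap_group-Matching group 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM' 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM'
[2091] fnbamd_auth_cert_check-Group 'sslvpn-group' matched
[2120] fnbamd_auth_cert_result-Result for ldap svr[0] 'ldap-AD' is SUCCESS
[2126] fnbamd_auth_cert_result-matched user 'test3', matched group 'sslvpn-group'
"""

# Sample 2 (constructed for this example, same line formats as above): the remote
# group configured under the user group is one the user is not a member of, so the
# comparison fails and no 'matched user' line appears.
SAMPLE_FNBAMD_DENIED = """\
[753] __ldap_stop-svr 'ldap-AD'
[53] ldap_dn_list_del_all-Del CN=test3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM
[399] ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=Fortinet-FSSO,DC=COM
[2088] fnbamd_auth_cert_check-Matching group 'sslvpn-group'
[2007] __match_ldap_group-Matching server 'ldap-AD' - 'ldap-AD'
[2015] __match_ldap_group-Matching group 'CN=vpn-admins,OU=Testing,DC=Fortinet-FSSO,DC=COM' 'CN=group3,OU=Testing,DC=Fortinet-FSSO,DC=COM'
"""

RE_SERVER = re.compile(r"__ldap_stop-svr '([^']+)'")
RE_USER_DN = re.compile(r"ldap_dn_list_del_all-Del (.+)$")      # DN found for the user
RE_GROUP = re.compile(r"ldap_copy_grp_list-copied (.+)$")       # one group DN of the user
RE_WANTED = re.compile(r"__match_ldap_group-Matching group '([^']+)' '[^']+'")  # configured DN first
RE_RESULT = re.compile(r"Result for ldap svr\[\d+\] '[^']+' is (\w+)")
RE_MATCHED = re.compile(r"matched user '([^']+)', matched group '([^']+)'")

SCALAR_FIELDS = (("ldap_server", RE_SERVER), ("user_dn", RE_USER_DN),
                 ("group_wanted", RE_WANTED), ("result", RE_RESULT))


def normalize_dn(dn):
    """AD DNs compare case-insensitively and ignore spaces around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def summarize_fnbamd(text):
    """Return a dict with ldap_server, user_dn, groups_returned, group_wanted, result,
    matched_user and matched_group; 'reason' is set when no group match was logged."""
    s = {"ldap_server": None, "user_dn": None, "groups_returned": [],
         "group_wanted": None, "result": None, "matched_user": None,
         "matched_group": None, "reason": None}
    for line in text.splitlines():
        m = RE_GROUP.search(line)
        if m:
            s["groups_returned"].append(m.group(1).strip())
            continue
        m = RE_MATCHED.search(line)
        if m:
            s["matched_user"], s["matched_group"] = m.groups()
            continue
        for key, rx in SCALAR_FIELDS:
            m = rx.search(line)
            if m:
                s[key] = m.group(1).strip()
                break
    if s["matched_group"] is None:
        wanted = s["group_wanted"]
        returned = {normalize_dn(g) for g in s["groups_returned"]}
        if wanted is None:
            s["reason"] = "no group comparison logged; check the remote group entry in the user group"
        elif normalize_dn(wanted) in returned:
            s["reason"] = ("configured group DN equals a returned group apart from case or spacing; "
                           "compare the two strings on the 'Matching group' line exactly")
        else:
            s["reason"] = "user is not a member of %s" % wanted
    return s


if __name__ == "__main__":
    for sample in (SAMPLE_FNBAMD, SAMPLE_FNBAMD_DENIED):
        summary = summarize_fnbamd(sample)
        print("server=%(ldap_server)s user=%(user_dn)s result=%(result)s "
              "matched=%(matched_user)s/%(matched_group)s reason=%(reason)s" % summary)
```

Feed it the capture from the CLI console (copy the text into a file and pass it to summarize_fnbamd) and compare group_wanted with groups_returned: in a working login the configured DN appears among the returned groups and matched_group equals the FortiGate user group.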

SSL VPN with certificate authentication

This topic provides a sample configuration of SSL VPN that requires users to authenticate using a certificate.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address.

The port1 interface connects to the internal network.

    1. Go to Network > Interfaces and edit wan1.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Addresses and create an address for the internal subnet 192.168.1.0/24.
  2. Install the server certificate.

The server certificate secures the SSL VPN session and is presented to clients so that they can authenticate the FortiGate.

    1. Go to System > Feature Visibility and ensure Certificates is enabled.
    2. Go to System > Certificates and select Import > Local Certificate.
      • Set Type to Certificate.
      • Choose the Certificate file and the Key file for your certificate, and enter the Password.
      • If desired, you can change the Certificate Name.

The server certificate now appears in the list of Certificates.

  3. Install the CA certificate.

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

    1. Go to System > Certificates and select Import > CA Certificate.
    2. Select Local PC and then select the certificate file.

The CA certificate now appears in the list of External CA Certificates. In the example, it is called CA_Cert_1.

  4. Configure PKI users and a user group.

To use certificate authentication, PKI users must be created in the CLI. Use the CLI console to enter the following commands:

config user peer
    edit pki01
        set ca CA_Cert_1
        set subject User01
    next
end

Ensure the subject matches the subject of the user certificate. In this example, User01. The subject value is matched as a substring of the presented certificate's subject, so choose a value that identifies exactly one user. Now that you have created a PKI user, a new menu is added to the GUI.

    1. Go to User & Device > PKI to see the new user.
    2. Edit the user account and expand Two-factor authentication.
    3. Enable Require two-factor authentication and set a Password for the account.
    4. Go to User & Device > User Groups and create a group sslvpngroup.
    5. Add the PKI user pki01 to the group.
  5. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals and edit full-access.

This portal supports both web and tunnel mode.

    2. Clear Enable Split Tunneling so that all SSL VPN traffic goes through the FortiGate.
  6. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Set Server Certificate to the server certificate you installed.
    5. Enable Require Client Certificate.
    6. Under Authentication/Portal Mapping, set the default portal web-access for All Other Users/Groups.
    7. Create a new Authentication/Portal Mapping for group sslvpngroup mapping to portal full-access.
  7. Configure the SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn certificate auth.
    3. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Set Source Address to all and Source User to sslvpngroup.
    5. Set Outgoing Interface to the local network interface so that the remote user can access the internal network. In this example: port1.
    6. Set Destination Address to the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, Service to ALL, and Action to ACCEPT.
    8. Enable NAT.
    9. Configure any remaining firewall and security options as desired.
    10. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Install the server certificate.

The server certificate secures the SSL VPN session and is presented to clients so that they can authenticate the FortiGate. It is easier to install the server certificate from the GUI; however, the CLI can import a PKCS#12 (p12) bundle from a TFTP server.

To import a p12 bundle, put server_certificate.p12 on your TFTP server, then run the following command on the FortiGate:

execute vpn certificate local import tftp server_certificate.p12 <your tftp server> p12 <your password for the PKCS12 file>

TFTP is neither encrypted nor authenticated and the p12 file contains the server's private key, so do the transfer over a trusted management network (or use the GUI upload) and delete the file from the TFTP server afterwards.

To check that the server certificate is installed:

show vpn certificate local server_certificate

  3. Install the CA certificate.

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

It is easier to install the CA certificate from the GUI; however, the CLI can import a CA certificate from a TFTP server. Put the CA certificate file on your TFTP server, then run the following command on the FortiGate:

execute vpn certificate ca import tftp <your CA certificate file name> <your tftp server>

To check that the new CA certificate is installed:

show vpn certificate ca

  4. Configure PKI users and a user group.

config user peer
    edit pki01
        set ca CA_Cert_1
        set subject User01
        set two-factor enable
        set passwd <your-password>
    next
end

config user group
    edit "sslvpngroup"
        set member "pki01"
    next
end

  5. Configure the SSL VPN web portal.

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end

  6. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "server_certificate"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    set port 10443
    set reqclientcert enable
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "full-access"
        next
    end
end

  7. Configure the SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network.

config firewall policy
    edit 1
        set name "sslvpn certificate auth"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Sample installation

To use the user certificate, you must first install it on the user’s PC. When the user tries to authenticate, the user certificate is checked against the CA certificate to verify that they match.

Every user should have a unique user certificate. This allows you to distinguish each user and revoke a specific user’s certificate, such as if a user no longer has VPN access.

To install the user certificate on Windows 7, 8, and 10:

  1. Double-click the certificate file to open the Import Wizard. The file must contain the private key (a .pfx/.p12 bundle); a .cer file with only the public certificate cannot be used for client authentication.
  2. Use the Import Wizard to import the certificate into the Personal store.

To install the user certificate on Mac OS X:

  1. Open the certificate file; it opens in Keychain Access.
  2. Double-click the certificate.
  3. Expand Trust and select Always Trust.

To see the results of the tunnel connection:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient console and go to Remote Access > Configure VPN.
  3. Add a new connection.
    • Set VPN Type to SSL VPN.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Enable Client Certificate and select the user certificate.
  6. Save your settings.
  7. Use the credentials you set up (the PKI user pki01 and its two-factor password) to connect to the SSL VPN tunnel.

If the certificate is correct and the password matches, you can connect.

To see the results of the web portal:

  1. In a web browser, log into the portal at https://172.20.120.123:10443.

The browser prompts for a client certificate.

  2. Select the user certificate.
  3. Enter your user credentials.

If the certificate is correct, you can connect to the SSL VPN web portal.

To check the SSL VPN connection using the GUI:

  1. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL VPN users.
  2. Go to Log & Report > VPN Events and view the details of the SSL VPN connection log.

To check the SSL VPN connection using the CLI:

get vpn ssl monitor

SSL VPN Login Users:
 Index   User              Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       pki01,cn=User01   1(1)        229       10.1.100.254   0/0           0/0
 1       pki01,cn=User01   1(1)        291       10.1.100.254   0/0           0/0

SSL VPN sessions:
 Index   User              Source IP      Duration   I/O Bytes     Tunnel/Dest IP
 0       pki01,cn=User01   10.1.100.254   9          22099/43228   10.212.134.200

The User column shows the PKI user (pki01) together with the subject matched from the presented certificate (cn=User01).

SSL VPN multi-realm

This sample recipe shows how to create a multi-realm SSL VPN that provides different portals for different user groups.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interfaces and edit wan1.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Addresses and create the internal addresses QA_subnet with subnet 192.168.1.0/24 and HR_subnet with subnet 10.1.100.0/24.
  2. Configure users and user groups.
    1. Go to User & Device > User Definition to create local users qa-user1 and hr-user1.
    2. Go to User & Device > User Groups to create separate user groups for the tunnel and web-only portals:
      • QA_group with member qa-user1.
      • HR_group with member hr-user1.
  3. Configure the SSL VPN web portals.
    1. Go to VPN > SSL-VPN Portals to create the portal qa-tunnel.
    2. Enable Tunnel Mode.
    3. Create a portal hr-web with Web Mode enabled.
  4. Configure SSL VPN realms.
    1. Go to System > Feature Visibility to enable SSL-VPN Realms.
    2. Go to VPN > SSL-VPN Realms to create the realms qa and hr.
  5. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory; for production, use a certificate issued by a CA your clients trust so that they can verify the gateway instead of learning to accept certificate warnings.
    5. Under Authentication/Portal Mapping, set the default portal web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group QA_group mapping to portal qa-tunnel.
    7. Specify the realm qa. A mapping with a realm only applies to users who connect through that realm's URL path (https://172.20.120.123:10443/qa).
    8. Add another entry for group HR_group mapping to portal hr-web.
    9. Specify the realm hr.
  6. Configure the SSL VPN firewall policies.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Create a firewall policy for QA access.
    3. Fill in the firewall policy name. In this example: QA sslvpn tunnel mode access.
    4. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    5. Choose an Outgoing Interface. In this example: port1.
    6. Set Source to all and the group to QA_group.
    7. In this example, the destination is the internal protected subnet QA_subnet.
    8. Set Schedule to always, Service to ALL, and Action to ACCEPT.
    9. Click OK.
    10. Create a firewall policy for HR access.
    11. Fill in the firewall policy name. In this example: HR sslvpn web mode access.
    12. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    13. Choose an Outgoing Interface. In this example: port1.
    14. Set Source to all and the group to HR_group.
    15. In this example, the destination is the internal protected subnet HR_subnet.
    16. Set Schedule to always, Service to ALL, and Action to ACCEPT.
    17. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall addresses.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnets. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "QA_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "HR_subnet"
        set subnet 10.1.100.0 255.255.255.0
    next
end

  2. Configure users and user groups.

config user local
    edit "qa_user1"
        set type password
        set passwd your-password
    next
    edit "hr_user1"
        set type password
        set passwd your-password
    next
end

config user group
    edit "QA_group"
        set member "qa_user1"
    next
    edit "HR_group"
        set member "hr_user1"
    next
end

  3. Configure the SSL VPN web portals.

config vpn ssl web portal
    edit "qa-tunnel"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "QA_subnet"
    next
    edit "hr-web"
        set web-mode enable
    next
end

  4. Configure SSL VPN realms.

Using the GUI is the easiest way to configure SSL VPN realms.

    1. Go to System > Feature Visibility to enable SSL-VPN Realms.
    2. Go to VPN > SSL-VPN Realms to create the realms qa and hr.
  5. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    set port 10443
    config authentication-rule
        edit 1
            set groups "QA_group"
            set portal "qa-tunnel"
            set realm "qa"
        next
        edit 2
            set groups "HR_group"
            set portal "hr-web"
            set realm "hr"
        next
    end
end

  6. Configure the SSL VPN firewall policies.

Configure two firewall policies: one allows remote QA users to reach the QA network, the other allows HR users to reach the HR network. Because each policy names its own group, a QA user cannot reach HR_subnet even though both portals terminate on ssl.root.

config firewall policy
    edit 1
        set name "QA sslvpn tunnel access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "QA_subnet"
        set groups "QA_group"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "HR sslvpn web access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "HR_subnet"
        set groups "HR_group"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

To see the results for the QA user:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient console and go to Remote Access.
  3. Add a new connection.
    • Set VPN Type to SSL VPN.
    • Set Remote Gateway to https://172.20.120.123:10443/qa.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Use the credentials you set up to connect to the SSL VPN tunnel.

If the credentials are correct, the connection is established. Because the realm is part of the URL, the QA_group mapping applies only to connections made through /qa; a QA user who connects without the realm path matches no rule and receives the default portal.

  7. After connecting, traffic to subnet 192.168.1.0 (QA_subnet) goes through the tunnel.
  8. On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL VPN users.
  9. On the FortiGate, go to Log & Report > Forward Traffic and view the details of the traffic.

To see the results for the HR user:

  1. In a web browser, log into the portal https://172.20.120.123:10443/hr using the credentials you set up.
  2. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL VPN users.
  3. Go to Log & Report > Forward Traffic and view the details of the traffic.

SSL VPN tunnel mode host check

This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by tunnel mode using FortiClient with AV host check.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interfaces and edit wan1.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Addresses and create an address for the internal subnet 192.168.1.0/24.
  2. Configure the user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal. Enable Split Tunneling.
    2. Select Routing Address and add the internal subnet 192.168.1.0.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory; for production, use a certificate issued by a CA your clients trust.
    5. Under Authentication/Portal Mapping, set the default portal tunnel-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup mapping to portal my-split-tunnel-portal.
  5. Configure the SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn tunnel access with av check.
    3. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Choose an Outgoing Interface. In this example: port1.
    5. Set Source to all and the group to sslvpngroup.
    6. In this example, the destination is all.
    7. Set Schedule to always, Service to ALL, and Action to ACCEPT.
    8. Click OK.
  6. Configure the SSL VPN web portal to enable the AV host check.
    1. Open the CLI Console at the top right of the screen.
    2. Enter the following commands so that the portal requires FortiClient to report compliant antivirus software on the user's computer:

config vpn ssl web portal
    edit my-split-tunnel-portal
        set host-check av
    next
end

The host check must be set on the portal that the authentication rule maps the group to (my-split-tunnel-portal). Editing a different name creates a new, unmapped portal and leaves the mapped portal without a host check.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Configure the user and user group.

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end

config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  3. Configure the SSL VPN web portal.

config vpn ssl web portal
    edit "my-split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "192.168.1.0"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

  4. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
    set port 10443
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-split-tunnel-portal"
        next
    end
end

  5. Configure the SSL VPN firewall policy.

Configure one firewall policy to allow remote users to access the internal network. There is no policy from port1 to ssl.root, so connections initiated from the internal network toward remote clients are dropped.

config firewall policy
    edit 1
        set name "sslvpn tunnel access with av check"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  6. Configure the SSL VPN web portal to enable the AV host check.

Configure the portal that the authentication rule maps to (my-split-tunnel-portal) so that FortiClient must report compliant antivirus software on the user's computer before the tunnel is allowed:

config vpn ssl web portal
    edit my-split-tunnel-portal
        set host-check av
    next
end

The portal name must match the one used in the authentication rule; editing a different name creates a new, unmapped portal and leaves the mapped portal without a host check. The check itself is performed by FortiClient and reported to the FortiGate, so treat it as an endpoint hygiene control rather than a hard security boundary.
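The recipes on this page (certificate authentication, multi-realm, and this host check) all come down to a few lines under config vpn ssl settings and config vpn ssl web portal, and the mistakes that weaken them are quiet ones: a rule that maps to a portal which was never created, a tunnel portal without the host check, a default portal that hands out tunnel mode, or the factory certificate left in place. The following Python script is an added example written for this page (not Fortinet code and not something that runs on the FortiGate): it parses the CLI text as printed by show vpn ssl settings and show vpn ssl web portal and reports those conditions. The embedded sample configuration is constructed in the shape of the host-check recipe and deliberately contains a portal-name mismatch of the kind that is easy to make when the host check is typed into the CLI console after the portal was created in the GUI (host-check on my-split-tunnel-access while the rule maps my-split-tunnel-portal), so the checks have something to find.

```python
"""Audit FortiOS SSL VPN config text for the settings these recipes depend on.

Added example for this page, not Fortinet code; it never connects to a FortiGate.
It parses the config/edit/set/next/end text printed by 'show vpn ssl settings'
and 'show vpn ssl web portal' and reports: no client certificate required, a
built-in server certificate, a tunnel-capable default portal, a rule mapped to a
portal that does not exist, a tunnel portal without host-check, and a host-check
sitting on a portal that no rule maps to.
"""
import shlex


def parse_fortios(text):
    """Nested dicts: 'config a b' -> key "a b", 'edit N' -> key N,
    'set K V1 V2' -> K: ["V1", "V2"]; 'next'/'end' close the current level."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        kw = tok[0]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif kw == "set":
            stack[-1][tok[1]] = tok[2:]
        elif kw in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("line %d: %r without an open block" % (lineno, kw))
            stack.pop()
        else:
            raise ValueError("line %d: unexpected keyword %r" % (lineno, kw))
    if len(stack) != 1:
        raise ValueError("config text ends inside an open block")
    return root


def _first(obj, key, default=""):
    """First value of a 'set' line, or default when the key was never set."""
    vals = obj.get(key)
    return vals[0] if vals else default


def audit_sslvpn(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    settings = cfg.get("vpn ssl settings", {})
    portals = cfg.get("vpn ssl web portal", {})
    if _first(settings, "reqclientcert", "disable") != "enable":
        findings.append("reqclientcert is disabled: users authenticate with credentials alone")
    servercert = _first(settings, "servercert")
    if servercert in ("", "Fortinet_Factory", "self-sign"):
        findings.append("servercert %r is a built-in certificate; clients cannot verify the gateway" % servercert)
    default_portal = _first(settings, "default-portal")
    if _first(portals.get(default_portal, {}), "tunnel-mode", "disable") == "enable":
        findings.append("default-portal %r gives tunnel mode to any authenticated user no rule matches" % default_portal)
    mapped = set()
    for rule_id, rule in settings.get("authentication-rule", {}).items():
        name = _first(rule, "portal")
        mapped.add(name)
        portal = portals.get(name)
        if portal is None:
            findings.append("authentication-rule %s maps to portal %r, which is not defined" % (rule_id, name))
        elif _first(portal, "tunnel-mode", "disable") == "enable" and _first(portal, "host-check", "none") == "none":
            findings.append("tunnel portal %r has no host-check" % name)
    for name, portal in portals.items():
        if name not in mapped and name != default_portal and _first(portal, "host-check", "none") != "none":
            findings.append("portal %r has host-check but no authentication rule maps to it" % name)
    return findings


# Constructed sample in the shape of the host-check recipe; the host-check sits on
# "my-split-tunnel-access" while the rule maps "my-split-tunnel-portal".
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
    next
    edit "my-split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "192.168.1.0"
    next
    edit "my-split-tunnel-access"
        set host-check av
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set default-portal "full-access"
    set port 10443
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-split-tunnel-portal"
        next
    end
end
"""

if __name__ == "__main__":
    for finding in audit_sslvpn(parse_fortios(SAMPLE_CONFIG)):
        print("-", finding)
```

Paste the output of the two show commands into a file and pass its text to parse_fortios; the parser keeps every set value as a list, so the same structure can be queried for any other setting (for example cfg["vpn ssl settings"]["port"]) when you want to add checks of your own.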

To see the results:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient console and go to Remote Access.
  3. Add a new connection.
    • Set VPN Type to SSL VPN.
    • Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Use the credentials you set up to connect to the SSL VPN tunnel.

If the user's computer has antivirus software installed, a connection is established; otherwise FortiClient shows a compliance warning.

  7. After connecting, traffic to 192.168.1.0 goes through the tunnel. Other traffic goes through the local gateway.
  8. On the FortiGate, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL VPN users.
  9. On the FortiGate, go to Log & Report > Forward Traffic and view the details for the SSL VPN entry.

SSL VPN split tunnel for remote user

This topic provides a sample configuration of remote users accessing the corporate network and internet through an SSL VPN by tunnel mode using FortiClient but accessing the Internet without going through the SSL VPN tunnel.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address.

The port1 interface connects to the internal network.

    1. Go to Network > Interfaces and edit wan1.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Addresses and create an address for the internal subnet 192.168.1.0/24.
  2. Configure the user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure the SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal. Enable Split Tunneling.
    2. Select Routing Address and add the internal subnet 192.168.1.0. Only traffic to this address is sent through the tunnel; the client's Internet traffic bypasses the FortiGate and is not inspected by it, so keep the routing address as narrow as the internal resources require.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Set Listen on Port to 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory; for production, use a certificate issued by a CA your clients trust.
    5. Under Authentication/Portal Mapping, set the default portal tunnel-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup mapping to portal my-split-tunnel-portal.
  5. Configure the SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn split tunnel access.
    3. Incoming Interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Choose an Outgoing Interface. In this example: port1.
    5. Set Source to all and the group to sslvpngroup.
    6. In this example, the destination is all.
    7. Set Schedule to always, Service to ALL, and Action to ACCEPT.
    8. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Configure user and user group.

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end

config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  3. Configure SSL VPN web portal.

config vpn ssl web portal
    edit "my-split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "192.168.1.0"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

  4. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-split-tunnel-portal"
        next
    end
end

  5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow the remote user to access the internal network. Traffic from the internal network to the remote client is dropped.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

To see the results:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access.
  3. Add a new connection.
    1. Set VPN Type to SSL VPN.
    2. Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  4. Select Customize Port and set it to 10443.
  5. Save your settings.
  6. Use the credentials you’ve set up to connect to the SSL VPN tunnel.
  7. After connection, traffic to 192.168.1.0 goes through the tunnel. Other traffic goes through the local gateway.
  8. In FGT, go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
  9. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

SSL VPN full tunnel for remote user

This topic provides a sample configuration of remote users accessing the corporate network and the Internet through an SSL VPN in tunnel mode using FortiClient.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
  2. Configure user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-full-tunnel-portal. Disable Split Tunneling.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Listen on Port 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
    5. Under Authentication/Portal Mapping, set the default Portal tunnel-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup mapping portal my-full-tunnel-portal.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn full tunnel access.
    3. Incoming interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Choose an Outgoing Interface. In this example: port1.
    5. Set the source to all and group to sslvpngroup.
    6. In this example, the destination is all.
    7. Set schedule to always, service to ALL, and Action to Accept.
    8. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

  2. Configure user and user group.

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end

config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  3. Configure SSL VPN web portal and predefine RDP bookmark for Windows server.

config vpn ssl web portal
    edit "my-full-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

  4. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-full-tunnel-portal"
        next
    end
end

  5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow the remote user to access the internal network. Traffic from the internal network to the remote client is dropped.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

To see the results:

  1. Download FortiClient from forticlient.com.
  2. Open the FortiClient Console and go to Remote Access.
  3. Add a new connection.
  4. Set VPN Type to SSL VPN and set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.
  5. Select Customize Port and set it to 10443.
  6. Save your settings.
  7. Use the credentials you’ve set up to connect to the SSL VPN tunnel.
  8. After connection, all traffic except the local subnet goes through the tunnel to the FGT.
  9. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
  10. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

SSL VPN web mode for remote user

This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN in web mode using a web browser.

Sample network topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

  1. Configure the interface and firewall address. Port1 interface connects to the internal network.
    1. Go to Network > Interface and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Firewall & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Configure user and user group.
    1. Go to User & Device > User Definition to create a local user sslvpnuser1.
    2. Go to User & Device > User Groups to create a group sslvpngroup with the member sslvpnuser1.
  3. Configure SSL VPN web portal.
    1. Go to VPN > SSL-VPN Portals to create a web mode only portal my-web-portal.
    2. Set Predefined Bookmarks for Windows server to type RDP.
  4. Configure SSL VPN settings.
    1. Go to VPN > SSL-VPN Settings.
    2. Choose the proper Listen on Interface, in this example, wan1.
    3. Listen on Port 10443.
    4. Choose a certificate for Server Certificate. The default is Fortinet_Factory.
    5. Under Authentication/Portal Mapping, set the default Portal web-access for All Other Users/Groups.
    6. Create a new Authentication/Portal Mapping for group sslvpngroup mapping portal my-web-portal.
  5. Configure SSL VPN firewall policy.
    1. Go to Policy & Objects > IPv4 Policy.
    2. Fill in the firewall policy name. In this example: sslvpn web mode access.
    3. Incoming interface must be the SSL-VPN tunnel interface (ssl.root).
    4. Choose an Outgoing Interface. In this example: port1.
    5. Set the Source to all and group to sslvpngroup.
    6. In this example, the destination is the internal protected subnet 192.168.1.0.
    7. Set Schedule to always, service to ALL, and Action to Accept.
    8. Click OK.

To configure SSL VPN using the CLI:

  1. Configure the interface and firewall address.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

Configure the internal interface and protected subnet. Connect the port1 interface to the internal network.

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
    next
end

config firewall address
    edit "192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

  2. Configure user and user group.

config user local
    edit "sslvpnuser1"
        set type password
        set passwd your-password
    next
end

config user group
    edit "sslvpngroup"
        set member "sslvpnuser1"
    next
end

  3. Configure SSL VPN web portal and predefine RDP bookmark for Windows server.

config vpn ssl web portal
    edit "my-web-portal"
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    edit "Windows Server"
                        set apptype rdp
                        set host "192.168.1.114"
                        set port 3389
                        set logon-user "your-windows-server-user-name"
                        set logon-password your-windows-server-password
                    next
                end
            next
        end
    next
end

  4. Configure SSL VPN settings.

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-web-portal"
        next
    end
end

  5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow the remote user to access the internal network. Traffic from the internal network to the remote client is dropped.

config firewall policy
    edit 1
        set name "sslvpn web mode access"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "192.168.1.0"
        set groups "sslvpngroup"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
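
All three SSL VPN walkthroughs above hinge on the same few lines: the ssl.root firewall policy carries set groups "sslvpngroup", the split-tunnel portal carries a split-tunneling-routing-address, and the settings block names a server certificate. The Python below is an added example, not part of the Fortinet cookbook: it parses FortiOS CLI text of this shape into a nested dict and audits those three points. The configuration it reads is a constructed sample in which policy 2 and the portal named loose-portal are deliberately weakened so the audit has something to report.

```python
import shlex

# Constructed sample modelled on the split-tunnel walkthrough above; policy 2
# and "loose-portal" are deliberately weakened to show what the audit reports.
SAMPLE_CONFIG = """
config vpn ssl web portal
    edit "my-split-tunnel-portal"
        set split-tunneling enable
        set split-tunneling-routing-address "192.168.1.0"
    next
    edit "loose-portal"
        set split-tunneling enable
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    config authentication-rule
        edit 1
            set groups "sslvpngroup"
            set portal "my-split-tunnel-portal"
        next
    end
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set groups "sslvpngroup"
    next
    edit 2
        set srcintf "ssl.root"
    next
end
"""

def parse_fortios(text):
    """Nested dict: 'config <path>' and 'edit <name>' open a child node,
    'set key values...' stores values under node['set'], next/end close it."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1].setdefault("set", {})[args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected FortiOS line: {raw!r}")
    if len(stack) != 1:  # e.g. a missing outer 'end' after authentication-rule
        raise ValueError("unbalanced config/edit versus next/end")
    return root

def audit_sslvpn(cfg):
    """Findings for the three points the SSL VPN walkthroughs rely on."""
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        s = pol.get("set", {})
        # An ssl.root policy with no groups/users matches every portal user.
        if "ssl.root" in s.get("srcintf", []) and not (s.get("groups") or s.get("users")):
            findings.append(f"policy {pid}: no groups/users restriction on ssl.root policy")
    for name, portal in cfg.get("vpn ssl web portal", {}).items():
        s = portal.get("set", {})
        if s.get("split-tunneling") == ["enable"] and not s.get("split-tunneling-routing-address"):
            findings.append(f"portal {name}: split tunneling enabled without a routing address")
    if cfg.get("vpn ssl settings", {}).get("set", {}).get("servercert") == ["Fortinet_Factory"]:
        findings.append("vpn ssl settings: factory default server certificate in use")
    return findings

if __name__ == "__main__":
    for finding in audit_sslvpn(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the output of show vpn ssl settings, show vpn ssl web portal and show firewall policy from a live unit and the same checks apply; the parser raises on an unbalanced block, which is how the truncated settings block in the scraped text would have surfaced.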

To see the results:

  1. Open a browser and log into the portal https://172.20.120.123:10443 using the credentials you’ve set up.
  2. In the portal with the predefined bookmark, select the bookmark to begin an RDP session.
  3. Go to VPN > Monitor > SSL-VPN Monitor to verify the list of SSL users.
  4. Go to Log & Report > Traffic Log > Forward Traffic to view the details for the SSL entry.

Policy-based IPsec tunnel

This recipe provides an example configuration of a policy-based IPsec tunnel. It uses site-to-site VPNs between the branches and HQ, with HQ acting as the IPsec concentrator.

The following shows the network topology for this example:

To configure a policy-based IPsec tunnel using the GUI:

  1. Configure the IPsec VPN at HQ:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_branch1 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 15.1.1.2.
      • Choose port9 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
    2. Go to VPN > IPsec Wizard, enter a VPN name (to_branch2 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 13.1.1.2.
      • Choose port9 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
  2. Configure the IPsec concentrator at HQ:
    1. Go to VPN > IPsec Concentrator, enter a name, in this example, branch.
    2. Add to_branch1 and to_branch2 as Members.
    3. Click OK.
  3. Configure the HQ firewall policy:
    1. Choose the Incoming Interface, in this example, port10.
    2. Choose the Outgoing Interface, in this example, port9.
    3. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
    4. Select the VPN Tunnel, in this example, Branch1/Branch2.
    5. In this example, turn on Allow traffic to be initiated from the remote site.
    6. Click OK.
  4. Configure the IPsec VPN at branch 1:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 22.1.1.1.
      • Choose wan1 as the interface.
      • In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
    2. Configure the firewall policy:
      1. Choose the Incoming Interface, in this example, internal.
      2. Choose the Outgoing Interface, in this example, wan1.
      3. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
      4. Select the VPN Tunnel, in this example, to_HQ.
      5. In this example, turn on Allow traffic to be initiated from the remote site.
      6. Click OK.
  5. Configure the IPsec VPN at branch 2:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_HQ in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway.
      • Enter the IP address, in this example, 22.1.1.1.
      • Choose wan1 as the interface.
      • In this example, set Authentication Method to Pre-shared Key and the Pre-shared Key is sample. In other cases, use the default.
      • Click OK.
    2. Configure the firewall policy:
      1. Choose the Incoming Interface, in this example, internal.
      2. Choose the Outgoing Interface, in this example, wan1.
      3. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
      4. Select the VPN Tunnel, in this example, to_HQ.
      5. In this example, turn on Allow traffic to be initiated from the remote site.
      6. Click OK.

To configure a policy-based IPsec tunnel using the CLI:

  1. Configure the HQ WAN interface and static route:

config system interface
    edit "port9"
        set alias "WAN"
        set ip 22.1.1.1 255.255.255.0
    next
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end

  2. Configure the HQ IPsec phase1 and phase2:

config vpn ipsec phase1
    edit "to_branch1"
        set interface "port9"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 15.1.1.2
        set psksecret sample
    next
    edit "to_branch2"
        set interface "port9"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 13.1.1.2
        set psksecret sample
    next
end

config vpn ipsec phase2
    edit "to_branch1"
        set phase1name "to_branch1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
    edit "to_branch2"
        set phase1name "to_branch2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  3. Configure the HQ firewall policy:

config firewall policy
    edit 1
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "10.1.100.0"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_branch1"
    next
    edit 2
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "192.168.4.0"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_branch2"
    next
end

  4. Configure the HQ concentrator:

config vpn ipsec concentrator
    edit "branch"
        set member "to_branch1" "to_branch2"
    next
end

  5. Configure the branch WAN interface and static route:
    1. Branch1:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 15.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 10.1.100.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 15.1.1.1
        set device "wan1"
    next
end

    2. Branch2:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 13.1.1.1
        set device "wan1"
    next
end

  6. Configure the branch IPsec phase1 and phase2:
    1. Branch1:

config vpn ipsec phase1
    edit "to_HQ"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 22.1.1.1
        set psksecret sample
    next
end

config vpn ipsec phase2
    edit "to_HQ"
        set phase1name "to_HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

    2. Branch2:

config vpn ipsec phase1
    edit "to_HQ"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 22.1.1.1
        set psksecret sample
    next
end

config vpn ipsec phase2
    edit "to_HQ"
        set phase1name "to_HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  7. Configure the branch firewall policy:
    1. Branch1:

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "10.1.100.0"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_HQ"
    next
end

    2. Branch2:

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "192.168.4.0"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "to_HQ"
    next
end

  8. Optionally, view the IPsec VPN tunnel list at HQ with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000680 itn=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8 ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a
  enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1 ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5
  dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
  npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2
------------------------------------------------------
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42931/43200
  dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909 ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe
  enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259 ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0
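
The output above is what an operator reads to confirm a tunnel is actually carrying traffic: to_branch1 shows rxp/txp counters climbing, while to_branch2 has a negotiated SA (sa=1) but rxp=0 txp=0, and both SAs are using ah=sha1, which the phase2 proposals above include. As an added example that is not part of the cookbook, the Python below parses output in this layout into one record per tunnel and reports idle tunnels, tunnels with no SA, and legacy algorithms. Its sample output is constructed to match the two tunnels above, with the key material replaced by REDACTED.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of 'diagnose vpn tunnel list' above; SA key
# material is replaced by REDACTED and to_branch2 is up but carries no traffic.
SAMPLE_OUTPUT = """
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
  dec: spi=ca646442 esp=aes key=16 REDACTED ah=sha1 key=20 REDACTED
  enc: spi=747c10c4 esp=aes key=16 REDACTED ah=sha1 key=20 REDACTED
  dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
------------------------------------------------------
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
  dec: spi=ca646441 esp=aes key=16 REDACTED ah=sha1 key=20 REDACTED
  enc: spi=f9cffb61 esp=aes key=16 REDACTED ah=sha1 key=20 REDACTED
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""

HEADER = re.compile(r"^name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
KV = re.compile(r"([\w/:\[\]]+)=(\S+)")

@dataclass
class Tunnel:
    name: str
    local_gw: str
    remote_gw: str
    rxp: int = 0   # packets received / sent, from the 'stat:' line
    txp: int = 0
    sa: int = 0    # negotiated SAs from the 'proxyid=' line; 0 means phase2 is down
    esp: str = ""  # ESP cipher and integrity algorithm from the dec:/enc: lines
    ah: str = ""

def parse_tunnel_list(text):
    """One Tunnel per 'name=' block, keeping the fields an operator checks
    first: traffic counters, SA count and the algorithms actually in use."""
    tunnels, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = Tunnel(*m.groups())
            tunnels.append(cur)
            continue
        if cur is None or not line.startswith(("stat:", "proxyid=", "dec:", "enc:")):
            continue
        kv = dict(KV.findall(line))
        if line.startswith("stat:"):
            cur.rxp, cur.txp = int(kv["rxp"]), int(kv["txp"])
        elif line.startswith("proxyid="):
            cur.sa = int(kv["sa"])
        elif "esp" in kv:  # skips the 'dec:pkts/bytes=...' counter line
            cur.esp, cur.ah = kv["esp"], kv.get("ah", "")
    return tunnels

def assess(tunnels):
    """Idle-but-up tunnels usually mean the policy or route on one side does
    not select the traffic; SHA-1 integrity and DES/3DES are flagged as legacy."""
    findings = []
    for t in tunnels:
        if t.sa == 0:
            findings.append(f"{t.name}: no SA negotiated (phase2 down)")
        elif t.rxp == 0 and t.txp == 0:
            findings.append(f"{t.name}: SA up but no packets in either direction")
        if t.ah == "sha1" or t.esp in ("des", "3des"):
            findings.append(f"{t.name}: legacy algorithm negotiated (esp={t.esp} ah={t.ah})")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_tunnel_list(SAMPLE_OUTPUT)):
        print(finding)
```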

  9. Optionally, view the IPsec VPN concentrator at HQ with the diagnose vpn concentrator list command:

list all ipsec concentrator in vd 0

name=branch              ref=3          tuns=2 flags=0