Create a tunnel mode security policy
If your SSL VPN will provide tunnel mode operation, you need to create a security policy to enable traffic to pass between the SSL VPN virtual interface and the protected networks. This is in addition to the SSL VPN security policy that you created in the preceding section.
The SSL VPN virtual interface is the FortiGate unit end of the SSL tunnel that connects to the remote client. It is named ssl.<vdom_name>. In the root VDOM, for example, it is named ssl.root. If VDOMs are not enabled on your FortiGate unit, the SSL VPN virtual interface is also named ssl.root.
To configure the tunnel mode security policy - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information and select OK.
Setting | Value
Incoming Interface | Select the virtual SSL VPN interface, such as ssl.root.
Source Address | Select the firewall address you created that represents the IP address range assigned to SSL VPN clients, such as SSL_VPN_tunnel_users.
Source User(s) | Select to allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See “Strong authentication with security certificates”.
Outgoing Interface | Select the FortiGate network interface that connects to the protected network.
Destination Address | Select the firewall address that represents the networks and servers to which the SSL VPN clients will connect. To select multiple firewall addresses or address groups, select the plus sign next to the drop-down list.
Service | Select services in the left list and use the right arrow button to move them to the right list. Select the ALL service to allow the user group access to all services.
Action | Select Accept.
Enable NAT | (Optional) Select Enable NAT.
To configure the tunnel mode security policy - CLI:
    config firewall policy
        edit <id>
            set srcintf ssl.root
            set dstintf <dst_interface_name>
            set srcaddr <tunnel_ip_address>
            set dstaddr <protected_network_address_name>
            set action accept
            set schedule always
            set service ALL
            set nat enable
        next
    end
Here ssl.root is the SSL VPN tunnel interface; use ssl.<vdom_name> if the policy belongs to another VDOM. set action accept is required because the default policy action is deny, and set nat enable corresponds to the optional Enable NAT setting in the web-based manager procedure.
This policy enables the SSL VPN client to initiate communication with hosts on the protected network. If you want to enable hosts on the protected network to initiate communication with the SSL VPN client, you should create another Accept policy like the preceding one but with the source and destination settings reversed.
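As an added audit check, not part of the FortiGate documentation or the FortiOS CLI, the following Python parses a saved `show firewall policy` dump and, for every policy whose source interface is an SSL VPN virtual interface (ssl.<vdom_name>), flags a missing `action accept` and any use of the `all` address in place of the SSL VPN client address range or the protected network addresses. The sample configuration and the policy, interface and address names in it are constructed.

```python
# Constructed sample in the shape of FortiOS 'show firewall policy' output (assumption):
# policy 10 matches this section; policy 11 is the over-broad variant the audit should flag.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSL_VPN_tunnel_users"
        set dstaddr "Protected_LAN"
        set action accept
        set service "ALL"
    next
    edit 11
        set srcintf "ssl.root"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""
def parse_policies(text: str) -> dict:
    """Return {policy_id: {setting: [values]}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("edit "):
            current = line.split(None, 1)[1]
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            # Address settings may list several quoted names; keep them all.
            policies[current][key] = rest.replace('"', "").split()
        elif line == "next":
            current = None
    return policies
def audit_sslvpn_policies(text: str) -> dict:
    """Findings per policy whose source interface is an SSL VPN virtual interface."""
    findings = {}
    for pid, s in parse_policies(text).items():
        if not any(i.startswith("ssl.") for i in s.get("srcintf", [])):
            continue
        issues = []
        if s.get("action", ["deny"]) != ["accept"]:  # FortiOS default action is deny
            issues.append("action is not accept: tunnel traffic is dropped")
        if "all" in s.get("srcaddr", []):
            issues.append("srcaddr is all: restrict to the SSL VPN client address range")
        if "all" in s.get("dstaddr", []):
            issues.append("dstaddr is all: restrict to the protected network addresses")
        findings[pid] = issues
    return findings
```

Run it against the output of `show firewall policy` saved to a file; an empty list for a policy means it matches the shape of the policy described in this section.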
You must also add a static route for tunnel mode operation.