Chapter 16: SSL VPN
Create a tunnel mode security policy
If your SSL VPN will provide tunnel mode operation, you need to create a security policy to enable traffic to pass between the SSL VPN virtual interface and the protected networks. This is in addition to the SSL VPN security policy that you created in the preceding section.
The SSL VPN virtual interface is the FortiGate unit end of the SSL tunnel that connects to the remote client. It is named ssl.<vdom_name>. In the root VDOM, for example, it is named ssl.root. If VDOMs are not enabled on your FortiGate unit, the SSL VPN virtual interface is also named ssl.root.
To configure the tunnel mode security policy - web-based manager:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information and select OK.
Incoming Interface: Select the virtual SSL VPN interface, such as ssl.root.
Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients, such as SSL_VPN_tunnel_users.
Source User(s): Select to allow access only to holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field. See "Strong authentication with security certificates".
Outgoing Interface: Select the FortiGate network interface that connects to the protected network.
Destination Address: Select the firewall address that represents the networks and servers to which the SSL VPN clients will connect. To select multiple firewall addresses or address groups, select the plus sign next to the drop-down list.
Service: Select services in the left list and use the right arrow button to move them to the right list. Select the ALL service to allow the user group access to all services.
Action: Select Accept.
Enable NAT: Select Enable NAT (optional).
To configure the tunnel mode security policy - CLI:
    config firewall policy
        edit <id>
            set srcintf ssl.root
            set dstintf <dst_interface_name>
            set srcaddr <tunnel_ip_address>
            set dstaddr <protected_network_address_name>
            set schedule always
            set service ALL
            set action accept
            set nat enable
        next
    end
Here ssl.root is the SSL VPN tunnel interface (ssl.<vdom_name> when VDOMs are enabled), and set action accept is required for the policy to pass traffic; it corresponds to the Accept action selected in the web-based manager.
This policy enables the SSL VPN client to initiate communication with hosts on the protected network. If you want to enable hosts on the protected network to initiate communication with the SSL VPN client, you should create another Accept policy like the preceding one but with the source and destination settings reversed.
You must also add a static route for tunnel mode operation.
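As an added example (not Fortinet's code and not from this page), the following Python reads the 'config firewall policy' section of a FortiOS configuration backup and flags tunnel mode policies that were never given set action accept, or that point SSL VPN users at the "all" address object instead of the protected network; the sample configuration, policy IDs and address names are constructed.

```python
import shlex

# Constructed sample in FortiOS config-backup form (not from the original page):
# policy 11 was saved without "set action accept" and points tunnel users at "all".
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set srcaddr "SSL_VPN_tunnel_users"
        set dstaddr "Protected_servers"
        set service "ALL"
        set action accept
    next
    edit 11
        set srcintf "ssl.root"
        set srcaddr "SSL_VPN_tunnel_users"
        set dstaddr "all"
        set service "ALL"
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from a 'config firewall policy' block."""
    policies, current, in_section = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw) or [""]   # shlex strips the quotes FortiOS adds
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_section = True
        elif in_section and tokens[0] == "edit":
            current = policies.setdefault(tokens[1], {})
        elif in_section and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif in_section and tokens[0] == "end":
            break
    return policies

def audit_tunnel_policies(policies):
    """Findings for each policy whose source is an ssl.<vdom> tunnel interface."""
    findings = {}
    for pid, p in policies.items():
        if not any(i.startswith("ssl.") for i in p.get("srcintf", [])):
            continue
        # A backup omits default values, and the default action is deny.
        checks = [("missing-accept", p.get("action") != ["accept"]),   # tunnel traffic dropped
                  ("dstaddr-all", "all" in p.get("dstaddr", [])),      # wider than the protected network
                  ("service-all", "ALL" in p.get("service", []))]      # every service reachable; review
        findings[pid] = [code for code, hit in checks if hit]
    return findings
```

Run it against the 'config firewall policy' section of a real backup to confirm that every ssl.<vdom_name> policy accepts traffic and is scoped to the protected network address rather than "all".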
See Also
Routing for tunnel mode
Firewall addresses
Create an SSL VPN security policy
Split tunnel Internet browsing policy
Enabling a connection to an IPsec VPN