Saturday, March 20, 2010

SSL-VPN, fortinet

outside network ---> fortinet (office) --> netscreen (data center) --> switch -->

ssl.root is configured to be (when you connect using SSL-VPN + split tunneling, you are handed an IP in that range after auth).

And this IP, say, acts as the default gateway for all routes pushed in this split-tunneling setup.

1. create an IPsec VPN between the Fortinet and the Netscreen.
1a. create phase 1 and phase 2 on both sides. In phase 1, you gotta specify the remote gateway, along with pfs/nopfs, DH group, preshared/dsa/rsa, and digest version. Build phase 2 on top of this: here, you gotta specify local and remote addresses, say to on the Fortinet. Same on the Netscreen, under proxy ID.

2. create policies from untrust to trust, since is in the trust zone of the Netscreen and is coming in on the untrust interface. Bidirectional.

3. create policies on the Netscreen, and tick both inbound and outbound. Destination interface: wan/untrusted. Source interface: ssl.root, along with the addresses, as an ENCRYPT/IPSEC policy.

Now you'd think everything is ready, but that's not the case.

When you connect to the VPN, you don't see a route for However, when you manually add "route add mask", you can access the subnet.

So, how do you push routing entries to the client?

An SSL-VPN policy does the trick.

ssl.root ( ---IPSEC--- wan1 (

So, you gotta add an SSL-VPN policy from wan1 to wan1, with the data-center subnet as its destination: with split tunneling on, the destination addresses of the SSL-VPN policies are what get pushed to the client as routes, while the IPsec policy above actually carries the traffic.

wan1 ( --SSL-VPN--wan1 (
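As an added example (not from the original post), this is roughly what the whole setup looks like in FortiOS 4.x-era CLI. All addresses, object names and the PSK are placeholders, the Netscreen side is left out, and exact keywords (and the user-group settings the ssl-vpn action needs) vary by release, so treat it as a sketch of the policy layout rather than a paste-ready config.

```text
# Added example, not the post's own config. <SSL_POOL>, <DC_SUBNET>, <NETSCREEN_WAN_IP>
# and <PSK> are placeholders; keyword names are FortiOS 4.x-style and vary by release.
# 1/1a. Policy-based IPsec phase 1 + phase 2 toward the Netscreen
config vpn ipsec phase1
    edit "to-netscreen"
        set interface "wan1"
        set remote-gw <NETSCREEN_WAN_IP>
        set dhgrp 5                     # must match the Netscreen P1 proposal
        set proposal aes256-sha1
        set psksecret <PSK>
    next
end
config vpn ipsec phase2
    edit "to-netscreen-p2"
        set phase1name "to-netscreen"
        set pfs enable
        set dhgrp 5
        set src-subnet <SSL_POOL>       # local selector  = the ssl.root client pool
        set dst-subnet <DC_SUBNET>      # remote selector = the Netscreen proxy-id
    next
end
# 3. IPsec policy ssl.root -> wan1, inbound + outbound (the ENCRYPT/IPSEC policy)
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"   # address object covering <SSL_POOL>
        set dstaddr "DC_SUBNET"             # address object covering <DC_SUBNET>
        set action ipsec
        set vpntunnel "to-netscreen"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ANY"
    next
end
# The trick: an SSL-VPN policy wan1 -> wan1 with the DC subnet as destination.
# Split tunneling pushes the dstaddr of SSL-VPN policies to the client as routes,
# so this policy hands the client the route; the ipsec policy above carries it.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "DC_SUBNET"
        set action ssl-vpn
        set schedule "always"
        set service "ANY"
    next
end
```

A quick check after reconnecting is to print the client's routing table and confirm the data-center subnet now points at the SSL-VPN gateway address without any manual "route add".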
