Saturday, March 20, 2010

SSL-VPN, fortinet

outside network ---> fortinet (office) --> netscreen (data center) --> switch --> 172.31.0.0/24

ssl.root is configured as 10.100.0.0/24 (when you connect using SSL-VPN with split tunneling, you are handed an IP in that range after authentication).

This IP, say 10.100.0.3, acts as the gateway for every route pushed by split tunneling.


1. create an IPsec VPN between the fortinet and the netscreen.
1a. create phase 1 and phase 2 on both sides. In phase 1, you gotta specify the remote gateway, along with PFS/no PFS, DH group, preshared key/DSA/RSA, and digest version. Build phase 2 on top of this: here you gotta specify the local and remote addresses, say 10.100.0.0/24 to 172.31.0.0/24 on the fortinet. Same on the netscreen, under proxy ID.

2. create policies from untrust to trust, since 172.31.0.0 is in the trust zone of the netscreen and 10.100.0.0/24 comes in on the untrust interface. Bidirectional.

3. create policies on netscreen, tick both inbound and outbound. Destination interface: wan/untrusted. Source interface: ssl.root, along with the addresses, ENCRYPT/IPSEC policy.

Now you think everything is ready, but it is not.

When you connect to the VPN, you don't see a route for 172.31.0.0. However, when you manually add "route add 172.31.0.0 mask 255.255.255.0 10.100.0.3" on the client, you can reach the 172.31.0.0/24 subnet.

So, how do you slap routing entries onto the client?

The SSL-VPN policy does the trick.


ssl.root (10.100.0.0/24) ---IPSEC--- wan1 (172.31.0.0/24)

So, you gotta add an SSL-VPN policy from wan1 to wan1:

wan1 (0.0.0.0/0) --SSL-VPN--wan1 (172.31.0.0/24)
