Configure Remote Access: VPN Client-to-Site
Using a VPN allows you to organize secure remote access to corporate services and data hosted on Selectel infrastructure via the Internet. Using Selectel's FortiGate hardware firewall, you can set up remote access to organizations' private networks based on SSL, IPsec and L2TP over IPsec technologies, using various software installed on remote users' computers, laptops and cell phones, such as:
- Fortinet's FortiClient client;
- a client from Cisco;
- through the operating system.
Creating a VPN tunnel on the firewall requires that the already were determined:
- external interface through which the devices will be connected;
- internal network;
- Access to the FortiGate web interface.
SSL-VPN Modes
-
Tunnel mode is a mode in which the SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over an HTTPS link between the user and the FortiGate unit. Tunnel mode supports multiple protocols and applications. Tunnel mode requires a standalone SSL-VPN client, FortiClient, to connect to the FortiGate. FortiClient adds a virtual network adapter, designated fortissl, to the user's computer. This virtual adapter dynamically obtains an IP address from the FortiGate each time the FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is encapsulated in SSL / TLS. The main advantage of tunnel mode over web mode is that once the VPN is established, any IP network application running on the client can send traffic through the tunnel. The main disadvantage is that tunnel mode requires the installation of a software VPN client that requires administrator privileges;
-
Web mode — A mode that provides network access using a web browser with built-in SSL encryption. Users authenticate to the FortiGate SSL VPN Web Panel, which provides access to network services and resources including HTTP / HTTPS, Telnet, FTP, SMB / CIFS, VNC, RDP and SSH. The Bookmarks section of the SSL-VPN portal page contains links to all or some of the resources available for the user to access. The Quick Connection widget allows users to enter the URL or IP address of the server they wish to connect to. The web-SSL-VPN user uses these two widgets to access the internal network. The main advantage of the web mode is that it usually does not require additional software to be installed. This mode has the following limitations:
- all interaction with the internal network must be done exclusively using a browser (through a web portal). External network applications running on the user's computer cannot send data through the VPN;
- A secure HTTP / HTTPS gateway mechanism that does not work to access everything, but only a few popular protocols such as HTTP, FTP and Windows shares.
-
Split mode is a tunnel mode enabled tunnel mode that routes traffic only to the specified network through the FortiGate unit. When split tunneling is enabled, only traffic destined for the private network behind the remote FortiGate unit is routed through the tunnel. All other traffic is sent through the normal encrypted route;
-
Full mode — Tunneling mode, when split tunneling is disabled, all IP traffic generated by the client computer, including Internet traffic, is routed through the SSL-VPN tunnel to the FortiGate unit. This sets the FortiGate as the default gateway for the host. You can use this method to apply security features to traffic on these remote clients and to monitor or restrict Internet access. This increases latency and bandwidth utilization.
Configure SSL VPN
Create user groups
Users will be given remote access and will be able to utilize SSL VPN technology.
- Go to the field User & Authentication → User Definition → Create New.
- Create a local user, provide a username and password, and contact information if necessary.
- Merge the created users into a group.
- To create a user group, go to the User & Authentication → User Groups → Create New.
- Specify the group name, Firewall type, and group members created previously.
Create an SSL VPN tunnel
- Go to the field VPN → SSL-VPN Portal → Create New.
- Specify the name, include Tunnel Mode.
- In the field Source IP Pools specify the address pool (IP Range) that will be assigned to remote users. You can add a pool created by default SSLVPN_TUNNEL_ADDR1, or your own, customized in a similar way.
In the portal settings, you can also enable client checks, restrict certain OS versions, and set other client connection parameters.
Split mode
When split tunnel is created, traffic is routed only to the designated network.
- Activate Enable Split Tunneling.
- Select Routing AddressTo determine the destination network that will be routed through the tunnel, that is, these addresses will be accessed by remote clients.
- Click + and select an address from the existing ones.
- To create an address in the pop-up window, click the button Create or in the field Policy & Objects → Addresses → Create New.
Full mode
If necessary full mode tunnelIf you want all remote client traffic to pass through the FortiGate unit, the parameter Enable Split Tunneling needs to be turned off.
Web mode
Another setting is the parameter Enable Web Modeto enable the mode web. Here you can choose from:
- portal name (field Portal Message);
- design;
- other settings.
Of greatest interest is the field of User Bookmarks — option allows users to create their own bookmarks. In the field Predefined Bookmarks you can create bookmarks centrally for all users. For example, you can create a bookmark for connecting to a remote desktop via RDP. This completes the configuration of SSL Tunnel itself.
Configure general SSL VPN settings
- Go to the field VPN → SSL-VPN Settings.
- Specify the "listening" interface, that is, the external interface to which connections from remote users (wan1 in this example) will arrive, and the port on which they will connect. When defining the port, it can be the same as others that are defined for administrative access. For example, the default is 443, which may conflict with the HTTPS port, and the FortiGate unit will display the following message:
- Specify in the parameter Restrict Access significance Allow access from any hosts or, if you want to restrict access, press Limit access to specific hosts and grant access to specific hosts.
- Specify the period of inactivity after which the user will be forcibly disconnected from the VPN by enabling the parameter Idle Logout and determining the value in the parameter Inactive Forthe default is 300 seconds.
- Select the certificate for the parameter Server Certificate. This certificate is used to authenticate and encrypt SSL VPN traffic. By default, it is the built-in Fortinet_Factory. It is possible to work with the built-in certificate, but users will see a warning that the certificate is invalid because there is no CA certificate in the certificate store that signed the current SSL certificate. It is recommended to purchase a certificate for your server and download it for authentication.
Add a certificate for authentication
-
Go to the section System → Certificates.
-
Make sure that in the System → Feature Visibility included Certificates.
-
Select Import → Local Certificate.
-
In the window that appears, set Type — Certificate.
-
Download Certificate file and Key file for your certificate and enter the password in the Password.
-
The server certificate will appear in the list Certificates.
-
Install a CA certificate, which is a certificate that signs both the server certificate and the user certificate, for example, to authenticate SSL VPN users. To do this, under System → Certificates select Import → CA Certificate.
-
In the window that appears, set Type — File and download the certificate file.
-
CA certificate will appear in the list External CA Certificates.
-
Configure PKI users and a user group to use certificate authentication by using the CLI to create PKI users:
config user peer
edit pki01
set ca CA_Cert_Name
set subject User_Name
next
end -
Make sure that the subject matches the name of the certificate user. When you create a PKI user, a new menu is added to the GUI where you can continue with the configuration.
-
Go to User & Authentication → PKIto select a new user.
-
Click Editto edit the user account and set the Two-factor authentication.
-
Make sure that this user is in the user group for the SSL VPN created earlier (see "SSL VPN User Group" in this chapter). Creating a user group).
You can also verify remote user certificates by enabling the parameter Require Client Certificate. In the section Authentication/Portal Mapping you need to map an SSL portal to a user group. By default, all users have access to the same portals. This table allows you to map different portals to different user groups. Create a new entry in the table by clicking Create New and defining the portal and user group. After configuration, click Apply and proceed to create the security policy.
Customize the policy
In order for users to successfully connect to our VPN and have the necessary access, we need to create a policy that allows access from the ssl.root interface to the local network interface.
- Go to the field Policy & Objects → Firewall Policy → Create New.
- Specify the name of the policy, the inbound interface should be SSL-VPN tunnel interface(ssl.root).
- Select the outgoing interface, in this case it is the internal lan interface.
- In the field Source select previously created user group in this case it's SSLVPNGROUP, and the address object all.
- In the field Destination select the desired local network.
- Specify the required services and save the policy.
Customize FortiClient
The FortiNet FortiClient is available for free download at official website. FortiClient is compatible with multiple platforms, with free SSL VPN available on each platform. You can also purchase a license for the client, which provides additional features and technical support. For usage and compatibility details, please also visit the official website at Technical Specification.
To configure the connection on the client:
- Go to the section REMOTE ACCESS and select SSL-VPN.
- Specify the connection name, the FortiGate IP address, and the port the client is connecting to (configured under Configuring the SSL VPN General Settings).
- If necessary, select certificates and authentication options (either prompt for login and password each time you connect, or save the login).
- Save this connection.
- Try connecting with the connection name, username, and password.
If the SSL portal was previously allowed to have web modeIf you are using a browser, you can connect using the browser, or you can use a created bookmark without using FortiClient:
- Enter the address of your FortiGate unit and the port on which the connection is available in the address bar (see in the Configuring the SSL VPN General Settings).
- Authorize by entering your user name and password.
Configure IPSec VPN
Create user groups
To create a VPN tunnel over IPsec, you must create users who will be granted remote access and group them together.
- Go to the field User & Authentication → User Definition → Create New.
- Create a local user, provide a username and password, and contact information if necessary.
- Merge the created users into a group.
- To create a user group, go to the User & Authentication → User Groups → Create New.
- Specify the group name, Firewall type, and group members created previously.
IPSec Wizard
To create the tunnel itself, you can use a special IPsec Wizard that provides the necessary configuration templates:
- Go to the section VPN → IPsec Wizard.
- At the stage VPN Setup enter the name of the tunnel.
- Select the type of tunnel Remote Access and the type of remote device Client-based and FortiClientThis indicates that the FortiClient client is being used to connect.
- Press the button Next.
- At the stage Authentication Specify the incoming interface on which connections will be received (in this case it is wan1).
- Select the authentication type: Pre-shared key or certificate. In this case, a secret key is selected and its value is entered in the Pre-shared key parameter.
- Specify previously created user group who will be granted access for connections.
- At the stage Policy & Routing specify the local interface in the drop-down menu to which remote clients will connect.
- In the parameter Local Address specify the subnet to which users will have access. In this case, the selected address object is all.
- To select a specific subnet, press + and select an address from the existing ones.
- To create an address in the pop-up window, click the button Create or in the field Policy & Objects → Addresses → Create New.
- In the field Client Address Range specify the address pool that will be assigned to remote clients on connection.
- Make sure that these addresses do not match the internal addressing. Leave in Subnet Mask default value.
- Field DNS Server allows you to select the DNS server that remote users will use when connecting to the tunnel. In this case, the following is selected systemic.
- Parameter Enable Split Tunnel Allows you to give users access to only specific subnets, rather than letting all of their traffic go through the FortiGate.
- Option Allow Endpoint Registration allows you to obtain various information about remote points and make decisions based on this information (for example, whether to allow a remote point to connect or not).
- At the stage Client Options you can configure client options: password saving, auto-connection and continuous connection.
- After the performed actions, the tunnel is created and a summary of the objects created by the assistant appears on the screen.
Connect FortiClient
The FortiNet FortiClient is available for free download at official website. FortiClient is compatible with multiple platforms, with free SSL VPN available on each platform. You can also purchase a license for the client, which provides additional features and technical support. For usage and compatibility details, please also visit the official website at Technical Specification.
To configure the connection on the client:
-
Go to REMOTE ACCESS and select IPsec VPN.
-
Specify the connection name, FortiGate IP address, and authentication method. In this case, select Pre-shared key and enter the secret key value as previously configured.
-
In the Authentication field, select:
- option Prompt on loginIf you want FortiClient to prompt you for a username and password each time you connect;
- option Save loginIn this case, you must enter the login in the Username field. In this case, you must enter the login in the Username field.
-
Save this connection.
After that, select the name of the saved connection, enter the user name created in step 1 and its password, and click the Connect.
Configure L2TP over IPsec
Create user groups
To create a VPN tunnel over IPsec, you must create users who will be granted remote access and group them together.
- Go to the field User & Authentication → User Definition → Create New.
- Create a local user, provide a username and password, and contact information if necessary.
- Merge the created users into a group.
- To create a user group, go to the User & Authentication → User Groups → Create New.
- Specify the group name, Firewall type, and group members created previously.
IPSec Wizard
To configure an L2TP tunnel over IPsec:
- Go to VPN → IPsec Wizard, to use a special assistant.
- Select the type of template Remote Access.
- In the parameter Remote Device Type — Native and Windows Native.
- In the field Name enter a name for the tunnel.
- Select as Incoming Interface external interface through which remote users will connect. In this case it is wan1.
- For Authentication Method Select Pre-shared Key and enter the value of the secret key in the field below. This key must be entered on the client when configuring the VPN connection.
- In the parameter User Group enter created user group.
- At the stage Policy & Routing specify the local interface in the drop-down menu to which remote clients will connect.
- In the parameter Local Address specify the subnet to which users will have access. In this case, the selected address object is all.
- To select a specific subnet, press + and select an address from the existing ones.
- To create an address in the pop-up window, click the button Create or in the field Policy & Objects → Addresses → Create New.
- In the field Client Address Range specify the address pool that will be assigned to remote clients on connection.
- Make sure that these addresses do not match the internal addressing.
- Leave it in Subnet Mask default value.
- Press the button Create.
After that, the tunnel will be created and a summary of the created objects will appear on the screen.
To set up a connection in Windows
- Go to Network and Sharing Center → Set up a new connection or network.
- In the window that appears, select the option Connect to a workplace, then → Use my Internet connection (VPN).
- In the field Internet address enter the FortiGate's IP address.
- In the field Destination name enter the name of the connection to be created.
- After that, the created connection will appear among the available networks.
- In the window. Network and Sharing Center tab Change adapter settings.
- Among the networks that appear, select the VPN connection you created.
- Right-click to select Properties.
- In the window that appears Properties tab Security.
- In the parameter Type of VPN select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
- Go to Advanced settings.
- Select an option Use preshared for authentication.
- In the field Key enter the value of the secret key that you specified when to set up a tunnel on the FortiGate.
- Press the button OK to connect.
- Enter the username you created earlier and the password for it.