Holy
Contributor

VDOM 1 over root SSL VPN

Hello everybody, I am doing some VDOM testing in our company lab and I have one problem. I have two VDOMs, root and VDOM1; they have a vlink1 with no IP (0.0.0.0). The WAN and internal interfaces are in the root VDOM. On the internal interface I created a sub-interface (VLAN77) for my VDOM to be able to access our lab LAN. I created static routes for LAN and WAN (my WAN static route looks like 0.0.0.0 over vlink1). I created a Win7 VM machine and put it in VLAN77. I also created the firewall policies properly, so now I am able to connect clients on my LAN and I have access to the Internet. But I don't really understand how to configure the SSL VPN for my VDOM now. A virtual interface on root mapping to my vlink1 doesn't work properly... any ideas? Thank you in advance.

NSE 8 

NSE 1 - 7
7 REPLIES
Istvan_Takacs_FTNT

root VDOM:
1. SSL VPN policy to allow SSL VPN access to the firewall for user/group: from WAN to vlink, from all to VLAN, identity-based policy: user/group name, service ssl-vpn, portal.
2. Firewall policy to enable access to the VLAN from ssl.root: from ssl.root to vlink, source all, dst VLAN subnet, service all/x.

VLAN VDOM:
1. Enable access from the other side of the vlink: from vlink to VLAN, src all, dst VLAN subnet, service all/x.

That should do it. As you said, you have static routes in place to point at the vlink in the root VDOM to the VLAN and vice versa from the VLAN VDOM to root for the SSL VPN subnet. Run 'diagnose sniffer packet any "host VLAN IP"' in the root VDOM when you VPN in and ping the VLAN address. You can do the same in the VLAN VDOM to see the packet flow. Use 'diagnose debug flow' to check that no policy is blocking the access.
Holy

Hi, thank you, that sounds good. I will try it tomorrow. But what about the IP address it should be accessed from on the Internet? Should I pick a specific port number for my VDOM1? Because the root VDOM already has an SSL VPN.

Holy

Hmmm... the problem is, I have only one public IP address, so I must use the virtual IP on the root VDOM. But there I need my public address with a port the SSL VPN will connect to and an IP that will be mapped in my VDOM1. But my vlink1 has an IP of 0.0.0.0... how can I solve this problem? If the vlink1 had a private IP like 192.168.2.1 I could easily map it, but my vlink1 has no IP....

Istvan_Takacs_FTNT

Not sure if I understand it correctly, but what I think you have is this:

Public IP - [root vDom] - unnumbered vDom link (root.vlink0) ---- unnumbered vDom link (root.vlink1) - [test vDom] -- private IP on VLANx

What I suggested would work with this configuration. Two policies on the root vDom to enable SSL VPN in and then to enable traffic going to the vDom link from ssl.root. One policy in the test vDom to enable traffic coming in from the vDom link to the LAN. You need static routes in root.vDom to the LAN subnet pointing at the vDom link (root.vlink0), and another static route in the test vDom pointing at the SSL VPN subnet range via the vDom link (root.vlink1). If you configured it correctly, the SSL VPN user as a minimum should be able to ping the firewall LAN IP address via the two vDoms. SSL VPN configuration is only required on the VDOM (root in your case) where you configured the public IP so they can connect to it remotely. VDOM links don't need to have IPs configured. Have a look at the documentation about the benefit of having/not having IPs on them.
Holy

I already set all the policies and routes right. The problem is, right now you can access the SSL VPN on the root VDOM over a public IP address 143.33.22.10:4443 (only an example address). Now I want to have an SSL VPN address over 143.33.22.10:4444 (for example), so actually I have to use the virtual IP on the root VDOM and map 143.33.22.10:4443 to my VDOM1 over the vlink. But I can't, because I have to enter an IP address for mapping public > private; I can't choose an interface. So the only way to do it is to give the vlinks IP addresses? You know what I mean?

bcallan
New Contributor II

I know this is pretty old, but it took some digging and experimentation to figure this out for my situation, where I wanted each tenant VDOM to retain control over SSLVPN authentication/settings, so I wanted to leave some crumbs for the next person. Here's what worked for me on an FG200D with a NAT root VDOM and multiple NAT tenant VDOMs.

1 - Create a VDOM link between root and the tenant VDOM with an IP on each end (e.g. root=10.10.10.9/30, tenant=10.10.10.10/30).
2 - Create a VIP in root for the external interface/IP mapped to the tenant VLink IP (I also port-forwarded the SSLVPN port).
3 - Create a policy in root to permit from the external interface to the VLink interface, from All to the VIP object, service=SSLVPN port, with NAT. You do lose visibility of the client source address doing this, but that was acceptable for me. Alternatively you can disable NAT, but then you have to create a route to get back to the un-NAT'd source via the root VLink IP in the tenant VDOM, which could be troublesome if you already have default routes going somewhere else; policy routes might help.
4 - Configure tenant SSLVPN portals and settings as desired; make sure to add the tenant VLink interface to the "Listen on Interfaces:" list or use "Any".

In my case, I wanted to use only one external IP for all tenant SSLVPN portals, so each tenant has a unique SSLVPN listening port, and each VIP and policy in the root VDOM reflects that.
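The four steps above written out as FortiOS CLI, as an added example rather than bcallan's own configuration: it assumes the external interface is wan1, the tenant VDOM is named "tenant", the tenant's SSL VPN port is 4444, the public address is the placeholder PUBLIC_IP, and the link addresses are the 10.10.10.8/30 pair quoted in the post.

```fortios
# Global: VDOM link with an IP on each end (addresses as in the post)
config global
    config system vdom-link
        edit "vlink"
        next
    end
    config system interface
        edit "vlink0"
            set vdom "root"
            set ip 10.10.10.9 255.255.255.252
        next
        edit "vlink1"
            set vdom "tenant"
            set ip 10.10.10.10 255.255.255.252
        next
    end
end
# Root VDOM (config vdom / edit root): port-forwarding VIP and inbound policy
config firewall vip
    edit "vip-tenant-sslvpn"
        set extintf "wan1"
        set extip PUBLIC_IP
        set portforward enable
        set extport 4444
        set mappedip "10.10.10.10"
        set mappedport 4444
    next
end
config firewall service custom
    edit "SSLVPN-4444"
        set tcp-portrange 4444
    next
end
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "vlink0"
        set srcaddr "all"
        set dstaddr "vip-tenant-sslvpn"
        set action accept
        set schedule "always"
        set service "SSLVPN-4444"
        set nat enable
    next
end
# Tenant VDOM (config vdom / edit tenant): SSL VPN listens on its link end
config vpn ssl settings
    set port 4444
    set source-interface "vlink1"
end
```

With NAT enabled on the root policy the tenant VDOM sees the root-side link address as the client source, as step 3 notes; if you disable it, the tenant VDOM needs a route back to the real client addresses via the root VLink IP.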
emnoc
Esteemed Contributor III

We have the same setup but a different approach:

1: we have an sslvpn listener in each tenant & on the inter-VDOM link (we route the public over this "wan link")
2: fwpolicies that allow the root VDOM to that sslvpn listener
3: port 443 is used since each public is a unique address within that VDOM
4: an LDAP auth server for that VDOM
5: a user local/group for that VDOM
6: obviously correct sslvpn policies per VDOM

The VIP approach would work just fine also, and you can move all VIPs to wan1 (for example) of vdom-root and chew up an IPv4 address at the root VDOM.

In each case the "root" VDOM is the controlling factor, six or half a dozen but the same outcome. fwpolicy sessions are in all VDOMs that are applicable.

 

Ken

PCNSE 

NSE 

StrongSwan