5.4.5, SSLVPN full tunnel mode and virtual-wan-link

Author: bmekler
2017/06/30 01:24:07

I'm trying to consolidate several WAN links on a 100D running 5.4.5 into a WAN LLB link, and there is a problem: we're using SSL VPN full tunnel mode (not split tunnel) and there does not appear to be a way to create an ssl.root -> virtual-wan-link policy; selecting one removes the other from selection option. Is there some prerequisite for this that I'm missing, or are WAN LLB and SSL full tunnel modes currently incompatible?
#1


    topetry
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2017/07/04 22:42:16
    Yesterday I was running into the same thing. To create the WAN LLB interface I had to free up our two WAN interfaces, so I replaced them with an unused interface in all policies. After this I created the WAN LLB interface and reassigned it to the policies. The redundant Internet connection was working as expected, but I couldn't assign the WAN LLB interface or one of the two physical WAN interfaces to the SSL.root<->WAN policy. After this I rolled back. I'm also using 5.4.5, and now I'm also questioning whether these two features (WAN LLB and SSL VPN) are incompatible (within the same VDOM)?
    #2
    bmekler
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2017/07/05 00:29:30
    I opened a ticket with support and they told me as much. I suppose I'll have to use zones when I need full tunnel VPN, same way I did before they added WAN LLB in 5.2.
    #3
    Sunil Panchal_NSE7
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2017/07/05 01:03:44
    Dear friends,
    WAN load balancing and SSL VPN are two different technologies. In WAN load balancing you are going out with different public IPs, because you have merged all WANs to get a redundant Internet connection, and the WAN connection is terminated on your firewall with a gateway and static routes.
    But in SSL VPN you first find the public IP, then you log in using credentials.
    You can merge WAN IPs from outside to use that service. Per WAN port there is a separate SSL link that needs to be created.
    Maybe FortiOS 5.6 can help you with that.
     
    Best regards
    #4
    topetry
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2017/07/05 01:23:12
    Hi. It's clear that we are talking about two different features, but it seems that if you make use of WAN LLB you are not able to use SSL VPN tunnel mode. For SSL VPN tunnel mode you need to have an ssl.root-internal and an ssl.root-wan policy. The thing is that if you have bundled the WAN interfaces into a WAN LLB link, you are not able to select one of these interfaces for the ssl.root-wan policy. They are not offered for selection. In theory it should be possible to use the WAN LLB feature for outgoing connections only and leave SSL VPN untouched, but it isn't implemented this way. The tutorial for 5.6 looks the same.
    #5
    bmekler
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2017/07/05 02:58:24
    Exactly, and you can still use SSL VPN with WAN LLB - you can select the individual WAN interfaces in SSL VPN settings as available for incoming connections, and you can create ssl.root -> whatever interface policies just fine, so split tunnel mode works, except for ssl.root -> virtual-wan-link which denies you full tunneling.
    #6
    Rafael Rosseto
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2017/08/22 07:40:44
    So it's not possible to use SSL VPN with WAN link to route some traffic to the Internet via VPN, in version 5.4?
     
    I was running version 5.2.10 and it worked fine; then I upgraded to 5.4.5, and now I'm not able to configure this anymore.
    #7
    Rafael Rosseto
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2017/08/22 07:51:03
    Just to add some info: if I create a rule with dstinterface ANY, the traffic is routable to the Internet, but using ANY is not acceptable to me.
    #8
    Fullmoon
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2017/08/22 18:13:48
    In FortiOS 5.6.x you now have the capability to create a rule from ssl.root to WAN LLB.

    Fortigate Newbie
    #9
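The configuration shape that posts #8 and #9 are arguing about, written out as an added example. This is not code from the thread and not Fortinet documentation; it is the FortiOS CLI form of a full-tunnel SSL VPN whose Internet-bound traffic is sent to the virtual-wan-link, which post #9 reports is accepted on 5.6.x (on 5.4.5 the thread reports the interface is simply not offered). The interface names wan1, wan2 and internal, the address objects SSLVPN_TUNNEL_ADDR1 and LAN_SUBNET, the user group sslvpn_users, the portal name and the policy IDs are assumptions.

```fortios
# Added example, not from the thread. Interface, address, group and policy
# names below are assumptions; adapt them to the VDOM in question.

# 1. Both physical WAN members stay listeners for the SSL VPN itself.
#    Post #6 notes the members remain selectable here even as LLB members.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1" "wan2"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn_users"
            set portal "full-tunnel"
        next
    end
end

# 2. Full tunnel: split tunnelling off, so the client routes 0.0.0.0/0
#    into the tunnel and the firewall must provide the Internet path.
config vpn ssl web portal
    edit "full-tunnel"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 3. Policies. Source is pinned to the tunnel pool and the user group,
#    never "all", so a policy hit implies an authenticated VPN session.
config firewall policy
    # LAN reachability for VPN users (needed in split- and full-tunnel mode)
    edit 10
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_SUBNET"
        set groups "sslvpn_users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Internet via the load-balanced WAN: the ssl.root -> virtual-wan-link
    # policy the thread could not create on 5.4.5 (post #9: works on 5.6.x)
    edit 11
        set name "sslvpn-to-internet"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpn_users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

Compared with the `dstintf any` workaround from post #8: a single ssl.root policy with dstintf any and dstaddr all matches every egress interface, so it hands VPN users the Internet and every internal subnet through one rule with no per-destination address control. The pair above keeps the LAN policy and the Internet policy separate, each with its own dstaddr, and only the Internet policy does NAT. Before relying on either form, confirm the policy pair is actually hit (rather than an implicit deny) with a session or traffic log from a test client once the SSL VPN is up, and keep the srcaddr limited to the tunnel pool so nothing else that arrives on ssl.root can match.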
    David P28
    Re: 5.4.5, SSLVPN full tunnel mode and virtual-wan-link 2020/10/28 01:33:28
    Thank you for your answer. I knew that my firmware was old, but it worked perfectly until now. So I will try to migrate my devices this week and give you the result.
    Best regards,
    #10