bmekler
New Contributor III

5.4.5, SSLVPN full tunnel mode and virtual-wan-link

I'm trying to consolidate several WAN links on a 100D running 5.4.5 into a WAN LLB link, and there is a problem: we're using SSL VPN full tunnel mode (not split tunnel) and there does not appear to be a way to create an ssl.root -> virtual-wan-link policy; selecting one removes the other from the selection options. Is there some prerequisite for this that I'm missing, or are WAN LLB and SSL full tunnel modes currently incompatible?

topetry
New Contributor

Yesterday I was running into the same thing. To create the WAN LLB interface I had to free up our 2 WAN interfaces, so I replaced them with an unused interface in all policies. After this I created the WAN LLB interface and reassigned it to the policies. The redundant internet connection was working as expected, but I couldn't assign the WAN LLB interface or one of the two physical WAN interfaces to the SSL.root<->WAN policy. After this I rolled back. I'm also using 5.4.5 and now I'm also questioning if these 2 features (WAN LLB and SSL VPN) are incompatible (within the same vdom)?

bmekler
New Contributor III

I opened a ticket with support and they told me as much. I suppose I'll have to use zones when I need full tunnel VPN, same way I did before they added WAN LLB in 5.2.

Sunil_Panchal_NSE7

Dear friends,

WAN load balancing and SSL VPN are two different technologies. In WAN load balancing you are going out with different public IPs because you have merged all WANs to get redundant internet, and the WAN connection is terminated on your firewall with a gateway and static routes.

But in SSL VPN you first find the public IP, then using credentials you log in.

You can merge WAN IPs from outside to use that service. Per WAN port there is a separate SSL link that needs to be created.

Maybe FortiOS 5.6 can help you with that.

Best regards

topetry

Hi. It's clear that we are talking about two different features, but it seems that if you make use of WAN LLB you are not able to use SSL VPN tunnel mode. For SSL VPN tunnel mode you need to have an ssl.root-internal and an ssl.root-wan policy. The thing is that if you have bundled the WAN interfaces into a WAN LLB link you are not able to select one of these interfaces for the ssl.root-wan policy. They are not offered for selection. In theory it should be possible to use the WAN LLB feature for outgoing connections only and leave SSL VPN untouched, but it isn't implemented this way. The tutorial for 5.6 looks the same.

bmekler
New Contributor III

Exactly, and you can still use SSL VPN with WAN LLB - you can select the individual WAN interfaces in SSL VPN settings as available for incoming connections, and you can create ssl.root -> whatever interface policies just fine, so split tunnel mode works, except for ssl.root -> virtual-wan-link which denies you full tunneling.
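
As an added illustration (not code from any poster or from Fortinet), the pieces a full-tunnel SSL VPN behind a WAN LLB link needs, written in FortiOS CLI form: a portal with split tunneling disabled, the SSL VPN listener bound to the physical WAN members rather than the virtual link, and the two policies from ssl.root described in the thread. The portal name, the user group "sslvpn-users" and the port names wan1/wan2 are assumptions.

```fortios
# Portal: full tunnel, i.e. split tunneling disabled (portal name assumed)
config vpn ssl web portal
    edit "full-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
# Listener: bind SSL VPN to the physical WAN ports (the LLB members), not to virtual-wan-link
config vpn ssl settings
    set source-interface "wan1" "wan2"
    set source-address "all"
    set default-portal "full-tunnel-portal"
end
config firewall policy
    # ssl.root -> internal: LAN reachability for VPN clients
    edit 0
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
    next
    # ssl.root -> virtual-wan-link: Internet for full-tunnel clients via the LLB link.
    # The thread reports this pair cannot be selected in 5.4.5 but can in 5.6.x.
    edit 0
        set name "sslvpn-to-internet"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
        set nat enable
    next
end
```

Restricting srcaddr to the tunnel address pool and requiring a user group keeps the Internet policy from acting as the open "dstintf any" rule mentioned later in the thread.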

Rafael_Rosseto

So it's not possible to use SSL VPN with WanLink to route some traffic to the Internet via VPN, in version 5.4?

I was running version 5.2.10 and it worked fine, then I upgraded to 5.4.5, and now I'm not able to configure this anymore.

Rafael_Rosseto

Just to add some info: if I create a rule with dstinterface ANY, the traffic is routable to the Internet, but using ANY is not acceptable to me.

Fullmoon

In FortiOS 5.6.x you now have the capability to create a rule from ssl.root to WAN LLB.

Fortigate Newbie

David_P28
New Contributor II

Thank you for your answer. I knew that my firmware was old, but it worked perfectly until now. So I will try to migrate my devices this week and give you the result.

Best regards,
