Support Forum
Ali426
New Contributor

Remote access vpn - ssl tunnel mode vs ipsec tunnel

What is the difference between remote-access IPsec VPN and SSL VPN (tunnel mode)? As I understand it, SSL provides layer 7 security with web mode, and L3 security with tunnel mode.

ede_pfau
Esteemed Contributor III

You can use SSLVPN client-less, that is, from any browser, this is called web mode or portal mode. The portal only supports some protocols as proxy which might or might not meet your needs.

Then, you can install SSLVPN in tunnel mode which allows you to use any protocol. On the remote side you need the (free) FortiClient software for this.

SSLVPN has a much higher impact on the FGT's CPU as it cannot be offloaded onto a hardware acceleration chip. You find the recommended maximum SSL VPN users for each model in the Maximum Values table available on docs.fortinet.com.

 

IPsec on the other hand is typically used for site-to-site tunnels but is suitable for host-to-site settings as well. You will always need a software client for IPsec on the host, which in this case could again be the FortiClient. All protocols are supported across the tunnel.

 

I personally prefer IPsec remote dial-in as it scales far further than SSLVPN. Even the smallest desktop FGT can sustain dozens of IPsec tunnels without problems.

 

The only scenario where SSLVPN is superior is when the remote user is located in, for instance, a hotel. Some hotel Wi-Fi/LANs do not permit non-standard ports (for no reason at all). IPsec at least needs UDP ports 500 and 4500 outbound to work. In this case, SSLVPN (using the HTTPS port 443) is the only way out. Luckily, you can configure both and let your users use SSLVPN as a fallback. You can even reuse the user group for both kinds of VPN.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

Okay, two reasons: SSLVPN is ideal when you don't want to offer a remote client to various host OSes, or you only need a web-portal-only setup.

 

IPsec is well supported and most devices have a native IPsec client (iPhone, Android, Windows, Mac OS X, Linux), so it's an open standard and does not require an SSLVPN unique-vendor client, or IPsec clients are freely available.

 

The problems you will encounter with both are access from remote networks outside of your domain:

 

1: some might not allow IPsec, as Ede pointed out (protocol 50 and IKE could be blocked)

2: some might have a local HTTP/HTTPS proxy which will break SSLVPN tunnel-mode more (again, transparent or explicit proxies or even URL categorization policies)

3: IPsec dynamic tunnels are more immune against MiTM, whereas SSLVPN web-mode or even tunnel-mode could easily be MiTM'd, unknown to the end users

4: Since more individuals are trusting of the CA model and most SSLVPN deployments do not install a CA-trusted cert (the self-signed Fortinet cert, for example), they would have no knowledge if they are MiTM'd or tampered with by some unknown appliance (in regards to #4)

 

 

You pick your options and go with what you need. SSLVPN will also be more process intensive than IPsec, IMHO. So if you had 50 IPsec dynamic tunnels vs. 50 SSLVPN tunnels, the latter, based on my experience, will always consume more CPU/memory.

 

Things to consider:

 

1: what endpoints need remote access

2: do you need only portal-like access

3: do you need to assign and tunnel traffic

4: do all of the endpoints support SSLVPN tunnel-mode, and does a client exist (OS support)

5: do you need any of the other security features of the FortiClient

6: do you need to enforce policy for the remote client (again, the FortiClient does this or has that allowance)

7: do you need CA-issued certs

8: do you need mutual client-side certs

9: can you use/need MFA or hybrid authentication

10: can you risk a MiTM device between the VPN gateway and the "remote client"

 

One is not always better than the other, so always research your needs, goals, requirements ;)

 

 

 

PCNSE 

NSE 

StrongSwan  
Toshi_Esumi
Esteemed Contributor III

A couple of things I want to comment on in addition to Ede's and Ken's:

- Tunnel mode SSL VPN is available only with FortiClient, starting from some point in the past due to a vulnerability issue, if I remember correctly.

- From the user's aspect, only one IPsec VPN can be established from one source IP. You can't set two IPsecs up behind the same NAT, like two employees at the same hotel trying to set up a VPN from their laptops. Only one comes through. With SSL VPN, it doesn't matter.

Ali426

I see, in tunnel mode the remote user's real IP will be encapsulated with the remote IP pool (which we define in the firewall). In web mode the user's real IP cannot be encapsulated, and we can see the remote user's actual IP in FortiGate VPN monitoring.
emnoc
Esteemed Contributor III

"You can't set two IPsecs up behind the same NAT, like two employees at the same hotel trying to set up a VPN from their laptops. Only one comes through."

 

 

Hmm... With XAuth the peer ID is identified within the IKE exchange. So I have to disagree. This is how multiple sources behind a NAT can establish dynamic VPNs.

 

Each IKE tunnel would have the same src (different source port), and each client tunnel is unique due to the IKE peer-id.

 

Ken

PCNSE 

NSE 

StrongSwan  
Toshi_Esumi
Esteemed Contributor III

Ok, I'll test it later.

Toshi_Esumi
Esteemed Contributor III

I was wrong. I set up a dialup vpn at FG50E via GUI (to avoid any bias) and I'm not connected from two PCs to it via the same NAT. I even used the same user account. Both are up and functioning.

 

My apologies.
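A small Python model of the point Ken makes above and Toshi's test confirms: a port-translating NAT gives each inside laptop its own outer UDP port, and a gateway that keys IKE SAs on outer IP, outer port and IKE ID keeps both tunnels, while keying on the outer IP alone would let the second dial-in replace the first. This is an added example, not code from the thread or from Fortinet; the NAT, the gateway, the XAuth user name and the RFC 5737 addresses are constructed assumptions.

```python
"""Constructed model of two IKE dial-up clients behind one NAT (not Fortinet code)."""
from dataclasses import dataclass

NAT_T_PORT = 4500  # UDP port used once IKE NAT traversal is negotiated


@dataclass(frozen=True)
class IkePacket:
    src_ip: str
    src_port: int
    peer_id: str  # IKE identity carried inside the exchange (XAuth user here, assumed)


class Nat:
    """Port-address translation: one public IP, a fresh outer port per inside flow."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = first_port
        self.table: dict[tuple[str, int], int] = {}  # (inside ip, inside port) -> outer port

    def translate(self, inside_ip: str, pkt: IkePacket) -> IkePacket:
        key = (inside_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self._next_port
            self._next_port += 1
        return IkePacket(self.public_ip, self.table[key], pkt.peer_id)


class Gateway:
    """Dial-up VPN gateway; key_on_ip_only models the assumption that one
    outer IP can hold only one tunnel."""

    def __init__(self, key_on_ip_only: bool = False):
        self.key_on_ip_only = key_on_ip_only
        self.sas: dict = {}

    def accept(self, pkt: IkePacket) -> int:
        key = pkt.src_ip if self.key_on_ip_only else (pkt.src_ip, pkt.src_port, pkt.peer_id)
        self.sas[key] = pkt  # a repeated key silently replaces the earlier SA
        return len(self.sas)


def dialup_behind_nat(key_on_ip_only: bool = False) -> int:
    """Two laptops on the same hotel LAN dial in with the same XAuth user
    (as in Toshi's test); returns how many IKE SAs the gateway ends up holding."""
    nat = Nat("203.0.113.5")  # constructed public IP of the hotel NAT
    gw = Gateway(key_on_ip_only)
    for inside_ip in ("192.168.1.10", "192.168.1.11"):
        gw.accept(nat.translate(inside_ip, IkePacket(inside_ip, NAT_T_PORT, "alice")))
    return len(gw.sas)
```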

Toshi_Esumi
Esteemed Contributor III

English problem: I'm connected from two PCs...

emnoc
Esteemed Contributor III

I was wrong. I set up a dialup vpn at FG50E via GUI (to avoid any bias) and I'm not connected from two PCs to it via the same NAT. I even used the same user account. Both are up and functioning.   My apologies

 

No worries, I just wanted to correct you. The IKE peers will always display this in the diag vpn ike gateway output, IIRC.

 

 

 

PCNSE 

NSE 

StrongSwan  