The SSL VPN feature (also known as WebVPN) provides support for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer- (SSL-) enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support.
Secure Sockets Layer is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system that uses two keys to encrypt data – a public key known to everyone and a private or secret key known only to the recipient of the message. SSL VPN delivers three modes of SSL VPN access:. Clientless: Clientless mode provides secure access to private web resources and will provide access to web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases, and online tools that employ a web interface. Thin Client (port-forwarding Java applet): Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access protocol (IMAP), Telnet, and Secure Shell (SSH).
Tunnel Mode: Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application. There are few steps to set up an SSL VPN:. Configure a trust point. Create an account.
This lesson explains how to configure the Cisco ASA firewall to allow remote SSL VPN users to connect I’m only specifying the anyconnect client for Windows but if you want to support Linux or Mac OS X An external group policy could be on a RADIUS server. The VPN tunnel protocol is ssl-client. This chapter describes how to configure VPN connection profiles, group policies, and users. Profile” and “tunnel group” are often used interchangeably. CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.4. AnyConnect 3.1 supports true split DNS functionality for Windows and Mac OS X platforms.
Configure WebVPN. Test WebVPN Example In this example, there’s a VPN SSL server with tunnel mode and thin client functionality. The WebVPN service is listening to the address 1.
In this recipe, we will configure a site-to-site tunnel between a FortiGate 90D and a Cisco ASA 5505. Using 5.2 and Cisco ASDM 7.1, the example demonstrates how to configure the tunnel on each site, assuming that both devices are configured with appropriate internal (inside) and external (outside) interfaces. Note that this example uses the default encryption and authentication (SA proposal) settings of the Cisco ASDM IPsec VPN wizard. These are not necessarily the recommended settings. We will use the wizards to configure each end of the tunnel as it is much quicker. However, some customization will be required on the FortiGate to ensure that its SA proposal matches the Cisco ASA for each Phase. One of the most common reasons that tunnels between FortiGates and third-party products don’t work is because of mismatched settings.
1. Configuring the Cisco ASA using the IPsec VPN Wizard In the Cisco ASDM, under the Wizard menu, select IPsec VPN Wizard. Select Site-to-site, with VPN Tunnel set to outside, and click Next. In the Peer field, enter the IP address of the FortiGate unit. Under Authentication Method, enter a secure. You will use the same key when configuring the FortiGate. Configure Phase 1 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 2.
Configure Phase 2 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 1. Set the Local Networks and Remote Networks. Review the configuration before you click Finish. If prompted, Send the commands to the device.
The tunnel configuration on the Cisco ASA is complete. Next you must configure the FortiGate with identical settings, except for the remote and internal network. 2. Configuring the FortiGate using the IPsec VPN Wizard On the FortiGate, go to VPN IPsec Wizard. Enter a Name for the tunnel and select the Site to Site – Cisco template. Set Remote Gateway to the IP address of the outside interface on the Cisco ASA. The Outgoing Interface should automatically populate.
Enter the same Pre-shared Key used in the Cisco ASA configuration. Set Local Interface to the internal interface. The Local Subnets will automatically populate. Set Remote Subnets to the IP address range of the inside network on the Cisco ASA and click Create.
The IPsec VPN Wizard automatically creates the required objects, policies, and static routes required for the tunnel to function properly. Matching the encryption and authentication settings On the FortiGate, go to VPN IPsec Tunnels, and Edit the tunnel you just created. Select Convert to Custom Tunnel. Under Phase 1 Proposal, configure 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 2. Under Phase 2 Proposal Advanced, configure 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 1.
When you are certain that the tunnel settings match the Cisco ASA configuration, click OK. OPTION SETTING Phase 1 Encryption 3DES Phase 1 Authentication SHA1 Phase 1 DH Group 2 Phase 2 Encryption 3DES Phase 2 Authentication SHA1 Phase 2 DH Group 1 4. Results On the FortiGate, go to VPN Monitor IPsec Monitor. Right-click on the Site to Site – Cisco VPN and select Bring Up. From one of the internal networks, you should be able to successfully the other internal network. You will be able to see Incoming and Outgoing Data in the FortiGate IPsec Monitor. Go to Log & Report Event Log VPN to view the status of the tunnel negotiation.
Highlight an entry to view the status in greater detail. Troubleshooting For complete troubleshooting information, refer to.
Below are some troubleshooting tips. IPsec VPN troubleshooting tips Configuration problem Correction Mode settings do not match. Select complementary mode settings.
Peer ID or name of the remote peer or dialup client is not recognized by FortiGate VPN server. Check Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name. If you are configuring authentication parameters for dialup clients, refer to the. Preshared keys do not match. Reenter the preshared key.
Phase 1 or Phase 2 key exchange proposals are mismatched. Make sure that both VPN peers have at least one set of proposals in common for each phase. Traversal settings are mismatched.