Thread: Configure SSL-VPN on FortiGate 60

  1. #1

    Configure SSL-VPN on FortiGate 60

    Hello Everybody,

    I would like to know how I configure SSL-VPN on my FortiGate 60. I would like to create a username for my web browser. Can anybody provide me the correct logical steps for doing it? I would be grateful if anybody helps me resolve the above issue.

    Thanks.

  2. #2

    Re: Configure SSL-VPN on FortiGate 60

    The FortiGate can be used to create an encrypted tunnel between hosts. CRYPTO-MAS works in conjunction with the FortiGate to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a connection to gain access to protected resources. With CRYPTO-MAS acting as the authentication server for a VPN-enabled resource, an authenticated connection sequence would be as follows:
    1. The administrator configures the Fortinet FortiGate 60 to use RADIUS Authentication.
    2. The incoming RADIUS authentication request is relayed over to the CRYPTO-MAS Server.
    3. The CRYPTO-MAS Server examines the incoming packet. If the user exists, it then checks the token associated with the user for the expected PIN + One-time password.
    4. Once the PIN + One-time password is verified against the user’s token and it is valid, it will then send an access accepted.
    If the user does not exist, or the PIN + One-time password is incorrect, it will send the user an access reject message.
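
The RADIUS decision described in steps 2 to 4 of the post above, as an added example that is not part of the original thread and not CRYPTO-MAS or Fortinet code. It assumes the token generates RFC 4226 HOTP codes (the thread does not say which algorithm CRYPTO-MAS uses); the user name, PIN, key and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS packet codes (RFC 2865)

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide User-Password as in RFC 2865 section 5.2 (MD5 chain)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (assumed token algorithm, see lead-in)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed token store: one user with a PIN and an HOTP token.
TOKENS = {"alice": {"pin": "4321", "key": b"12345678901234567890", "counter": 0}}

def authenticate(user: str, hidden: bytes, secret: bytes, authenticator: bytes) -> int:
    """Steps 3 and 4: look up the user, verify PIN + OTP, pick the reply code."""
    token = TOKENS.get(user)
    if token is None:                       # unknown user
        return ACCESS_REJECT
    supplied = reveal_password(hidden, secret, authenticator)
    expected = (token["pin"] + hotp(token["key"], token["counter"])).encode()
    if not hmac.compare_digest(supplied, expected):
        return ACCESS_REJECT
    token["counter"] += 1                   # one-time: a replayed OTP now fails
    return ACCESS_ACCEPT
```

If the shared secret on the FortiGate and on the RADIUS server differ, `reveal_password` yields garbage and every login is rejected, which is the usual first thing to check when all users fail.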

  3. #3

    Re: Configure SSL-VPN on FortiGate 60

    Here's a best practice or simple configuration on setting this up:

    set zone name VPN
    set int tun.1 zone VPN
    set int tun.1 ip unnumbered interface <untrust port; ie...eth1>
    <bind vpn to tunnel.1 here and setup proxy-id>
    set pol from trust to vpn any any any per log
    set pol from vpn to trust any any any per log

    Now, if the tunnel doesn't come up, stay up, even after triple checking the proxy-id matches the Fortinet, then move it to a policy-based tunnel from untrust to trust with a matching policy.
