Different SSL VPN Methods on Different VDOMs
- February 23, 2016
- 1 reply
- 3384 views
Ahoy,
We are trialling a multi-VDOM approach to SSL VPN portals to allow us to have different host checking depending on the type of access required. I have set up a 100D with:
- root vdom: all physical interfaces and normal operations (IPsec VPN, LAN access etc.)
- Tunnel vdom: SSL VPN set up for tunnel mode only, with strict host checker
- Web vdom: SSL VPN for web access only, low-level host check (if any)
there are vdom links connecting root to tunnel and root to web.
Web is working OK except for an issue with SSO for intranet URLs, and also on the version we're running (5.2.3) I can't limit the type of bookmarks people can create (i.e. I only want them to have HTTP, HTTPS and RDP [not RDP Native]) as the config option is missing.
Tunnel is proving tricky. I have it mostly cracked now except for one slight snag: no traffic is flowing over it. Attached is a lovely MS Paint diagram of the config and setup with some rules (out of paranoia I have blanked out some stuff and changed our WAN IP).
I get this when I flow trace a connected SSL VPN tunnel client (10.220.16.10):
id=20085 trace_id=387 func=print_pkt_detail line=4378 msg="vd-Tunnel received a packet(proto=17, 172.16.11.11:53->10.220.16.10:49315) from RT1. "
id=20085 trace_id=385 func=init_ip_session_common line=4527 msg="allocate a new session-00002cf3"
id=20085 trace_id=387 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-00002cf2, reply direction"
id=20085 trace_id=387 func=udp_rcv line=980 msg="No socket found. Drop."
172.16.11.11 is a DNS server.
Any thoughts?
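As an added example (not from the original post and not Fortinet code), a small parser for FortiGate flow-trace output of the kind quoted above: it groups messages by trace_id (the interleaved trace_id=385 line belongs to a different packet), extracts the VDOM, 5-tuple and ingress interface, and reports which flow ended in a drop. The sample trace is the post's four lines, embedded here as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input: the four flow-trace messages from the post, one per line.
SAMPLE_TRACE = """\
id=20085 trace_id=387 func=print_pkt_detail line=4378 msg="vd-Tunnel received a packet(proto=17, 172.16.11.11:53->10.220.16.10:49315) from RT1. "
id=20085 trace_id=385 func=init_ip_session_common line=4527 msg="allocate a new session-00002cf3"
id=20085 trace_id=387 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-00002cf2, reply direction"
id=20085 trace_id=387 func=udp_rcv line=980 msg="No socket found. Drop."
"""

# key=value pairs; a quoted value (msg="...") is taken whole so '=' inside it is not re-split.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The "received a packet" message carries the VDOM, protocol, 5-tuple and ingress interface.
PKT_RE = re.compile(
    r'vd-(\S+) received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+?)\.?\s*$'
)

def parse_line(line):
    """Turn one flow-trace message into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def group_traces(text):
    """Group messages by trace_id, keeping step order, packet details and any drop."""
    traces = defaultdict(lambda: {"packet": None, "steps": [], "drop": None})
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        t = traces[rec.get("trace_id", "?")]
        func, msg = rec.get("func", ""), rec.get("msg", "")
        t["steps"].append((func, msg))
        m = PKT_RE.search(msg)
        if m:
            t["packet"] = {
                "vdom": m.group(1), "proto": int(m.group(2)),
                "src": f"{m.group(3)}:{m.group(4)}", "dst": f"{m.group(5)}:{m.group(6)}",
                "ingress": m.group(7),
            }
        if "Drop" in msg:  # the kernel's verdict line, e.g. "No socket found. Drop."
            t["drop"] = (func, msg)
    return dict(traces)

def dropped_flows(text):
    """Return (trace_id, packet, (func, msg)) for every trace that ended in a drop."""
    return [(tid, t["packet"], t["drop"]) for tid, t in group_traces(text).items() if t["drop"]]

if __name__ == "__main__":
    for tid, pkt, (func, msg) in dropped_flows(SAMPLE_TRACE):
        print(f"trace {tid}: {pkt['src']} -> {pkt['dst']} in vd-{pkt['vdom']} via {pkt['ingress']}: {func}: {msg}")
```

Run against a full `diagnose debug flow` capture, it lists only the traces that ended in a drop, with the function that dropped them, which is the line to read first when a reply packet never makes it back to the SSL VPN client.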
