Alex_cn
New Member
January 1, 2020
Question

Remote access with FortiClient issue and site to site working.

  • January 1, 2020
  • 3 replies
  • 18418 views

Hello guys,

I'm new on the forum. I have read a lot of your posts but I cannot solve my issue.

To explain my point as clearly as possible, first my configuration is as shown in the picture below.

[Image: Network1.jpg]

As you can see, I have 2 sites, one in France and one in China.

My site-to-site VPN is working well. But when it comes to creating remote access, either by SSL VPN or by IPsec VPN with FortiClient, I fail on both sites.

Both FortiGates are FG50E and have a similar configuration on 5.6 firmware. In France I have a fixed IP, which might be easier to set up, while in China I have a dynamic IP and use DDNS to create my site-to-site VPN.

I use an LDAP server to log in, which I configured on both FortiGates. It seems to work. But being unable to create a remote VPN, I also tried to use a local user, which also fails.

I tried several configurations of the remote IPsec VPN from the cookbook, tutorials from YouTube and older posts on the forum. But still no luck.

With all the articles I read, I guess I have more than one issue.

  • Both FortiGates are behind an ISP box, which might bring port forwarding issues and others.

    Concerning the French side, I have access to the configuration of the ISP box, but in China I don't have any access. And as I prefer to have a symmetric configuration so as not to get lost during maintenance, I prefer to avoid changing the ISP box configuration (bridge mode).

  • As I already have a site-to-site VPN up, there might be an issue in the IKE phase for the IPsec VPN, which I tried to solve by using aggressive mode of IKE version 1 with a specific peer ID. It works for the site-to-site VPN, but for the remote VPN with FortiClient 6.0.8.0261 still no way.

  • Concerning the SSL VPN, I am stuck completely. I guess it's mainly due to the ISP box, as my portal appears to be listening on the intermediate network 192.168.1.2.

I would appreciate any tips that I might try to set up my remote VPN.

    Alex_cn (Author)
    New Member
    January 2, 2020

    I didn't get any answer yet. But so far I'm reading the FortiOS handbook, 3596 pages lol.

    And I'm looking especially at the hub-and-spoke configuration.

    I'll keep you updated on my progress.

    Alex_cn (Author)
    New Member
    January 4, 2020

    Hello guys, I just want to bring you up to date.

    I spent the whole day on my topic yesterday and now I'm able to connect to my French site by SSL VPN. Unfortunately, I'm still not able to do it by IPsec VPN, and I didn't manage to connect to my Chinese site at all.

    I made several changes and tries. Below are the working settings of the SSL VPN.

     

    LDAP server:

  • Server IP: 200.200.200.10
  • Server port: 389
  • Common name identifier: samaccountname
  • Distinguished name: ou=xxx,dc=xxx
  • Bind type: Regular
  • User name: CN=xxx,CN=Users,DC=xxx,DC=local
  • Password: xxxx

    I tested the connectivity and it works well.

     

    Users:

  • User definition: remote LDAP users imported from the LDAP server.
  • User group: type firewall, with the necessary members.

    I defined it this way because I read somewhere that FortiGate has difficulty with LDAP groups which include sub-groups only and not the members directly.

     

    Addresses:

  • I defined a new IP range of addresses for the SSL VPN with the SSL interface on it.
  • I also defined a subnet for the SSL VPN with the SSL interface and static route configuration.

     

    Port:

  • First, set the admin HTTPS port to 10443 in the system settings.

     

    SSL Portal:

  • I deleted all portals and created new ones.
  • For tunnel_access:
      • Limit users to one SSL-VPN connection at a time: enable
      • Tunnel mode: enable
      • Enable split tunneling: disable
      • Source IP pools: the range created before.
      • Allow client to save password: enable
      • Allow client to connect automatically: enable
      • Allow client to keep connection alive: enable
      • Enable web mode: disable
      • Enable FortiClient download: enable
      • Customize download location: disable

     

    SSL settings:

  • Listen on interface: wan
  • Port: 443 (my web mode is listening at https://192.168.1.1, which is not my public IP)
  • Redirect HTTP to SSL-VPN: disable
  • Restrict access: allow access from any host
  • Idle logout: enable / inactive for 3600 seconds (default was 300 but my connection was dropping, and after this change everything works well)
  • Server certificate: Fortinet_Factory
  • Require client certificate: disable
  • Address range: specify custom IP range: the range created before.
  • DNS server: specify: 200.200.200.10 and 100.100.100.10 (those are my 2 internal DNS servers, one on each site. The sites are connected with a gateway-to-gateway tunnel. I specify DNS because the FortiGate DNS server is set to the FortiGuard server, as I use DDNS for the gateway-to-gateway VPN)
  • Specify WINS servers: disable
  • Allow endpoint registration: disable
  • Authentication/portal mapping: SSL users – tunnel_access, and all other users – web_access

     

    IPv4 Policy:

  • SSL Client to internet:
      • Incoming interface: SSL VPN tunnel
      • Outgoing interface: wan
      • Source: address all / group: SSL users
      • Destination: all
      • Schedule: always
      • Services: ALL
      • Action: accept
      • NAT: enable
      • IP pool configuration: use outgoing interface address
      • Security profiles: all disabled (I plan to set up my security profiles after everything is working well. It will be easier to troubleshoot, as the security profiles can block some access)
      • Enable this policy: enable
  • SSL Client to LAN:
      • Incoming interface: SSL VPN tunnel
      • Outgoing interface: lan
      • Source: address all / group: SSL users
      • Destination: FR_local
      • Schedule: always
      • Services: ALL
      • Action: accept
      • NAT: enable
      • IP pool configuration: use outgoing interface address
      • Security profiles: all disabled (same reason as above)
      • Enable this policy: enable

     

    Static routes:

  • Destination: named address: the subnet created before (with static route)
  • Gateway: 0.0.0.0
  • Interface: SSL VPN tunnel
  • Administrative distance: 10 (default value)
  • Status: enable
  • Priority: 1 (my gateway-to-gateway static route has priority 0)

     

    Result: with FortiClient 6.0.8.0261, I can connect to my French site. I'm actually in China so the result is pretty slow, but it works.

    Next step is to duplicate those settings to the Chinese site; the difference would be the DDNS setting in FortiClient. After a couple of minutes to set everything up, the result is that I am still not able to connect. So I checked whether other settings were different between both FortiGates. And I found a few.

     

    I figured out in the address objects that the French FortiGate has 2 additional addresses compared to the Chinese one:

    Name: Auth.gfx.ms – type: FQDN – details: auth.gfx.ms – ref: 1 to deep-inspection

    Name: softwareupdate.vmware.com – type: FQDN – details: softwareupdate.vmware.com – ref: 1 to deep-inspection

     

    These 2 addresses are also listed in the wildcard FQDN and refer to deep-inspection SSL. It took me a while to remember that when I was setting up my site-to-site VPN I called support and we made those changes in the CLI console.

    Unfortunately, I'm not able to do it again on the other FortiGate. I'll try to figure it out.

     

    But so far, I can say that I'm not able to connect to my Chinese site by SSL due to one of these 3 things:

  • The Chinese site is behind the China Telecom box and the box doesn't allow the access.
  • The Chinese site has a dynamic IP and FortiClient doesn't resolve the FQDN to the IP.
  • Deep inspection isn't working on the Chinese site.

     

    Concerning the IPsec VPN, none of them are working. I read somewhere that it's due to the Great Chinese Firewall and that only SSL will work. That's the reason I focus on the SSL access. But I assume that's not really true, due to the fact that I have one site-to-site IPsec VPN working well.

    See you later for further updates.

    Alex_cn (Author)
    New Member
    January 5, 2020

    Some more updates today.

    So today I played around with the FQDN difference between my Chinese FTG and my French one.

    So, as the 2 FQDNs were linked to the deep inspection profile, which I cannot change in the 5.6 firmware, I decided to downgrade both FortiGates to 5.4.13.

    After playing around a bit, I figured out that if the address auth.gfx.ms is in a wildcard address then I cannot bring up my site-to-site VPN. But if the address is in a normal FQDN then it's working. So I set the auth.gfx.ms and softwareupdate.vmware.com addresses as FQDN on both FortiGates and then linked them again to the deep inspection profile.

    With those changes my site-to-site VPN is working and I can connect to the French site with SSL VPN. But still nothing possible on the Chinese site.

    Then, as I was playing with firmware, I decided to update both FortiGates to the latest release, 6.2.3, and play around a bit more, but still nothing possible. There are several changes in the GUI on 6.2.3, and the address auth.gfx.ms simply disappeared from the address list.

    I have no idea what that is, but I won't care much any longer. Now I'll focus on checking the ISP box (which is a router) settings. In France I have no problem changing things, as I have access, but in China there is no access to the box management. I'll contact the ISP tomorrow.
