ap6666
New Member
October 4, 2022
Question

SSL VPN failed on the new KVM version in EVE-NG

  • October 4, 2022
  • 2 replies
  • 2306 views

Hey there,


I've just started playing around with FortiGate on the EVE-NG platform. I set up a basic SSL VPN configuration, but when I connected FortiClient, it said "The VPN Server may be unreachable (-5)" and got stuck at connecting status: 40%. The debug output on the firewall is below (192.168.0.34 is the source IP of the VPN client).

Is it a configuration issue, or do I need a license to use this firewall?

The firmware is v7.2.


FortiGate-VM64-KVM # [300:root:8]allocSSLConn:303 sconn 0x7f491c61d300 (0:root)
 [300:root:8]SSL state:before SSL initialization (192.168.0.34)
 [300:root:8]SSL state:before SSL initialization:DH lib(192.168.0.34)
 [300:root:8]SSL_accept failed, 5:(null)
 [300:root:8]Destroy sconn 0x7f491c61d300, connSize=0. (root)
 [300:root:9]allocSSLConn:303 sconn 0x7f491c61d300 (0:root)
 [300:root:9]SSL state:before SSL initialization (192.168.0.34)
 [300:root:9]SSL state:before SSL initialization (192.168.0.34)
 [300:root:9]no SNI received
 [300:root:9]client cert requirement: no
 [300:root:9]SSL state:SSLv3/TLS read client hello (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write server hello (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write certificate (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write key exchange (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write server done (192.168.0.34)
 [300:root:9]SSL state:SSLv3/TLS write server done:system lib(192.168.0.34)
 [300:root:a]allocSSLConn:303 sconn 0x7f491c61e700 (0:root)
 [300:root:9]SSL state:SSLv3/TLS write server done:DH lib(192.168.0.34)
 [300:root:9]SSL_accept failed, 5:(null)
 [300:root:9]Destroy sconn 0x7f491c61d300, connSize=1. (root)
 [300:root:a]SSL state:before SSL initialization (192.168.0.34)
 [300:root:a]SSL state:before SSL initialization (192.168.0.34)
 [300:root:a]no SNI received
 [300:root:a]client cert requirement: no
 [300:root:a]SSL state:SSLv3/TLS read client hello (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write server hello (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write certificate (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write key exchange (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write server done (192.168.0.34)
 [300:root:a]SSL state:SSLv3/TLS write server done:DH lib(192.168.0.34)
 [300:root:a]SSL_accept failed, 5:(null)
 [300:root:a]Destroy sconn 0x7f491c61e700, connSize=0. (root)
 dia deb disa
  
 FortiGate-VM64-KVM #
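A small parser for the debug output quoted in the question, added here as an example (it is not part of the original post or of Fortinet's tooling): it groups lines by their [pid:vdom:conn] tag, records how far each TLS handshake got, and states where it stopped. It assumes the number after "SSL_accept failed" is the OpenSSL SSL_get_error() code (5 = SSL_ERROR_SYSCALL, i.e. the peer closed the socket), and the sample lines are a constructed abbreviation of the log above.

```python
import re

# Constructed sample: an abbreviated copy of the debug output quoted above
# (same line format; two handshake attempts from 192.168.0.34).
SAMPLE_LOG = """\
[300:root:8]SSL state:before SSL initialization (192.168.0.34)
[300:root:8]SSL state:before SSL initialization:DH lib(192.168.0.34)
[300:root:8]SSL_accept failed, 5:(null)
[300:root:9]SSL state:before SSL initialization (192.168.0.34)
[300:root:9]no SNI received
[300:root:9]SSL state:SSLv3/TLS read client hello (192.168.0.34)
[300:root:9]SSL state:SSLv3/TLS write certificate (192.168.0.34)
[300:root:9]SSL state:SSLv3/TLS write server done (192.168.0.34)
[300:root:9]SSL state:SSLv3/TLS write server done:DH lib(192.168.0.34)
[300:root:9]SSL_accept failed, 5:(null)
"""
# [pid:vdom:conn]message; conn is a hex counter tying one handshake's lines together
LINE_RE = re.compile(r"\[(\d+):([^:\]]+):([0-9a-f]+)\](.*)$")
STATE_RE = re.compile(r"^SSL state:(.+?)\s*\((\d+\.\d+\.\d+\.\d+)\)")
FAIL_RE = re.compile(r"^SSL_accept failed, (\d+)")
# OpenSSL SSL_get_error() values (assumption: the number after 'failed' is that code)
SSL_ERRORS = {1: "SSL_ERROR_SSL", 5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}

def parse_sslvpn_debug(text):
    """Group lines per connection id and record each handshake's progress."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # typed commands and the CLI prompt carry no [pid:vdom:conn] tag
            continue
        conn, msg = m.group(3), m.group(4).strip()
        c = conns.setdefault(conn, {"client": None, "states": [], "sni": True, "error": None})
        if sm := STATE_RE.match(msg):
            c["states"].append(sm.group(1).strip())
            c["client"] = sm.group(2)
        elif msg == "no SNI received":
            c["sni"] = False
        elif fm := FAIL_RE.match(msg):
            c["error"] = SSL_ERRORS.get(int(fm.group(1)), "code " + fm.group(1))
    return conns

def diagnose(c):
    """Say where a failed handshake stopped, as seen from the FortiGate side."""
    if c["error"] is None:
        return "no SSL_accept failure recorded"
    if not any(s.endswith("read client hello") for s in c["states"]):
        return f"{c['error']} before any ClientHello was read"
    if any(s.startswith("SSLv3/TLS write server done") for s in c["states"]):
        return f"{c['error']} after certificate and ServerHelloDone were sent: client did not continue"
    return f"{c['error']} at state '{c['states'][-1]}'"
```

Run `diagnose()` over each entry of `parse_sslvpn_debug(SAMPLE_LOG)` to see that connection 8 died before a ClientHello arrived while connection 9 died only after the FortiGate had sent its certificate, which is the point at which a client that refuses the certificate drops the session.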

2 replies

AEK
SuperUser
October 5, 2022

Basically, you can do many, many things with a FGT physical appliance without a license; however, you can do almost nothing with a FGT VM without a license.


AEK
Debbie_FTNT
Staff & Editor
October 5, 2022

Hey ap6666,

A (maybe a bit stupid) question - I assume your FortiGate is using the default server certificate for SSLVPN?

Is it possible that at 40% you're getting a pop-up in FortiClient (this might only be in the background - check in your task bar if there's a second FortiClient tab) prompting you to trust the FortiGate's certificate?

I frequently have that issue when setting up new labs with SSLVPN, and FortiClient gets stuck at 40%; I need to manually click on FortiClient in the task bar to bring up the certificate warning and accept it.

ap6666 (Author)
New Member
October 5, 2022

Thank you all,

It is a license issue.