VernalCityIT
New Member
January 6, 2025
Solved

SSL-VPN not allowing IPv6 connections after setting to "Limit access to specific hosts"


I am attempting to limit access to our SSL-VPN to only specific IP addresses.  It works great for IPv4, but any clients on AT&T mobile internet don't work because they receive an IPv6 public IP address. 

 


 

I tried adding the public IPv6 addresses to the allowed hosts, but it still will not allow the connection; it just says "Unable to establish the VPN connection. The VPN server may be unreachable".

For troubleshooting I added the "all" IPv6 addresses object to the allowed addresses group, but it still will not allow a connection.

I can't find where in the logs these blocked connections would be so that I can troubleshoot the issue.

 

My questions are:

Is there something else I need to do in the settings on the FortiGate-101F to allow these IPv6 connections?

Where would I find the logs of connections blocked by the "Limit access to specific hosts" setting?

Best answer by Dhruvin_patel

Greetings! 

 

This is the case once the user gets connected with IPv6. Can you share the output of

 get vpn ssl monitor

The interface shouldn't accept the connection if no IPv6 address is assigned to the listening interface configured in SSL VPN settings.

 

 

 


dingjerry_FTNT
Staff
January 6, 2025

Hi @VernalCityIT ,

 

What interface on your FGT is listening for SSL VPN connections? Do you have an IPv6 IP assigned to this interface?

VernalCityIT
New Member
January 6, 2025

It's a standard Ethernet 1GBs IPv4 connection to our local ISP. Our local ISP does not offer IPv6 addresses as far as I know. But I would not think that would be an issue, as it worked fine before I started restricting the addresses.

But I could reach out to the ISP and see if they can give us an IPv6 address, if you think that would help.

dingjerry_FTNT
Staff
January 6, 2025

Hi @VernalCityIT ,

 

Do you mean that when there was no restricted address configured, the IPv6 end-user was able to connect to SSL VPN?

I don't think so. If there is no IPv6 IP assigned to the interface listening to the SSL VPN connection, the interface will not accept the IPv6 SSL VPN connection.