thePunk
New Member
July 29, 2021
Question

SSL VPN not found on VDOM(no root) NPU

Hello!

I manage a VDOM (not root) that is HW accelerated with NP6XLite on a Fortigate 100F (FortiOS 6.2.9).

I created a VPN as indicated in the cookbook titled "SSL VPN split tunnel for remote user" (https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/307303/ssl-vpn-split-tunnel-for-remote-user).

Instead of wan as Listen on Interface(s), I put the accelerated processor interface NPU_vlink1 (IP 172.10.12.2);

and in Listen on Port I set 20443.

A tip box informs me that "Web mode access will be listening at https://172.10.12.2:20443".

But 172.10.12.2:20443 is a port on the internal interface of my NPU_vlink1,

so I cannot reach it from outside the firewall (internet).

If I nmap it:

    nmap -p 20443 195.67.64.22

I see:

    port         state
    20443/tcp    filtered

What do I need to do to expose my VPN server on the internet?

Do you have some tips?

Thank You!

P.


    Toshi_Esumi
    SuperUser
    July 29, 2021

    If you want to terminate access at a vdom, regardless of whether it's for VPN or any other service, you need to have either a routable public IP on an interface (vdom-link in your case) in the vdom or a VIP (20443) forwarded from a public IP facing the internet to the interface (vdom-link).

    thePunk (Author)
    New Member
    July 30, 2021
    Hello Mr. Esumi,

    thank you for your answer!

    This procedure works if I want to terminate a classical service like ssh or http.

    For example, I do a port forwarding from my VDOM (not root) interface (NPU_vlink1; 172.10.12.2:22222) to my local interface (internal_interface; 192.168.130.2:22),

    so if I want to connect from the internet with

        ssh -p 22222 user@195.67.64.22

    the port forwarding connects me to port 22 of my internal host 192.168.130.2.

    I think the scheme is:

                     wan                    -   NPU_vlink0 ------ NPU_vlink1   -   internal_interface
        ssh -p 22222 user@195.67.64.22      ->  172.10.12.2:22222              ->  192.168.130.2:22

    So I tried it for SSL VPN.

    I do a port forwarding from my VDOM (not root) interface (NPU_vlink1; 172.10.12.2:20443) to my local interface (internal_interface; 192.168.130.2:22),

                     wan                    -   NPU_vlink0 ------ NPU_vlink1   -   internal_interface
        195.67.64.22:20443                  ->  172.10.12.2:20443              ->  192.168.130.1:20443

    But this procedure does not work.

    nmap (nmap -p 20443 195.67.64.22) tells me:

        port         state
        20443/tcp    filtered

    Do you have other tips?

    Thank you!

    P.

    PS:

        VDOM(root)   ----   VDOM(not root)
             |                    |
        NPU_vlink0  ------  NPU_vlink1

    Toshi_Esumi
    SuperUser
    July 30, 2021

    Why do you want to terminate the SSL VPN at the internal interface of your vdom? That might not work if it's not coming from the outside (LAN side) of the interface. At least it would require a policy to come through the vdom to reach the interface.

    It's supposed to be VIPed to your npu_vlink1 side (172.10.12.2) from the external interface. Then the VDOM can terminate the VPN there.