arkroit
New Member
December 10, 2015
Question

SSL VPN Unreachable


I thought I followed all instructions to the letter, but my SSLVPN-portal is not available for the outside world.

If I add the internal port to the interface-list, I can reach the portal-pages from inside the network and I'm able to log on as I should, so everything there is working.

When I try to connect from the outside world, I get an 'unreachable'. Debugging the flow on the CLI, I notice that the packet is hitting rule 0 and is therefore blocked.

My config is as follows:

config firewall policy
  edit 14
    set srcintf "ssl.root"
    set dstintf "switch"
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "Local LAN"
    set action accept
    set schedule "always"
    set service "ALL"
    set groups "SSL_VPN_USERS"
    set nat enable
  next
end

config firewall policy
  edit 15
    set srcintf "ssl.root"
    set dstintf "wan1"
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set groups "SSL_VPN_USERS"
    set nat enable
  next
end

Other rules include forwarding of HTTP, HTTPS, SSH to two servers.

I am using a FortiGate 110C with OS version 5.2.5

Any suggestions?

Thanks in advance,

Dennis

    anil_nayak_FTNT
    Staff
    December 11, 2015

    Hello,

    As I see it, the issue is that the SSL-VPN portal page shows the error 'Server Unreachable' from WAN and works fine from LAN.

    Device is on v5.2

    Please check if you have added the WAN interface in the authentication policy (option in the CLI):

    config vpn ssl settings
    show full-configuration
    <--------------- check for authentication-rule, interface; should include WAN

    The firewall policy that you have posted above will be required for SSL VPN subnet access.

    Regards

    Anil

    arkroit (Author)
    New Member
    December 11, 2015

    Below are the results from the 'show full-config':

        config vpn ssl settings
        set reqclientcert disable
        set sslv2 disable
        set sslv3 enable
        set tlsv1-0 enable
        set tlsv1-1 enable
        set tlsv1-2 enable
        set ssl-big-buffer disable
        set ssl-insert-empty-fragment enable
        set ssl-client-renegotiation disable
        set force-two-factor-auth disable
        set servercert "STAR_arkro-it_nl"
        set algorithm default
        set idle-timeout 300
        set auth-timeout 28800
        set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
        set dns-suffix ''
        set dns-server1 0.0.0.0
        set dns-server2 0.0.0.0
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
        set ipv6-dns-server1 ::
        set ipv6-dns-server2 ::
        set ipv6-wins-server1 ::
        set ipv6-wins-server2 ::
        set route-source-interface disable
        set url-obscuration disable
        set http-compression disable
        set http-only-cookie enable
        set port 10443
        set port-precedence enable
        set auto-tunnel-static-route enable
        set source-interface "wan1"
        set source-address "all"
        set source-address-negate disable
        set source-address6 "all"
        set source-address6-negate disable
        set default-portal "web-access"
            config authentication-rule
                edit 1
                    set groups "SSL_VPN_USERS"
                    set portal "full-access"
                    set realm ''
                    set client-cert disable
                    set cipher any
                    set auth any
                next
            end
        end

    The odd thing that strikes me is that the traffic is blocked by the default rule. If I add the local LAN to the ports to listen to (so I get the message that it listens to 192.168.1.99:10443 *and* <externalip>:10443), I can connect from the inside. So basically everything seems to be working.
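As an added example (it is not part of this thread and not Fortinet code), the script below parses the `config` / `edit` / `set` / `next` / `end` layout in which `show full-configuration` output is quoted above and runs the checks the reply suggests: whether the WAN interface is among the SSL VPN listening interfaces, whether an `authentication-rule` maps a user group to a portal, and whether an accept policy with `srcintf ssl.root` covers that same group. The first sample input is the configuration posted in this thread (trimmed to the relevant keys); the second is a constructed variant that listens only on an interface I have named `internal`, so that a finding is produced. The function names `parse_fortios` and `check_sslvpn` are my own, and the parser handles only the keywords seen in this thread (it ignores `unset` and other FortiOS CLI keywords).

```python
# Added example: subset parser for FortiOS "show full-configuration" output
# plus the SSL VPN sanity checks suggested in the reply above. Not Fortinet
# code; function names and the LAN-only variant are assumptions/constructed.
import shlex

# Configuration quoted in the thread (SSL VPN settings trimmed to the relevant
# keys, plus the two firewall policies from the opening post).
THREAD_CONFIG = """
config vpn ssl settings
    set servercert "STAR_arkro-it_nl"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_USERS"
            set portal "full-access"
            set realm ''
        next
    end
end
config firewall policy
    edit 14
        set srcintf "ssl.root"
        set dstintf "switch"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Local LAN"
        set action accept
        set groups "SSL_VPN_USERS"
    next
    edit 15
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set groups "SSL_VPN_USERS"
    next
end
"""

# Constructed variant (not from the thread): SSL VPN bound only to a LAN-side
# interface named "internal", i.e. the WAN interface is missing.
LAN_ONLY_CONFIG = THREAD_CONFIG.replace('set source-interface "wan1"',
                                        'set source-interface "internal"')


def parse_fortios(text: str) -> dict:
    """Return nested dicts: table -> entry -> settings; every 'set' value is a list."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, *args = shlex.split(line)  # shlex handles the quoted values and ''
        cur = stack[-1]
        if kw in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        # 'unset' and other keywords are ignored by this subset parser


    return root


def check_sslvpn(cfg: dict, wan_if: str = "wan1") -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    ssl = cfg.get("vpn ssl settings", {})
    listen = ssl.get("source-interface", [])
    if wan_if not in listen:
        findings.append(f"SSL VPN does not listen on {wan_if}: source-interface={listen}")
    rules = ssl.get("authentication-rule", {})
    if not rules:
        findings.append("no authentication-rule: no user group is mapped to a portal")
    rule_groups = {g for r in rules.values() for g in r.get("groups", [])}
    policies = cfg.get("firewall policy", {})
    from_tunnel = {pid: p for pid, p in policies.items()
                   if "ssl.root" in p.get("srcintf", []) and p.get("action") == ["accept"]}
    if not from_tunnel:
        findings.append("no accept policy with srcintf ssl.root: tunnel traffic has nowhere to go")
    covered = {g for p in from_tunnel.values() for g in p.get("groups", [])}
    for g in sorted(rule_groups - covered):
        findings.append(f"group {g} has a portal but no accept policy from ssl.root")
    return findings


if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONFIG), ("lan-only", LAN_ONLY_CONFIG)):
        print(name, check_sslvpn(parse_fortios(text)) or ["OK"])
```

Run against the thread's own configuration the checks pass, which matches what the poster observes: the listener is bound to wan1 on port 10443 and the ssl.root policies exist, so the parsed settings alone do not explain the hit on rule 0. The LAN-only variant reports the missing WAN interface, which is the case the reply asks the poster to rule out.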