IrbkOrrum
Explorer III
November 14, 2024
Question

SSLVPN on VDOM

  • November 14, 2024
  • 3 replies
  • 6632 views

I pressured my FortiNet rep into giving me a more fully functional trial license with some VDOMs so I could figure out how to configure VDOMs.  I've got the basic stuff configured.  I've figured out how to make the connections between the Root and the 2 VDOMs under the root.  I've figured out how to create a VIP from the root to 1 of the VDOMs for web hosting.  Now I'm trying to figure out SSLVPN.  One of my VDOMs will run SSLVPN (let's say VDOM-B).  I've followed the directions here https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-access-to-multiple-VDOMs/ta-p/223709 to tell that VDOM it's going to run on port 6443 as well as created all the rules shown in the link.

This is all being done within EVE-NG, it's a purely secluded network, no real traffic gets in or out. 

On a system that I'm trying to 'vpn' into the FortiGate with, if I try to browse to https://40.64.58.147:6443 (purely made up IP; one of the great things about EVE-NG is the ability to use 'real' IPs) and I have a sniffer running, I see the traffic coming in on both the Root and VDOM-B.  However, I'm not seeing any traffic going back out and I never get a login page.

When I check the SSL-VPN settings of VDOM-B, there is a message saying "the legacy SSL-VPN web mode feature is disabled globally.  Web mode will not be accessible in portals" so I figure 'ok, not really a site here I'll try to connect with a VPN client'.  So I get a client within EVE-NG loaded up with the FortiClient VPN ( 7.4.1.1736 if it makes any difference) and then I configured the VPN settings.  I tell it the remote gateway is 40.64.58.147, I check customize port and put in 6443.  I tell the FortiClient VPN to connect and it flashes for a second and then nothing.  I don't even think it's trying to connect.  The FortiClient logs are useless, even on debug.  They just say 'client disconnected'.  When I have a debug running on root, I don't even see a connection attempt that's being made to the FortiGate, so I think the FortiClient VPN isn't even trying to connect. 

Any ideas?  

3 replies

dingjerry_FTNT
Staff
November 14, 2024

Hi @IrbkOrrum ,

1) By default, FGT has 10 VDOMs for you to use.

2) Info is not clear:

When FortiClient connects to that 40.64.58.147 IP, where is it?  Is it in VDOM-B?  Will the traffic flow pass through the root VDOM?

3) Please capture debug outputs with the following in VDOM-B if 40.64.58.147 IP is in it:

diag debug application sslvpn -1
di de enable

Then please replicate the issue to get some outputs.

4) Then please run the following commands again to get more debug outputs:

diag debug application sslvpn 0
diag debug disable
diag debug flow show iprope enable
diag debug flow filter port 6443
diag debug flow trace start 1000
diag debug enable

Then please replicate this issue to get the outputs.

IrbkOrrum (Author)
Explorer III
November 14, 2024

1) No, in the perpetual trial license you only get 2 VDOMs, 1 traffic VDOM and 1 management VDOM.  In the more fully functional 2 month license Fortinet gave me, there still were only 2 VDOMs.  They had to give me a license for 5 VDOMs before I was able to start configuring anything.

2) "Root" VDOM is where all 'physical' interfaces are plugged in.  All traffic must run through the Root VDOM.

3) As it is EVE-NG, I cannot copy and paste.  One of the downfalls of EVE-NG is the inability to copy/paste into or out of it.  I can supply screenshots but I can save you the trouble.  There is nothing shown when the FortiClient attempts to connect.  I'm fairly sure that FortiClient isn't even making the connection.  I'm not sure if perhaps FortiClient needs to "phone home" to Fortinet before it will make any kind of connection attempt, and it has no 'real' internet access so it cannot do any kind of 'phone home'.

IrbkOrrum (Author)
Explorer III
November 14, 2024

Ok, well, true to Fortinet fashion, it seems https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-access-to-multiple-VDOMs/ta-p/223709 sort of left out the part about creating the firewall rule on VDOM-B as well; they just told you to create the firewall rule on the Root.  So I'm at least able to hit a webpage now (after I set 'sslvpn-web-mode enabled' under the global VDOM).  But the FortiClient still doesn't look like it even tries to connect.

dingjerry_FTNT
Staff
November 14, 2024

In the KB article, in the "Setup SSL-VPN on each internal VDOM" section, it is said:

Create the SSL-VPN policy accordingly.

If it still does not connect, please run the commands and steps I provided.

dingjerry_FTNT
Staff
November 14, 2024

Or at least please attach the FGT config.

vbandha
Staff
November 15, 2024

Hello @IrbkOrrum

Regarding your query, you should be able to open the SSL VPN login page through a browser even if web mode is disabled.

That would be a good tool to use for testing.

Can you show the sniffer output you were seeing in both VDOMs so we know the flow you are seeing?

The SSL debug you posted was showing an error code. Perhaps it is matching this:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-When-logging-in-with-SSL-VPN-the-error/ta-p/260630

"SSL routines::unexpected eof while reading"

Also check the route for return traffic, i.e. whether the internal VDOM has a route created to send traffic back.

You would need a default route pointing to the inter-VDOM link.

One other test you could use is to try pinging the interface where you are trying to set up SSL VPN. Make sure you enable Ping in Administrative Access:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Allow-ping-from-a-specific-IP-for-administrative/ta-p/198040

If the ping works then it might be some issue in the VPN; if the ping is failing then it may be a network connectivity issue.

Regards,

Varun
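The reply above suggests testing the listener from the client side (browse to the login page, watch for "unexpected eof while reading", check return routing) rather than only from the FortiClient logs. The following is an added example, not code from the thread, from Fortinet or from FortiClient: a small Python probe that does the TCP connect and TLS handshake by hand and reports which of the failure modes discussed here it hit. "no-response" is the symptom the original post describes (packets arrive, nothing comes back, which points at return routing or a missing policy on the VDOM); "refused" means the host answered but nothing listens on that port; "tls-eof" is the peer closing mid-handshake; "handshake-ok" means the listener is fine and the problem is authentication, portal or policy. The gateway address and port are command-line arguments (assumed, not taken from anyone's real network); the two local listeners at the bottom are constructed stand-ins so the module can be exercised offline and are not FortiGate behaviour.

```python
"""Client-side probe for an SSL-VPN listener (added example, not from the thread)."""
import socket
import ssl
import sys
import threading


def classify(exc: BaseException) -> str:
    """Map a connect/handshake exception to a diagnostic bucket."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "no-response"       # SYN sent, nothing came back
    if isinstance(exc, ConnectionRefusedError):
        return "refused"           # host answered with RST: nothing listens there
    if isinstance(exc, ConnectionResetError):
        return "reset"             # RST after the TCP handshake completed
    if isinstance(exc, ssl.SSLEOFError) or (
        isinstance(exc, ssl.SSLError) and "EOF" in str(exc).upper()
    ):
        return "tls-eof"           # peer closed before sending ServerHello
    if isinstance(exc, ssl.SSLError):
        return "tls-error"         # e.g. protocol or cipher mismatch
    if isinstance(exc, OSError):
        return "network-error"     # no route, name resolution failure, etc.
    raise exc


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """TCP connect plus TLS handshake. Certificate checks are off on purpose:
    a lab gateway presents the factory certificate, and we only want to know
    whether the listener answers at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"result": "handshake-ok",
                        "tls_version": tls.version(),
                        "cert_bytes": len(der)}
    except Exception as exc:
        return {"result": classify(exc), "detail": repr(exc)}


def _eof_server():
    """Constructed stand-in (not a FortiGate) for a listener that drops the
    handshake: accepts, drains the ClientHello, then closes cleanly with a FIN."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(0.5)
        try:
            while conn.recv(4096):   # drain so the close is a FIN, not an RST
                pass
        except socket.timeout:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return host, port


def _closed_port():
    """Constructed stand-in: a loopback port that was just released, so a
    connect to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return "127.0.0.1", port


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print("eof stand-in:", probe(*_eof_server()))
        print("closed port:", probe(*_closed_port()))
```

Run it as `python3 sslvpn_probe.py <gateway-ip> 6443` from the same client that runs FortiClient; with no arguments it only exercises the two local stand-ins. A "no-response" against the real gateway while the sniffer shows the SYN arriving in VDOM-B is the return-path problem the reply describes, and is worth checking before spending more time on FortiClient.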

IrbkOrrum (Author)
Explorer III
November 15, 2024

Honestly, I've given up on the SSLVPN.  I'm not sure if the issue is because of certificates (which I really can't do anything about) or what.  So I've reset my lab to factory default and I'm now attempting remote access with IPsec VPN.  This I've gotten to work when I'm not trying to pass just 1 particular port.  I've just allowed all the traffic in and the IPsec VPN is working.  The thing that I need to test next is whether I can have multiple people use the IPsec VPN at the same time.