Skip to main content
ForgetItNet
ForgetItNet
Explorer II
November 29, 2022
Question

Using Fortinet 60F as SSL Client not dialling up

  • November 29, 2022
  • 3 replies
  • 3589 views

Hi all,

 

Someone kindly gave me a link to a guide to setup a 60F router as an SSL VPN client to connect to a 100F at our head office (we can't use IPSEC on this location)

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/508779/fortigate-as-ssl-vpn-client

I've followed the guide and gone through it many times but it's not working.

On the Head Office 100F (the server) I can see VPN logs for "SSL exit error" that come from the IP address of the 60F (the client) so I know it's doing something but that's all that is in there. From what I gather this is a test to make sure the client can see and communicate with the server and it then "should" dial up and connect but that's all I'm getting from the logs on the server router.

On the client (60F) all I'm getting is "Link Monitor: Interface SSL Interface was turned down"

If i enable debug on the client then it displays nothing but on the server i get:

SSL State: fatal certificate unknown (ip of the client)

SSL state:error:(null) (ip of the client)

SSL_accept failed, 1:sslv3 alert certificate unknown

I exported the cert and private key from the server and imported it onto the client and selected that in the SSL settings but is that right ?

Thanks in advance.

3 replies

Anthony_E
Staff
Anthony_E
Staff
December 2, 2022

Hello,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Best Regards
Markus_M
Staff & Editor
Markus_M
Staff & Editor
December 2, 2022

Hi ForgetItNet,

 

This is very likely an SSL/TLS error. To be sure, that is an encrypted tunnel that has to be established prior sending any data through it (like authentication etc. and whatever follows).

TLS can be established with different criterion, but one node receives a certificate from the other node and has to verify it.

More information here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-TLS-and-the-use-of-Digital-Certificates/ta-p/214958

The FortiGate is sending a server certificate to the client and the client has to have the signing certificate  to verify the server certificate. If the certificate chain is longer, all the public keys are to be presented.

 

Special note:

The private key NEVER has to be imported anywhere but the identifying node (webserver).

 

If the client is sending a certificate to the FortiGate for the configuration was set up that way, the same goes, the FortiGate has to verify what the client sends with the certificate that issued the client certificate.

valid chain:

client/server cert > Intermediate CA > Root CA

Example cases:

- client/server sends the cert, the other node needs to have the intermediate and root CA cert (public key only required).

- client/server sends the cert and intermediate, the other node needs to have the root CA cert (public key only required).

- client/server sends the cert, intermediate and root, the other node needs to have the root CA cert (public key only required).

 

If the client sends a cert AND the server sends its cert, likewise server AND client both need to verify what the other node sends.

 

Best regards,

 

Markus

ForgetItNet
ForgetItNetAuthor
Explorer II
December 2, 2022

Thanks Markus, I've managed to resolve this by creating a new PKI user and setting the CA on both sides and this has worked so all good. The only thing I'm having trouble with now is that the client side can see and browse the server side network fine but I can't ping or connect to the client side router from the server router ? I'm "assuming" I should be able to do this as I can ping laptops that connect to the SSL VPN using the software program but just not when the SSL VPN is established through the router ? Ping is enabled on all the interfaces on the client router and I've added firewall rules to allow everything ? This is not a major issue as such but we'd like to be able to manage these routers through the SSL VPN the same way we do the one's going through the IPSEC vpns ?

    Sam333
    Sam333
    Explorer
    August 10, 2023

    Hi ForgetItNet,

    you are having the same problem I am having now please help me how did you solve this problem? which pki certificate did you use. can you help me how to do it?
    thank you in advance

    Terms & ConditionsAccessibility statement