TheUsD
Visitor III
September 18, 2020
Question

VM SSL Issue

  • September 18, 2020
  • 1 reply
  • 9256 views

I am using the FortiGate VM 6.4.2 evaluation for practice (SSL-VPN is said to be supported with the evaluation license), but the FortiGate is not accepting its own generic cert. I am getting the following errors and am not sure why.

Note: "xxx.xxx.xxx.xxx" is the remote public IP address of the device that is using the FortiClient VPN and attempting to SSL-VPN in.

I have attempted the following:

1) Override the MTU to 1500 (there were posts saying that even though the default is 1500, they had to do this).
2) Set ssl-max-proto-ver tls1-0, -1, -2 and -3.
3) I have read of people changing the algorithm to medium, but those were running earlier versions, using the following command:

    conf ssl settings set algorithm medium

    [9165:root:c6]allocSSLConn:298 sconn 0x7ffa57e17a00 (0:root)
    [9165:root:c6]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
    [9165:root:c6]SSL state:before SSL initialization:DH lib(xxx.xxx.xxx.xxx)
    [9165:root:c6]SSL_accept failed, 5:(null)
    [9165:root:c6]Destroy sconn 0x7ffa57e17a00, connSize=0. (root)
    [9165:root:c7]allocSSLConn:298 sconn 0x7ffa57e17a00 (0:root)
    [9165:root:c7]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
    [9165:root:c7]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
    [9165:root:c7]client cert requirement: no
    [9165:root:c7]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
    [9165:root:c7]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
    [9165:root:c7]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
    [9165:root:c7]SSL state:SSLv3/TLS write key exchange (xxx.xxx.xxx.xxx)
    [9165:root:c7]SSL state:SSLv3/TLS write server done (xxx.xxx.xxx.xxx)
    [9165:root:c7]SSL state:SSLv3/TLS write server done:system lib(xxx.xxx.xxx.xxx)
    [9165:root:c7]SSL state:SSLv3/TLS write server done:DH lib(xxx.xxx.xxx.xxx)
    [9165:root:c7]SSL_accept failed, 5:(null)
    [9165:root:c7]Destroy sconn 0x7ffa57e17a00, connSize=0. (root)

Thanks in advance!
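To see at a glance how far each connection's TLS handshake got before the server gave up, here is an added Python helper (not from the post and not Fortinet's own tooling) that parses the `[pid:vdom:connid]` debug lines quoted above, groups them by connection id, and reports the last recorded SSL state before `SSL_accept failed`. The sample log is constructed from the post's own lines, with the same redacted peer address.

```python
import re

# Constructed sample: the SSL-VPN debug lines quoted in the post, one per line.
SAMPLE_LOG = """\
[9165:root:c6]allocSSLConn:298 sconn 0x7ffa57e17a00 (0:root)
[9165:root:c6]SSL state:before SSL initialization (xxx.xxx.xxx.xxx)
[9165:root:c6]SSL state:before SSL initialization:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c6]SSL_accept failed, 5:(null)
[9165:root:c6]Destroy sconn 0x7ffa57e17a00, connSize=0. (root)
[9165:root:c7]allocSSLConn:298 sconn 0x7ffa57e17a00 (0:root)
[9165:root:c7]SSL state:SSLv3/TLS read client hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server hello (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write certificate (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write key exchange (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done (xxx.xxx.xxx.xxx)
[9165:root:c7]SSL state:SSLv3/TLS write server done:DH lib(xxx.xxx.xxx.xxx)
[9165:root:c7]SSL_accept failed, 5:(null)
"""

# Line shape: "[pid:vdom:connid]message"; state lines end with "(peer)".
LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>\w+):(?P<conn>c\d+)\](?P<msg>.*)$")
STATE_RE = re.compile(r"^SSL state:(?P<state>.*?)\s*\((?P<peer>[^)]*)\)\s*$")
FAIL_RE = re.compile(r"^SSL_accept failed, (?P<code>.*)$")


def summarize_handshakes(log_text):
    """Return conn -> {peer, states, error}: the ordered SSL states seen on
    that connection and the SSL_accept failure code (None if no failure)."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a debug line (blank, CLI echo, etc.)
        entry = conns.setdefault(m["conn"], {"peer": None, "states": [], "error": None})
        s = STATE_RE.match(m["msg"])
        if s:
            entry["states"].append(s["state"])
            entry["peer"] = s["peer"]
            continue
        f = FAIL_RE.match(m["msg"])
        if f:
            entry["error"] = f["code"]
    return conns


def failure_points(log_text):
    """conn -> last SSL state recorded before SSL_accept failed."""
    return {c: e["states"][-1] for c, e in summarize_handshakes(log_text).items()
            if e["error"] is not None and e["states"]}
```

For the lines in the post, both connections stop right after a "DH lib" state, so the failure sits at the key-exchange step rather than at certificate presentation.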


    boneyard
    Valued Contributor
    September 19, 2020

    In general SSL is almost not, or even not, supported on the 14-day evaluation license.


    When I spin one up I, against best practice, just enable HTTP for management. Trying to get HTTPS working is near impossible; if at all, it uses a silly low setting which no browser will accept.


    SSLVPN requires HTTPS, so it might be there config-wise, but I expect you won't get it to work if you can't switch to HTTP instead, which seems not possible.

    TheUsD (Author)
    Visitor III
    September 19, 2020

    Boneyard, while I agree with you that HTTPS management is not included, documentation from FG does not mention anything about the SSL-VPN. The expectations were laid out pretty clearly in their documentation located on their site:

    "The FortiGate-VM includes a limited, 15-day evaluation license that supports:

      • 1 CPU maximum
      • 1024 MB memory maximum
      • Low encryption only (no HTTPS administrative access)      <---- This is just GUI administrative access. I am not using the portal but instead using FortiClient
      • Security protection:
        With the built-in signatures that the evaluation license includes, you can use the following features:
          • IPS
          • AntiVirus
          • Industrial DB
        The following features do not have built-in signatures:
          • Security rating
          • Antispam
          • Web Filter
        Features related to FortiGuard access are not available. Go to System > FortiGuard in FortiOS for details.
      • VDOM:
          • You can enable split-task VDOM in the CLI.
          • You cannot enable multi-VDOM.

    Note the following:

      • Attempting to upgrade the FortiGate firmware locks the GUI until you upload a full license.
      • The evaluation license does not include technical support.
      • The trial period begins the first time that you start the FortiGate-VM.
      • After the trial license expires, functionality is disabled until you upload a full license file.
      • Features available in the evaluation state may change without prior notice."


    I'm trying not to rule out the SSL-VPN as not usable until there's some definitive proof. :)

    boneyard
    Valued Contributor
    September 20, 2020

    If you want a definitive answer then Fortinet support is the way to go. You were able to download this, so you have access to support, right?


    For reference, that document, https://docs.fortinet.com...-vm-evaluation-license, doesn't state there is a maximum amount of firewall policies within the 15-day evaluation, and there certainly is. 100% clear and complete documentation is rare.