FortiGate
CarlosColombini
Article Id 281527
Description

This article describes an issue with connection failures when using IPv6 Geography address objects in SSL VPN settings.

By default, SSL VPN is accessible from all public IP addresses on the Internet. Administrators can restrict connections so that they are accepted only from certain countries, and Geography firewall address objects are used to support this scenario.

This works properly for IPv4 Geography address objects when configured as per the document below:

Technical Tip: Restricting SSL VPN connectivity from certain countries using firewall geography addr...

However, when performing the same configuration for IPv6 geography addresses, the connection will not succeed, regardless of the authentication method.

Scope

FortiGate and IPv6 Geography address objects.

Solution

This is a known issue registered under ID 964725 that has been investigated by Development.
This affects all versions of FortiOS at the time of this writing (FortiOS versions 6.4.14, 7.0.13, 7.2.6, and 7.4.1).

In the example below, only IPv6 addresses assigned to Australia are allowed to establish a connection:

[Image: sslvpn-ipv6-1.png]

Although the TCP and TLS traffic is accepted from an Australian IPv6 address, FortiGate will deny the connection because it fails to match the source address against any user or group.

The end user will be presented with the following error message from FortiClient.

[Image: sslvpn-ipv6-fct.png]

The end user will be presented with the following error message from a web browser.

[Image: sslvpn-ipv6-browser.png]

Debug logs from the FortiGate SSL VPN daemon will show 'no valid user or group candidate found'.

[Image: sslvpn-ipv6-debug.png]

From SSL VPN Events in FortiGate, the following entry will be recorded.

[Image: sslvpn-ipv6-log.png]

The workaround is to restrict the connections with an IPv6 local-in policy (local-in-policy6), as shown below.

[Image: sslvpn-ipv6-local-in-6.png]

Because the country restriction is now enforced by the IPv6 Local-In Policy, the SSL VPN settings can allow all IPv6 addresses.
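The following CLI configuration is an added example of the workaround described above; it is not taken from the article or its screenshots. It assumes the Internet-facing interface is named "wan1", that an IPv6 geography address object for Australia named "geo-AU-v6" already exists, and that SSL VPN listens on the default HTTPS port (443). The interface and object names are assumptions and must be replaced with the real ones.

```text
# Added example: IPv6 local-in policy restricting SSL VPN to one country.
# Assumed names: interface "wan1", IPv6 geography address object "geo-AU-v6".
# Local-in policies are evaluated top-down, so the accept rule must precede
# the deny rule.
config firewall local-in-policy6
    edit 1
        set intf "wan1"
        set srcaddr "geo-AU-v6"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end

# With the restriction enforced by the local-in policy, the SSL VPN settings
# no longer reference the IPv6 geography object, which is what triggers the
# user-matching failure; any IPv6 source is allowed at this layer.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set port 443
end
```

Two points to verify before applying this on a production unit. First, if SSL VPN runs on a non-default port, the "HTTPS" service object (TCP/443) must be replaced by a custom service matching that port, otherwise the deny rule will not cover the SSL VPN listener. Second, the deny rule matches all HTTPS traffic to the interface, so HTTPS administrative access on "wan1" from non-Australian IPv6 addresses is blocked as well; confirm that administrative access paths are not affected. The IPv4 side is untouched: the IPv4 geography restriction in the SSL VPN settings continues to work as described in the linked IPv4 article.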

Note:

Starting from FortiGate v7.6.0, the Local-in Policy can also be configured in the GUI. Refer to this article for more information:

Technical Tip: Creating a Local-In policy (IPv4 and IPv6) on GUI