FortiGate
MichaelTorres
Article Id 316413

 

Description

This article describes the issue and the solution when a captive portal configured on an interface blocks traffic that should be forwarded into an IPsec VPN tunnel.

Scope

All FortiOS versions.
Solution

Topology:

[Topology diagram: server in 192.168.0.x -> FortiGate Internal -> FortiGate External -> IPsec VPN -> server in 10.0.0.x]

 

A server in the 192.168.0.x network is trying to communicate with a server in the 10.0.0.x network.

This traffic passes through both FortiGates (Internal and External). It reaches FortiGate External, which drops it. The debug flow output on FortiGate External (diagnose debug flow) shows the following behavior:

 

FGT_External# id=20085 trace_id=228 func=print_pkt_detail line=5940 msg="vd-root:0 received a packet(proto=1, 192.168.0.2:1536->10.0.0.2:2048) tun_id=0.0.0.0 from PORT_LAN. type=8, code=0, id=1536, seq=0." --> The ICMP echo request arrives on PORT_LAN of the FortiGate.

id=20085 trace_id=228 func=iprope_dnat_check line=5338 msg="in-[PORT_LAN], out-[]" --> DNAT check and route lookup begin.

id=20085 trace_id=228 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-1.1.1.1 via VPN_PORT" --> A route via the IPsec interface VPN_PORT is found.

id=20085 trace_id=228 func=__iprope_check_one_policy line=2031 msg="checked gnum-100004 policy-20, ret-matched, act-accept" --> Policy 20 is evaluated in the forward policy group (gnum-100004) and matches with action accept.

id=20085 trace_id=228 func=__iprope_check_one_policy line=2248 msg="policy-2 is matched, act-accept"

id=20085 trace_id=228 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-1, ret-matched, act-drop, idx-0" --> The ingress interface is in captive-portal mode (is_captive-1), so the packet must come from an authenticated source before the policy action applies.

id=20085 trace_id=228 func=iprope_fwd_auth_check line=867 msg="iprope_auth_portal_check() result: ret-matched, act-drop" --> The source 192.168.0.2 has no authenticated session on the captive portal, so the authentication check returns drop.

id=20085 trace_id=228 func=fw_forward_handler line=726 msg="Denied by forward policy check (policy 0)" --> The packet is denied by the implicit deny policy (policy 0).

Firewall policy 20 allows any source, destination and service, the Phase 2 selectors are equally open, and the static route is installed correctly, so neither routing nor the policy is the cause. The packet is dropped because PORT_LAN is configured with security-mode captive-portal: every new session from an unauthenticated source on that interface must first authenticate through the portal. Only HTTP/HTTPS can be redirected to the portal login page; other traffic from an unauthenticated host, such as this server-to-server ICMP, is dropped and falls through to the implicit deny policy.

 

Interface PORT_LAN configuration:

 

edit "PORT_LAN"
    set security-mode captive-portal
    set security-groups "Group_test"

 

Solution.

In the FortiGate GUI, edit the interface (Network -> Interfaces -> PORT_LAN) and, in the captive portal settings, add the source segment (192.168.0.0/24) to the exempt sources so that hosts in that subnet bypass authentication.

[GUI screenshot: exempt sources on the interface captive portal settings]

 

In the CLI, first create a security exempt list containing the source segment (the list must exist before an interface can reference it), then bind it to the interface with set security-exempt-list. Note that srcaddr references a firewall address object; "192.168.0.0/24" here is the name of an address object covering that subnet (the GUI creates one with this name automatically), so create it under config firewall address if it does not exist yet. The resulting configuration:

FGT_External# config user security-exempt-list
    edit "port2-exempt-list"
        config rule
            edit 1
                set srcaddr "192.168.0.0/24"
            next
        end
    next
end

FGT_External# config system interface
    edit "PORT_LAN"
        set vdom "root"
        set type physical
        set security-mode captive-portal
        set security-exempt-list "port2-exempt-list"
        set security-groups "Group_test"
        set snmp-index 2
    next
end

 

After the modification, the debug flow for the same traffic shows:

 

FGT_External# id=20085 trace_id=238 func=print_pkt_detail line=5940 msg="vd-root:0 received a packet(proto=1, 192.168.0.2:2048->10.0.0.2:2048) tun_id=0.0.0.0 from PORT_LAN. type=8, code=0, id=2048, seq=0." --> The packet arrives on PORT_LAN of the FortiGate.

id=20085 trace_id=238 func=iprope_dnat_check line=5338 msg="in-[PORT_LAN], out-[]" --> DNAT check and route lookup begin.

id=20085 trace_id=238 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-1.1.1.1 via VPN_Port" --> A route via the IPsec interface VPN_Port is found.

id=20085 trace_id=238 func=__iprope_check_one_policy line=2248 msg="policy-20 is matched, act-accept" --> Policy 20 matches.

id=20085 trace_id=238 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-20" --> is_captive-0: the source is on the exempt list, so no captive portal authentication is required and the policy action (accept) stands.

id=20085 trace_id=238 func=fw_forward_handler line=888 msg="Allowed by Policy-20:" --> Policy 20 allows the traffic.

id=20085 trace_id=238 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface VPN_Port, tun_id=0.0.0.0" --> The packet is handed to the IPsec tunnel interface VPN_Port.

id=20085 trace_id=238 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel VPN_Port" --> The packet is sent into the IPsec tunnel VPN_Port.

id=20085 trace_id=238 func=esp_output4 line=874 msg="IPsec encrypt/auth" --> The packet is ESP-encrypted and authenticated and leaves through the tunnel.
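As an added example (not part of the article and not a Fortinet tool), the following Python script triages diagnose debug flow output such as the two traces above: it groups lines by trace_id, extracts the ingress interface, source and destination, the captive-portal check result, the final verdict and the IPsec tunnel, and reports which traces were dropped by the captive-portal check rather than by a firewall policy. The sample lines are constructed after the article's traces (trace 228 before the exempt list, trace 238 after); the strings it keys on (is_captive, act-drop, "Denied by forward policy check", "output to IPSec tunnel") are those shown on this page, and the function names are the example's own.

```python
"""Triage FortiOS `diagnose debug flow` output for captive-portal drops.

Added example, not Fortinet tooling. It groups debug flow lines by trace_id,
extracts the fields that matter for this article (ingress interface, source and
destination, captive-portal check result, final verdict, IPsec tunnel) and flags
traces dropped because the ingress interface demanded captive-portal
authentication.
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the two traces in the article: trace 228 before the
# exempt list existed, trace 238 afterwards. Not a capture from a live device.
SAMPLE = """\
FGT_External# id=20085 trace_id=228 func=print_pkt_detail line=5940 msg="vd-root:0 received a packet(proto=1, 192.168.0.2:1536->10.0.0.2:2048) tun_id=0.0.0.0 from PORT_LAN. type=8, code=0, id=1536, seq=0."
id=20085 trace_id=228 func=iprope_dnat_check line=5338 msg="in-[PORT_LAN], out-[]"
id=20085 trace_id=228 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-1.1.1.1 via VPN_PORT"
id=20085 trace_id=228 func=__iprope_check_one_policy line=2031 msg="checked gnum-100004 policy-20, ret-matched, act-accept"
id=20085 trace_id=228 func=__iprope_check_one_policy line=2248 msg="policy-20 is matched, act-accept"
id=20085 trace_id=228 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-1, ret-matched, act-drop, idx-0"
id=20085 trace_id=228 func=iprope_fwd_auth_check line=867 msg="iprope_auth_portal_check() result: ret-matched, act-drop"
id=20085 trace_id=228 func=fw_forward_handler line=726 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=238 func=print_pkt_detail line=5940 msg="vd-root:0 received a packet(proto=1, 192.168.0.2:2048->10.0.0.2:2048) tun_id=0.0.0.0 from PORT_LAN. type=8, code=0, id=2048, seq=0."
id=20085 trace_id=238 func=iprope_dnat_check line=5338 msg="in-[PORT_LAN], out-[]"
id=20085 trace_id=238 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-1.1.1.1 via VPN_Port"
id=20085 trace_id=238 func=__iprope_check_one_policy line=2248 msg="policy-20 is matched, act-accept"
id=20085 trace_id=238 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-20"
id=20085 trace_id=238 func=fw_forward_handler line=888 msg="Allowed by Policy-20:"
id=20085 trace_id=238 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface VPN_Port, tun_id=0.0.0.0"
id=20085 trace_id=238 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel VPN_Port"
id=20085 trace_id=238 func=esp_output4 line=874 msg="IPsec encrypt/auth"
"""

PROMPT_RE = re.compile(r"^\S+#\s*")                     # strips a leading "FGT_External# "
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="quoted value"
PKT_RE = re.compile(r"packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).* from (\S+)\.")
ROUTE_RE = re.compile(r"find a route: .* via (\S+)")
CAPTIVE_RE = re.compile(r"iprope_captive_check\(\): is_captive-(\d), ret-\w+, act-(\w+), idx-(\d+)")
VERDICT_RE = re.compile(r"(Denied|Allowed) by (?:forward policy check \(policy (\d+)\)|Policy-(\d+))")
TUNNEL_RE = re.compile(r"output to IPSec tunnel (\S+)")


def parse_trace_lines(text):
    """Group debug flow lines by trace_id and extract the fields of interest."""
    traces = OrderedDict()
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        tid = fields.get("trace_id")
        if tid is None:
            continue                                     # not a debug flow line
        t = traces.setdefault(tid, {
            "trace_id": tid, "src": None, "dst": None, "ingress": None, "route_if": None,
            "is_captive": None, "captive_act": None, "verdict": None, "policy": None,
            "tunnel": None,
        })
        msg = fields.get("msg", "")
        if m := PKT_RE.search(msg):                      # packet header: who, from where
            t["src"], t["dst"], t["ingress"] = m.group(2), m.group(4), m.group(6)
        elif m := ROUTE_RE.search(msg):                  # egress interface from the route lookup
            t["route_if"] = m.group(1)
        elif m := CAPTIVE_RE.search(msg):                # captive-portal check on the ingress interface
            t["is_captive"], t["captive_act"] = int(m.group(1)), m.group(2)
        elif m := VERDICT_RE.search(msg):                # final forward decision and policy id
            t["verdict"] = m.group(1)
            t["policy"] = m.group(2) or m.group(3)
        elif m := TUNNEL_RE.search(msg):                 # packet handed to an IPsec tunnel
            t["tunnel"] = m.group(1)
    return traces


def captive_portal_drops(traces):
    """Trace IDs dropped by the captive-portal check rather than by a firewall policy."""
    return [tid for tid, t in traces.items()
            if t["is_captive"] == 1 and t["captive_act"] == "drop" and t["verdict"] == "Denied"]


def explain(t):
    """One-line diagnosis for a parsed trace, naming the interface whose exempt list to fix."""
    head = f"trace {t['trace_id']}: {t['src']} -> {t['dst']} in on {t['ingress']}"
    if captive_portal_drops({t["trace_id"]: t}):
        return (f"{head}: dropped by the captive portal on {t['ingress']} (fell through to policy "
                f"{t['policy']}); add the source subnet to that interface's security-exempt-list "
                f"or have the host authenticate")
    if t["verdict"] == "Allowed":
        tail = f", sent into IPsec tunnel {t['tunnel']}" if t["tunnel"] else ""
        return f"{head}: allowed by policy {t['policy']}{tail}"
    return f"{head}: verdict {t['verdict']} by policy {t['policy']}"


if __name__ == "__main__":
    for trace in parse_trace_lines(SAMPLE).values():
        print(explain(trace))
```

Feed it the output of diagnose debug flow instead of SAMPLE (for example, from a file saved off the CLI session) to see at a glance whether a "Denied by forward policy check (policy 0)" is really a policy problem or a captive-portal drop, and on which interface the exempt list or authentication needs attention.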