Created on 05-21-2024 10:56 PM Edited on 05-21-2024 10:57 PM By Jean-Philippe_P
Description: This article describes the issue and the solution when a captive portal blocks VPN traffic.
Scope: All FortiOS versions.
Solution:
Topology:
The server in network 192.168.0.x is trying to establish communication with the server in network 10.0.0.x. This traffic passes through both FortiGates (Internal and External). The traffic arrives at FortiGate External; however, FortiGate External blocks it, and the following behavior is visible in the debug flow output:
FGT_External #
id=20085 trace_id=228 func=print_pkt_detail line=5940 msg="vd-root:0 received a packet(proto=1, 192.168.0.2:1536->10.0.0.2:2048) tun_id=0.0.0.0 from PORT_LAN. type=8, code=0, id=1536, seq=0." --> packet arrives at the FortiGate
id=20085 trace_id=228 func=iprope_dnat_check line=5338 msg="in-[PORT_LAN], out-[]" --> DNAT check (none applies); the route and policy lookup follows
Firewall policy 20 allows all sources, destinations and services, and the IPsec (phase 2) selectors are also all-all. The static route was correctly installed, so neither routing nor the policy explains the drop; the packet is being held for captive portal authentication on PORT_LAN, which a server without a browser can never complete.
Interface PORT_LAN configuration:
    edit "PORT_LAN"
Solution: in the FortiGate GUI, exempt the source segment from captive portal authentication in the configuration of the interface on which the captive portal is enabled (PORT_LAN).
In the CLI, modify the following (review the current interface settings first, then define the exempt list):
FGT_External # config system interface
    edit "port_lan"
        show
    end
config user security-exempt-list
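The following is an added, complete example of the CLI change, not the configuration from the original article. The address object names (SRV_LAN, VPN_REMOTE), the exempt list name (EXEMPT_VPN_SERVERS), the /24 masks and the use of the "ALL" service are assumptions chosen for illustration; replace them with the real objects and, where possible, narrow the rule to the exact hosts and services that need to cross the VPN, since every packet matched by the exempt list bypasses captive portal authentication on that interface.

```text
# Added example, not the article's own configuration.
# Names, masks and the "ALL" service are assumptions; narrow them to the real servers/services.

# 1. Address objects for the two server segments
config firewall address
    edit "SRV_LAN"
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "VPN_REMOTE"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# 2. Exempt list: only SRV_LAN -> VPN_REMOTE traffic skips the captive portal
config user security-exempt-list
    edit "EXEMPT_VPN_SERVERS"
        config rule
            edit 1
                set srcaddr "SRV_LAN"
                set dstaddr "VPN_REMOTE"
                set service "ALL"
            next
        end
    next
end

# 3. Attach the exempt list to the interface running the captive portal
config system interface
    edit "PORT_LAN"
        set security-mode captive-portal
        set security-exempt-list "EXEMPT_VPN_SERVERS"
    next
end

# 4. Verify: the debug flow must now report "is_captive-0" for the exempted flow
diagnose debug flow filter saddr 192.168.0.2
diagnose debug flow filter daddr 10.0.0.2
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic from 192.168.0.2 towards 10.0.0.2, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

After the change, the line from iprope_fwd_auth_check should read "is_captive-0" and be followed by "Allowed by Policy-20" and the IPsec output functions; if "is_captive-1" still appears, the packet did not match the exempt list rule (check that the source and destination address objects actually cover the hosts seen in the debug output).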
After the modification, the debug flow output shows:
FGT_External #
id=20085 trace_id=238 func=print_pkt_detail line=5940 msg="vd-root:0 received a packet(proto=1, 192.168.0.2:2048->10.0.0.2:2048) tun_id=0.0.0.0 from PORT_LAN. type=8, code=0, id=2048, seq=0." --> packet arrives at the FortiGate
id=20085 trace_id=238 func=iprope_dnat_check line=5338 msg="in-[PORT_LAN], out-[]" --> DNAT check (none applies)
id=20085 trace_id=238 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-1.1.1.1 via VPN_Port" --> route found through the IPsec interface VPN_Port
id=20085 trace_id=238 func=__iprope_check_one_policy line=2248 msg="policy-20 is matched, act-accept" --> policy 20 matches
id=20085 trace_id=238 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-20" --> is_captive-0: the packet is exempt from captive portal authentication
id=20085 trace_id=238 func=fw_forward_handler line=888 msg="Allowed by Policy-20:" --> policy 20 allows the traffic
id=20085 trace_id=238 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface VPN_Port, tun_id=0.0.0.0"
id=20085 trace_id=238 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel VPN_Port" --> packet is handed to the IPsec tunnel interface
id=20085 trace_id=238 func=esp_output4 line=874 msg="IPsec encrypt/auth" --> packet is encrypted with ESP and enters the IPsec tunnel
Copyright 2024 Fortinet, Inc. All Rights Reserved.