I thought I followed all instructions to the letter, but my SSLVPN-portal is not available for the outside world.
If I add the internal port to the interface-list, I can reach the portal-pages from inside the network and I'm able to log on as I should, so everything there is working.
When I try to connect from the outside world, I get an 'unreachable'. Debugging the flow on the CLI, I notice that the packet is hitting rule 0 and is therefor blocked.
My config is as follows:
config firewall policy edit 14 set srcintf "ssl.root" set dstintf "switch" set srcaddr "SSLVPN_TUNNEL_ADDR1" set dstaddr "Local LAN" set action accept set schedule "always" set service "ALL" set groups "SSL_VPN_USERS" set nat enable next end
config firewall policy edit 15 set srcintf "ssl.root" set dstintf "wan1" set srcaddr "SSLVPN_TUNNEL_ADDR1" set dstaddr "all" set action accept set schedule "always" set service "ALL" set groups "SSL_VPN_USERS" set nat enable next end
Other rules include forwarding of HTTP, HTTPS, SSH to two servers.
config vpn ssl settings set reqclientcert disable set sslv2 disable set sslv3 enable set tlsv1-0 enable set tlsv1-1 enable set tlsv1-2 enable set ssl-big-buffer disable set ssl-insert-empty-fragment enable set ssl-client-renegotiation disable set force-two-factor-auth disable set servercert "STAR_arkro-it_nl" set algorithm default set idle-timeout 300 set auth-timeout 28800 set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1" set dns-suffix '' set dns-server1 0.0.0.0 set dns-server2 0.0.0.0 set wins-server1 0.0.0.0 set wins-server2 0.0.0.0 set ipv6-dns-server1 :: set ipv6-dns-server2 :: set ipv6-wins-server1 :: set ipv6-wins-server2 :: set route-source-interface disable set url-obscuration disable set http-compression disable set http-only-cookie enable set port 10443 set port-precedence enable set auto-tunnel-static-route enable set source-interface "wan1" set source-address "all" set source-address-negate disable set source-address6 "all" set source-address6-negate disable set default-portal "web-access" config authentication-rule edit 1 set groups "SSL_VPN_USERS" set portal "full-access" set realm '' set client-cert disable set cipher any set auth any next end end
The odd thing that strikes me is that the traffic is blocked by the default rule. If I add the local lan to the ports to listen to (so I get the message that it listens to 192.168.1.99:10443 *and* <externalip>:10443), I can connect from the inside. So basicly everything seems to be working.