arkroit

SSL VPN Unreachable

I thought I followed all instructions to the letter, but my SSLVPN-portal is not available for the outside world.

If I add the internal port to the interface-list, I can reach the portal-pages from inside the network and I'm able to log on as I should, so everything there is working.

When I try to connect from the outside world, I get an 'unreachable'. Debugging the flow on the CLI, I notice that the packet is hitting rule 0 and is therefore blocked.

My config is as follows:

config firewall policy
  edit 14
    set srcintf "ssl.root"
    set dstintf "switch"
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "Local LAN"
    set action accept
    set schedule "always"
    set service "ALL"
    set groups "SSL_VPN_USERS"
    set nat enable
  next
end

config firewall policy
  edit 15
    set srcintf "ssl.root"
    set dstintf "wan1"
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set groups "SSL_VPN_USERS"
    set nat enable
  next
end

Other rules include forwarding of HTTP, HTTPS, SSH to two servers.

I am using a FortiGate 110C with OS version 5.2.5 

Any suggestions?

Thanks in advance,

Dennis

anil_nayak_FTNT

Hello,

As I see it, the issue is that the SSL-VPN portal page shows the error 'Server Unreachable' from the WAN and works fine from the LAN.

Device is on v5.2

Please check if you have added the WAN interface in the authentication policy; the option is in the CLI:

config vpn ssl setting
shows full-config
<--------------- check for authentication-rule, interface, should include WAN

The firewall policy that you have posted above will be required for sslvpn subnet access

Regards

Anil

arkroit

Below the results from the 'show full-config'

config vpn ssl settings
    set reqclientcert disable
    set sslv2 disable
    set sslv3 enable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set ssl-big-buffer disable
    set ssl-insert-empty-fragment enable
    set ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set servercert "STAR_arkro-it_nl"
    set algorithm default
    set idle-timeout 300
    set auth-timeout 28800
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set dns-suffix ''
    set dns-server1 0.0.0.0
    set dns-server2 0.0.0.0
    set wins-server1 0.0.0.0
    set wins-server2 0.0.0.0
    set ipv6-dns-server1 ::
    set ipv6-dns-server2 ::
    set ipv6-wins-server1 ::
    set ipv6-wins-server2 ::
    set route-source-interface disable
    set url-obscuration disable
    set http-compression disable
    set http-only-cookie enable
    set port 10443
    set port-precedence enable
    set auto-tunnel-static-route enable
    set source-interface "wan1"
    set source-address "all"
    set source-address-negate disable
    set source-address6 "all"
    set source-address6-negate disable
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_USERS"
            set portal "full-access"
            set realm ''
            set client-cert disable
            set cipher any
            set auth any
        next
    end
end

The odd thing that strikes me is that the traffic is blocked by the default rule. If I add the local LAN to the ports to listen to (so I get the message that it listens to 192.168.1.99:10443 *and* <externalip>:10443), I can connect from the inside. So basically everything seems to be working.
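Added example, written for this thread and not code from the poster or from Fortinet: a small audit script that reads a `config vpn ssl settings` block in the `show full-configuration` text form posted above and checks the two points Anil's reply asks about (is the WAN interface in `source-interface`, and does an `authentication-rule` admit the expected group), plus a check I added for legacy SSL/TLS versions left enabled on the portal. The parser (`parse_fortios`) and the audit function (`audit_sslvpn`) are my own names; the sample block is a shortened re-typing of the poster's config, so the interface, group and port values come from the thread. It does not diagnose the "rule 0" drop, which the thread does not resolve.

```python
"""Audit a FortiOS 'config vpn ssl settings' dump for listener and auth-rule sanity."""
import shlex

# Constructed sample: a shortened copy of the config block posted in the thread.
SAMPLE = """\
config vpn ssl settings
    set sslv2 disable
    set sslv3 enable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set servercert "STAR_arkro-it_nl"
    set port 10443
    set port-precedence enable
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_USERS"
            set portal "full-access"
            set realm ''
        next
    end
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config text into nested dicts.

    'config <name>' opens a table, 'edit <id>' opens an entry inside it,
    'set <key> <values...>' stores a list of values, 'next'/'end' close a level.
    shlex handles quoted values such as "Local LAN" and empty strings ('').
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            child = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(child)
        elif keyword == "edit":
            child = stack[-1].setdefault(tokens[1], {})
            stack.append(child)
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_sslvpn(cfg, wan_if, expected_group):
    """Return a list of findings (empty list means every check passed)."""
    settings = cfg["vpn ssl settings"]
    findings = []

    # 1. The portal only answers on interfaces listed in source-interface.
    listeners = settings.get("source-interface", [])
    if wan_if not in listeners:
        findings.append(f"portal does not listen on {wan_if}: source-interface={listeners}")

    # 2. Some authentication-rule must admit the group used by the firewall policies.
    rules = settings.get("authentication-rule", {})
    admitted = {g for rule in rules.values() for g in rule.get("groups", [])}
    if expected_group not in admitted:
        findings.append(f"no authentication-rule admits group {expected_group}")

    # 3. Legacy protocol versions enabled on an Internet-facing portal (my added check).
    for proto in ("sslv2", "sslv3", "tlsv1-0", "tlsv1-1"):
        if settings.get(proto, ["disable"]) == ["enable"]:
            findings.append(f"legacy protocol {proto} is enabled on the portal")

    return findings


if __name__ == "__main__":
    config = parse_fortios(SAMPLE)
    port = config["vpn ssl settings"]["port"][0]
    print(f"portal port: {port}")
    for finding in audit_sslvpn(config, "wan1", "SSL_VPN_USERS"):
        print("FINDING:", finding)
```

On the thread's own values the listener and group checks pass (wan1 is in `source-interface`, `SSL_VPN_USERS` is in rule 1), so the only findings are the three legacy protocol versions; feeding it a dump where `source-interface` lacks the WAN interface produces the "does not listen" finding Anil was looking for.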