Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rwdorman
New Contributor III

5.2 Upgrade and SSL VPN/FortiClient

The 5.2 upgrade materials talk specifically about the combining of VPN routing and user identification rules. I think this is a good thing... HOWEVER... in addition to reviewing the rule-sets make sure you look at the SSL VPN settings as well. I found that everything worked with my upgraded config until I made the first rule change to one of my SSL VPN rules then EVERYTHING broke. I had to go in and reset some things like what interface it listened on, default portal etc. One very nice part of this is that it seems to evaluate all VPN rules that have user groups in them and concatenate them into a single routing table download. Makes granular access rules much easier.

-rd 2x 200D Clusters 1x 100D

1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
6 REPLIES 6
emnoc
Esteemed Contributor III

Yeah , the single SSLVPN page for configuration is a devil in disguised. I broke alot of things also mainly with the listen on tab and the default portal entry. I really do miss the older sslvpn method for pre5.2

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ilucas
New Contributor

Is this anything that could cause problems in a 5.0 -> 5.2 upgrade regarding the SSL VPN? Provided no changes are made prior? We have some telecommute employees that rely primarily on the SSL VPN to access internal systems.. can' t have them stuck!

----

FG 200B/30D/60D/80D/100D/200D/300D

FE 200D

---- FG 200B/30D/60D/80D/100D/200D/300D FE 200D
Baptiste
Contributor II

As far as I remember last week, I had to make some change on SSL VPN Settings On IPV4 Policy, there were sub-policy on SSLVPN Policy on 5.0.x, after upgrade thèses rules have been split on dedicated rules.

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

2 FGT 100D + FTK200 3 FGT 60E FAZ VM some FAP 210B/221C/223C/321C/421E
emnoc
Esteemed Contributor III

That' s correct and it took me about 15-30mins of diagnostics. Make sure you review all portal configurations if your doing tunnel-mode.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
anthony956
New Contributor

Hello, I just have a question : Is it normal that a client of a VPN SSL (tunnel mode) have an IP address with mask /32 ? Because my VPN SSL is configured, the client PC got an IP address on the LAN but with netmask /32. So it can' t reach other devices on the LAN (the routing table is falsified). It' s the first time which I configured a SSL VPN on FortiOS 5.2. I have already configured VPN SSL on FortiOS 4.3 but I have never check the netmask of a client (it' s worked correctly). Thank you very much in advance. Regards, Anthony.
FCNSA-P France
FCNSA-P France
emnoc
Esteemed Contributor III

Q: What' s your cfg looking like and did you define a unique SSLVPN tunnel range? If you would have done the later ( I' m assuming you didn' t ) than your /32 interface would not be relevant towards the lan subnet

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors