marcelo_malara
New Contributor

Change VPN SSL interface

Hi guys.

 

I have two Fortinet 80Cs in a cluster. I configured the VPN SSL access some time ago on WAN1, and it worked fine. Now I need to move the VPN SSL to WAN2. I changed VPN->SSL->Settings->Listen on interface from WAN1 to WAN2, port 10443, but neither the client nor the web page works. The client stops at 10%. It seems the port 10443 is not listening. Restarted the VPN SSL Daemon to no effect, rebooted both nodes to no effect.

 

Is there something more I have to change?

 

Regards

rkulow
New Contributor

Via CLI, go to:

    config vpn ssl settings
        config authentication-rule
            edit 1
                unset source-interface (or set source-interface to the new interface)
            next
        end
    end

marcelo_malara

Thanks, still not working. True that both auth rules had the old interface; this is a get after I changed to the new one:

 

FGT80C3911606514 (authentication-rule) # get 1
 
id                  : 1
source-interface:
    == [ wan2 ]
    name: wan2
source-address:
    == [ all ]
    name: all
source-address-negate: disable 
source-address6:
source-address6-negate: disable 
users:
groups:
    == [ Grupo de usuarios para VPN SSL ]
    name: Grupo de usuarios para VPN SSL
portal              : RDP por VPN 
realm               : 
client-cert         : disable 
cipher              : any 
auth                : any 
rkulow

Did you try to unset source-interface?

ede_pfau
Esteemed Contributor III

The interface listened on is set outside the auth rules section:

config vpn ssl settings
    set port 443
    set source-interface "wan1"

    ...
This is in FOS v5.2.9


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Nils
Contributor II

Did you change the policies that the SSLVPN interface uses as well?

 

marcelo_malara

Hi guys.

 

"The interface listened on is set outside the auth rules section"

source-interface:
 
--More--              == [ wan2 ]
--More--              name: wan2
marcelo_malara

"Did you change the policies that the SSLVPN interface uses as well?"

 

Sorry, what do you mean? The only policies are from the ssl.root interface.

 

Nils

Oh sorry, yeah, in the new versions you don't use the external interface in the policy.

Do you have any VIP that uses port 443 on WAN2?

 

marcelo_malara

Actually I am using port 10443 for the VPN.
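
The replies above check three places: the listener's `source-interface` and `port` under `config vpn ssl settings`, the `source-interface` of each authentication rule, and any VIP on the same interface and port. The following is an added example, not part of the thread and not Fortinet code, that runs those three checks over a config backup. The helper names `parse` and `check` and the sample config are constructed for illustration; `extintf`, `extport` and `portforward` are the `config firewall vip` keys and do not appear in the thread.

```python
import re

# Constructed config excerpt in FortiOS CLI syntax (not taken from the thread).
SAMPLE = """\
config firewall vip
    edit "cam-10443"
        set extintf "wan2"
        set portforward enable
        set extport 10443
    next
end
config vpn ssl settings
    set port 10443
    set source-interface "wan2"
    config authentication-rule
        edit 1
            set source-interface "wan1"
        next
    end
end
"""

def parse(text):  # map each nested config/edit path to its {key: [values]}
    stack, out = [], {}
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[0] == "set" and len(tok) >= 3:
            out.setdefault(tuple(stack), {})[tok[1]] = tok[2:]
    return out

def check(text):  # hypothetical helper: settings that conflict with the listener
    cfg, found = parse(text), []
    ssl = cfg.get(("vpn ssl settings",), {})
    listen, port = set(ssl.get("source-interface", [])), int(ssl.get("port", ["0"])[0])
    for path, kv in cfg.items():
        if path[:2] == ("vpn ssl settings", "authentication-rule") and len(path) == 3:
            src = set(kv.get("source-interface", []))
            if src and not src & listen:  # a rule with no source-interface is not flagged
                found.append(f"auth-rule {path[2]}: {sorted(src)} excludes listener {sorted(listen)}")
        elif path[:1] == ("firewall vip",) and kv.get("portforward") == ["enable"]:
            lo, _, hi = kv.get("extport", ["0"])[0].partition("-")
            on_listener = set(kv.get("extintf", [])) & (listen | {"any"})
            if port and on_listener and int(lo) <= port <= int(hi or lo):
                found.append(f"vip {path[1]}: forwards port {port} on {sorted(on_listener)}")
    return found
```

On the constructed sample, `check(SAMPLE)` reports both the stale `wan1` authentication rule and the VIP that forwards port 10443 on `wan2`.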
