Ahoy,
We are trialling out a multi-vdom approach to SSL VPN portals to allow us to have different host checking depending on the type of access required. I have setup a 100D with:
root vdom: all physical interfaces and normal operations (IPSec VPN, LAN access etc.) Tunnel vdom: ssl vpn setup for tunnel mode only with strict host checker Web vdom: ssl vpn for web access only low level host check (if any)
there are vdom links connecting root to tunnel and root to web.
web is working ok except with an issue with SSO for intranet URLs, and also on the version we're running (5.2.3) I can't limit the type of bookmarks people can create (i.e. only want them to have HTTP, HTTPS and RDP [not RDP Native]) as the config option is missing....
Tunnel is proving tricky. i have it mostly cracked now except for one slight snag - no traffic is flowing over it. Attached is a lovely MS Paint diagram of the config and setup with some rules (out of paranoia I have blanked out some stuff and changed our WAN IP).
i get this when i flow trace a connected ssl vpn tunnel client (10.220.16.10):
id=20085 trace_id=387 func=print_pkt_detail line=4378 msg="vd-Tunnel received a packet(proto=17, 172.16.11.11:53->10.220.16.10:49315) from RT1. " id=20085 trace_id=385 func=init_ip_session_common line=4527 msg="allocate a new session-00002cf3" id=20085 trace_id=387 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-00002cf2, reply direction" id=20085 trace_id=387 func=udp_rcv line=980 msg="No socket found. Drop."
172.16.11.11 is a DNS server.
Any thoughts?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Edit: i've turned NAT off on all the rules except the lan/rt0/rw0 to wan rule at the top and added routes to our layer3 switch on the LAN.
get this when i flow trace:
id=20085 trace_id=387 func=print_pkt_detail line=4378 msg="vd-Tunnel received a packet(proto=17, 172.16.102.41:53->10.220.16.10:49315) from RT1. "
id=20085 trace_id=385 func=init_ip_session_common line=4527 msg="allocate a new session-00002cf3"
id=20085 trace_id=387 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-00002cf2, reply direction"
id=20085 trace_id=387 func=udp_rcv line=980 msg="No socket found. Drop."
172.16.102.41 is a device on our LAN and 10.220.16.10 is a client machine connected to the ssl vpn tunnel using the forticlient software (that IP is assigned by the tunnel).
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1721 | |
1098 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.