islam_nadim
New Contributor III

FortiClient Connect using SSLv3 Only

Hello All,

Hope you are all fine. I have an issue with the FortiClient. I'm building a lab for a project that I will deploy. I tried to deploy a Remote Access VPN (SSL VPN) on a VM edition of the Fortigate, but it is not working for me.

When I try to connect, I get the error below:

Unable to establish the VPN connection. The VPN server may be unreachable. (-5)

My Fortigate is on OS

FortiGate-VM64 v6.2.3,build1066,191218 (GA)

And my FortiClient version is:

6.4.2.1580

After debugging, I get the logs below:

[169:root:2c]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2c]SSL state:before SSL initialization (192.168.187.1)
[169:root:2c]SSL state:before SSL initialization:DH lib(192.168.187.1)
[169:root:2c]SSL_accept failed, 5:(null)
[169:root:2c]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
[169:root:2d]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2d]SSL state:before SSL initialization (192.168.187.1)
[169:root:2d]SSL state:before SSL initialization (192.168.187.1)
[169:root:2d]client cert requirement: no
[169:root:2d]SSL state:SSLv3/TLS read client hello (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server hello (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write certificate (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write key exchange (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done:system lib(192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done:DH lib(192.168.187.1)
[169:root:2d]SSL_accept failed, 5:(null)
[169:root:2d]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
[169:root:2e]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2e]SSL state:before SSL initialization (192.168.187.1)
[169:root:2e]SSL state:before SSL initialization (192.168.187.1)
[169:root:2e]client cert requirement: no
[169:root:2e]SSL state:SSLv3/TLS read client hello (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write server hello (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write certificate (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write key exchange (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write server done (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write server done:system lib(192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write server done:DH lib(192.168.187.1)
[169:root:2e]SSL_accept failed, 5:(null)
[169:root:2e]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
[169:root:2f]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2f]SSL state:before SSL initialization (192.168.187.1)
[169:root:2f]SSL state:before SSL initialization (192.168.187.1)
[169:root:2f]client cert requirement: no
[169:root:2f]SSL state:SSLv3/TLS read client hello (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write server hello (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write certificate (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write key exchange (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write server done (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write server done:system lib(192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write server done:DH lib(192.168.187.1)
[169:root:2f]SSL_accept failed, 5:(null)
[169:root:2f]Destroy sconn 0x7fb37a483e00, connSize=0. (root)

My config for the SSL VPN is below as well:

FGT-HOME-LAB # show vpn ssl settings
config vpn ssl settings
    set ssl-min-proto-ver tls1-0
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 4434
    set source-interface "port2" "port3"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "MyUsers"
            set portal "full-access"
        next
    end
end

FGT-HOME-LAB # show firewall address SSLVPN_TUNNEL_ADDR1
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set uuid 00ea0dce-57ea-51eb-bd4d-c24551dfe778
        set type iprange
        set associated-interface "ssl.root"
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

FGT-HOME-LAB # show vpn ssl web portal full-access
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set auto-connect enable
        set keep-alive enable
        set save-password enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "Internal_Network"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
end

FGT-HOME-LAB # show | grep -f MyUsers
config user group
    edit "MyUsers" <---
        set member "user1"
    next
end

Also, only TLS 1.0, TLS 1.1 and TLS 1.2 are enabled in my Internet Options.
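The debug output above, regrouped per connection, as an added triage example (my own Python, not code from the post, from Fortinet or from FortiClient). It assumes the `[pid:vdom:connid]message` prefix and the `SSL state:…` / `SSL_accept failed, N:…` message shapes seen in the post, and that the number after `SSL_accept failed,` is OpenSSL's `SSL_get_error()` value (so 5 is `SSL_ERROR_SYSCALL`); the embedded sample is a constructed subset of the post's own lines (connections 2c and 2d).

```python
"""Per-connection triage of FortiGate sslvpn daemon debug output (added example)."""
import re
from collections import Counter, OrderedDict

# Constructed sample: a subset of the debug lines quoted in the post
# (connection ids 2c and 2d), copied verbatim.
SAMPLE_LOG = """\
[169:root:2c]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2c]SSL state:before SSL initialization (192.168.187.1)
[169:root:2c]SSL state:before SSL initialization:DH lib(192.168.187.1)
[169:root:2c]SSL_accept failed, 5:(null)
[169:root:2c]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
[169:root:2d]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2d]SSL state:before SSL initialization (192.168.187.1)
[169:root:2d]SSL state:before SSL initialization (192.168.187.1)
[169:root:2d]client cert requirement: no
[169:root:2d]SSL state:SSLv3/TLS read client hello (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server hello (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write certificate (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write key exchange (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done:system lib(192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done:DH lib(192.168.187.1)
[169:root:2d]SSL_accept failed, 5:(null)
[169:root:2d]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
"""

# Assumed line shapes, taken from the post: "[pid:vdom:connid]message".
LINE_RE = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<conn>[0-9a-f]+)\](?P<msg>.*)$")
# "SSL state:<state> (<peer>)" or "SSL state:<state>:<lib> lib(<peer>)".
STATE_RE = re.compile(r"^SSL state:(?P<state>[^(]+?)(?::(?P<lib>\w+ lib))?\s*\((?P<peer>[^)]*)\)$")
FAIL_RE = re.compile(r"^SSL_accept failed, (?P<code>\d+):(?P<reason>.*)$")

# Assumption: the number after "SSL_accept failed," is OpenSSL's SSL_get_error() value.
SSL_ERROR_NAMES = {
    1: "SSL_ERROR_SSL",          # a TLS-level failure (alert or protocol error)
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    5: "SSL_ERROR_SYSCALL",      # the transport reported an error or the peer hung up
    6: "SSL_ERROR_ZERO_RETURN",  # clean close_notify from the peer
}


def parse_sslvpn_debug(text):
    """Group debug lines by connection id and record peer, states and failure."""
    conns = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a daemon line (prompt, blank, unrelated output)
        conn = conns.setdefault(
            m["conn"], {"peer": None, "states": [], "saw_client_hello": False, "failure": None}
        )
        msg = m["msg"]
        s = STATE_RE.match(msg)
        if s:
            conn["peer"] = conn["peer"] or s["peer"]
            label = s["state"] + (" [%s]" % s["lib"] if s["lib"] else "")
            conn["states"].append(label)
            if "read client hello" in s["state"]:
                conn["saw_client_hello"] = True
            continue
        f = FAIL_RE.match(msg)
        if f:
            code = int(f["code"])
            conn["failure"] = (code, SSL_ERROR_NAMES.get(code, "unknown"), f["reason"])
    return conns


def failure_pattern(conns):
    """Count the last handshake state reached by each failed connection."""
    return Counter(c["states"][-1] for c in conns.values() if c["failure"] is not None and c["states"])


def triage(conns):
    """One verdict per connection, separating 'no ClientHello' from mid-handshake failures."""
    rows = []
    for cid, c in conns.items():
        last = c["states"][-1] if c["states"] else None
        if c["failure"] is None:
            verdict = "no SSL_accept failure logged"
        elif not c["saw_client_hello"]:
            verdict = "no ClientHello received: probe, port scan or client gave up before TLS"
        else:
            verdict = "handshake failed after '%s' with %s" % (last, c["failure"][1])
        rows.append((cid, c["peer"], last, c["failure"], verdict))
    return rows


if __name__ == "__main__":
    conns = parse_sslvpn_debug(SAMPLE_LOG)
    for cid, peer, last, failure, verdict in triage(conns):
        print("conn %s peer=%s last=%r failure=%s -> %s" % (cid, peer, last, failure, verdict))
    print(failure_pattern(conns))
```

The per-connection view separates attempts that never delivered a ClientHello (2c in the post) from those that got all the way to "write server done" and died at the DH step (2d, 2e, 2f). When every full attempt ends at the same state with SSL_ERROR_SYSCALL, the "-5 unreachable" message on the client is misleading: the server was reached and answered, so the question is why the peer drops the connection once it has seen the server's key exchange, which is where the accepted answer's point about the eval VM's encryption restrictions comes in.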

1 Solution
ede_pfau
Esteemed Contributor III

The eval edition of Fortigate VM has severe restrictions regarding encryption methods. IMHO this will only work in a licensed FGT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

NetSecCity

This would work on a physical Fortigate, unlicensed. Just can't be the VM.
