FortiClient Connect using SSLv3 Only
Hello All,
Hope you are all fine. I have an issue with the FortiClient. I'm building a lab for a project that I will deploy. I tried to deploy a Remote Access VPN (SSL VPN) on a VM edition of the FortiGate, but it is not working for me.
When I try to connect, I get the error below:
Unable to establish the VPN connection. The VPN server may be unreachable. (-5)
My FortiGate is on OS:
FortiGate-VM64 v6.2.3,build1066,191218 (GA)
And my FortiClient version is:
6.4.2.1580
After debugging, I get the logs below:
[169:root:2c]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2c]SSL state:before SSL initialization (192.168.187.1)
[169:root:2c]SSL state:before SSL initialization:DH lib(192.168.187.1)
[169:root:2c]SSL_accept failed, 5:(null)
[169:root:2c]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
[169:root:2d]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2d]SSL state:before SSL initialization (192.168.187.1)
[169:root:2d]SSL state:before SSL initialization (192.168.187.1)
[169:root:2d]client cert requirement: no
[169:root:2d]SSL state:SSLv3/TLS read client hello (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server hello (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write certificate (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write key exchange (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done:system lib(192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done:DH lib(192.168.187.1)
[169:root:2d]SSL_accept failed, 5:(null)
[169:root:2d]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
[169:root:2e]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2e]SSL state:before SSL initialization (192.168.187.1)
[169:root:2e]SSL state:before SSL initialization (192.168.187.1)
[169:root:2e]client cert requirement: no
[169:root:2e]SSL state:SSLv3/TLS read client hello (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write server hello (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write certificate (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write key exchange (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write server done (192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write server done:system lib(192.168.187.1)
[169:root:2e]SSL state:SSLv3/TLS write server done:DH lib(192.168.187.1)
[169:root:2e]SSL_accept failed, 5:(null)
[169:root:2e]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
[169:root:2f]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2f]SSL state:before SSL initialization (192.168.187.1)
[169:root:2f]SSL state:before SSL initialization (192.168.187.1)
[169:root:2f]client cert requirement: no
[169:root:2f]SSL state:SSLv3/TLS read client hello (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write server hello (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write certificate (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write key exchange (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write server done (192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write server done:system lib(192.168.187.1)
[169:root:2f]SSL state:SSLv3/TLS write server done:DH lib(192.168.187.1)
[169:root:2f]SSL_accept failed, 5:(null)
[169:root:2f]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
My config for the SSL VPN is below as well:
FGT-HOME-LAB # show vpn ssl settings
config vpn ssl settings
set ssl-min-proto-ver tls1-0
set servercert "Fortinet_Factory"
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set port 4434
set source-interface "port2" "port3"
set source-address "all"
set source-address6 "all"
set default-portal "full-access"
config authentication-rule
edit 1
set groups "MyUsers"
set portal "full-access"
next
end
end
FGT-HOME-LAB # show firewall address SSLVPN_TUNNEL_ADDR1
config firewall address
edit "SSLVPN_TUNNEL_ADDR1"
set uuid 00ea0dce-57ea-51eb-bd4d-c24551dfe778
set type iprange
set associated-interface "ssl.root"
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
end
FGT-HOME-LAB # show vpn ssl web portal full-access
config vpn ssl web portal
edit "full-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set web-mode enable
set auto-connect enable
set keep-alive enable
set save-password enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set split-tunneling-routing-address "Internal_Network"
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
config bookmark-group
edit "gui-bookmarks"
next
end
next
end
FGT-HOME-LAB # show | grep -f MyUsers
config user group
edit "MyUsers" <---
set member "user1"
next
end
Also, TLS1.0, TLS1.1 and TLS1.2 are enabled in my Internet Options only.
The eval edition of Fortigate VM has severe restrictions regarding encryption methods. IMHO this will only work in a licensed FGT.
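The debug output in the question tells you where the handshake dies, but reading 40 lines per attempt by hand is slow. The script below is an added example (not Fortinet code and not from the original post): it parses lines of the form [pid:vdom:connid]message, as printed by the FortiGate sslvpn debug, groups them by connection id and reports how far the server-side TLS handshake got before SSL_accept failed. The sample input is a constructed excerpt of the log posted above (connections 2c and 2d). Mapping the numeric SSL_accept code to an OpenSSL SSL_ERROR_* name is an assumption based on OpenSSL's constants (5 is SSL_ERROR_SYSCALL, i.e. the peer closed the socket); FortiOS does not document that mapping on this page.

```python
"""Summarise FortiGate SSL-VPN debug output per TLS connection.

Added example, not Fortinet code.  Parses "[pid:vdom:connid]message"
lines, groups them by connection id and classifies how far the
handshake progressed before SSL_accept failed.
"""
import re
from collections import OrderedDict

# Constructed sample: excerpt of the debug log from the post (conns 2c, 2d).
SAMPLE_LOG = """\
[169:root:2c]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2c]SSL state:before SSL initialization (192.168.187.1)
[169:root:2c]SSL state:before SSL initialization:DH lib(192.168.187.1)
[169:root:2c]SSL_accept failed, 5:(null)
[169:root:2c]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
[169:root:2d]allocSSLConn:289 sconn 0x7fb37a483e00 (0:root)
[169:root:2d]SSL state:before SSL initialization (192.168.187.1)
[169:root:2d]SSL state:before SSL initialization (192.168.187.1)
[169:root:2d]client cert requirement: no
[169:root:2d]SSL state:SSLv3/TLS read client hello (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server hello (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write certificate (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write key exchange (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done (192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done:system lib(192.168.187.1)
[169:root:2d]SSL state:SSLv3/TLS write server done:DH lib(192.168.187.1)
[169:root:2d]SSL_accept failed, 5:(null)
[169:root:2d]Destroy sconn 0x7fb37a483e00, connSize=0. (root)
"""

LINE_RE = re.compile(r"^\[(\d+):([^:\]]+):([0-9a-f]+)\](.*)$")
# The IP may follow the state with or without a space ("DH lib(1.2.3.4)").
STATE_RE = re.compile(r"^SSL state:(.*?)\s*\((\d{1,3}(?:\.\d{1,3}){3})\)$")
FAIL_RE = re.compile(r"^SSL_accept failed, (\d+):(.*)$")

# Assumed mapping to OpenSSL SSL_get_error() values; not documented by FortiOS.
SSL_ERROR_NAMES = {1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
                   5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}


def parse_sslvpn_debug(text):
    """Group debug lines by connection id; return an OrderedDict of summaries."""
    conns = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a per-connection line
        _pid, _vdom, cid, msg = m.groups()
        c = conns.setdefault(cid, {"ip": None, "states": [],
                                   "error": None, "error_text": None})
        s = STATE_RE.match(msg)
        if s:
            c["states"].append(s.group(1))
            c["ip"] = s.group(2)
            continue
        f = FAIL_RE.match(msg)
        if f:
            c["error"] = int(f.group(1))
            c["error_text"] = f.group(2)
    return conns


def classify(conn):
    """Describe how far the server-side handshake got before it failed."""
    states = conn["states"]
    got_hello = any("read client hello" in s for s in states)
    sent_done = any("write server done" in s for s in states)
    if conn["error"] is None:
        return "no SSL_accept failure recorded"
    err = SSL_ERROR_NAMES.get(conn["error"], "unknown")
    if not got_hello:
        return (f"failed before a ClientHello was read ({err}): no TLS "
                "negotiation took place, check reachability and port")
    if sent_done:
        return (f"failed after ServerHello/Certificate/KeyExchange were sent ({err}): "
                "the client dropped the server's offer, suspect the protocol "
                "version or the cipher/key-exchange parameters the server chose")
    return f"failed mid-handshake after ClientHello ({err})"


def summarize(text):
    """Return [(conn_id, client_ip, last_state, verdict), ...]."""
    out = []
    for cid, c in parse_sslvpn_debug(text).items():
        last = c["states"][-1] if c["states"] else None
        out.append((cid, c["ip"], last, classify(c)))
    return out


if __name__ == "__main__":
    for cid, ip, last, verdict in summarize(SAMPLE_LOG):
        print(f"conn {cid} from {ip}: last state {last!r} -> {verdict}")
```

Run it against the full debug capture (pipe the output of the sslvpn debug into a file and pass it to summarize). Connections 2d to 2f all die right after the server has sent its key exchange and "server done", with the peer closing the socket: the FortiGate is not rejecting the client, the client is rejecting what the FortiGate offered, which is consistent with the cipher restrictions of the evaluation VM described above. To see the offer from the client side, an openssl s_client -connect host:4434 -tls1_2 handshake against the same port shows which cipher suite and key-exchange group the server actually selects.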
This would work on a physical FortiGate, unlicensed. It just can't be the VM.
