Hi,
I have SSL VPN running on two wan addressees and this is working from the internet. I have also wifi guest network, this guest network should have access using Forticlient in SSL mode to connect to one of these WAN addresses, how to do this?
Now when I start the connection from Forticlient it stuck on 10% with error "The VPN server may be unreachable"
7.2.8 firmware.
I have nothing in standard GUI logs so I think that is problem with routing or something which is first before firewall.
So I did a debug flow, with this result:
FGT # id=65308 trace_id=1147 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 172.16.0.29:54905->x.x.x.85:443) tun_id=0.0.0.0 from Guest-WiFi. flag [S], seq 1667350216, ack 0, win 64240"
id=65308 trace_id=1147 func=init_ip_session_common line=6009 msg="allocate a new session-0639308c, tun_id=0.0.0.0"
id=65308 trace_id=1147 func=get_new_addr line=1205 msg="find DNAT: IP-y.y.y.30, port-443"
id=65308 trace_id=1147 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=126, len=58"
id=65308 trace_id=1147 func=get_new_addr line=1205 msg="find SNAT: IP-y.y.y.30(from IPPOOL), port-54905"
id=65308 trace_id=1147 func=fw_pre_route_handler line=180 msg="VIP-y.y.y.30:443, outdev-unknown"
id=65308 trace_id=1147 func=__ip_session_run_tuple line=3419 msg="DNAT x.x.x.85:443->y.y.y.30:443"
id=65308 trace_id=1147 func=vf_ip_route_input_common line=2611 msg="find a route: flag=84000000 gw-y.y.y.30 via root"
id=65308 trace_id=1147 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=126, len=58"
id=65308 trace_id=1147 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"
172.16.0.0 - this is internal wifi guest
x.x.x.85:443 - this is an Natted provided by ISP additional ip address of wan interface (this IP is configured on Forticlients)
y.y.y.30:443 - this is ip address configured on the wan interface
and I have translation using VIP from secondary to first wan IP:
config firewall vip
edit "SSLVPN_to_natted"
set extip x.x.x.85
set mappedip "y.y.y.30"
set extintf "port24"
set portforward enable
set extport 443
set mappedport 443
next
Ipv4 policy for natted incoming sslvpn traffic with VIP as destination:
config firewall policy
edit 19
set name "SSLVPN_to_natted"
set srcintf "virtual-wan-link"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "SSLVPN_to_natted"
set schedule "always"
set service "ALL"
set logtraffic all
set comments "Incoming SSL Traffic to natted wan address"
next
Guest-Wifi network have allowed on ipv4 policy port 443 to wan (wirtual-wan-link) interface.
Have you tried to enable the SSL VPN for the interested SSID?
then I would have to change the forticlient configuration on each guest laptop.
You could use the same domain name that resolves in different IPs to avoid changing the configurations in FortiClient or set up two different VPN connections. It could be also a solution using hairpin NAT but I don't encourage using it, maybe this article or this other thread will help you.
Hi @Tutek,
Why do you want guest wifi users to connect to the VPN if they are already behind the FortiGate? Why are you translating x.x.x.85:443 to y.y.y.30:443 since they are both IPs of the wan interface?
Regards,
This is wifi network for guest it would be unreasonable to give access on such a network to servers and other important equipment, this network is used by visitors who have ssl vpn accounts set up, and they are supposed to be able to log into our fortigate via dialup ssl vpn.
Our ISP, on the other hand, in addition to the wan connection address, has assigned us a pool of 8 routable addresses on another network assigned to the wan connection, one of these IP addresses is used to translate the public domain that is configured in forticlient. In case of future public IP change, so as not to have to change dozens of forticlient configurations all our forticlients are configured using domain name instead IP. This domain name is translated by our public dns to just this one public address, that's it.
Do you have any idea how to resolve this?
You can use dynamic DNS. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Dynamic-DNS-Fortigate/ta-...
Regards,
Created on 05-23-2024 02:58 AM Edited on 05-23-2024 03:01 AM
I don't have problem with DDNS why do you offer mi this solution?
I have a problem accessing on ssl vpn interface from internal network and with that I am looking for help.
I would try the hairpinning NAT Firewall-Rule
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.