Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Drkrieger
New Contributor

Created on ‎07-02-2014 11:36 AM

Issues seeing remote computers through SSL VPN

Hello! I am experimenting with an older Fortigate 60B (running FortiOS 4.0 MR3, Patch 15) that my boss gave me and I' m trying to learn how to setup an SSL VPN. I found a few videos on how to configure the unit to do web filtering for remote clients and adjusted to configuration to provide VPN access to the internal network. Basically, I' m trying to use the SSL VPN to gain file share access on my home network for remote computers. I have been able to configure the VPN so that I was able to log in using the Forticlient (version 5.2), but I' m not able to ping or file share (SMB/CIFS) even though it is enabled in the portal. Here' s how I have it configured: 1. Set up the user accounts (the internal network is a workgroup, no AD) 2. Created user group, set VPN Access to ' full-access' 3. Adjusted SSLVPN_TUNNEL_ADDR1 to a range other than default (FW Objects) 4. Created address range for my internal network (FW Objects) 5. Under VPN->SSL->Config, added SSLVPN_TUNNEL_ADDR1 to IP Pools 6. Under VPN->SSL->Portal, made sure all applications were checked (settings) 7. Added the adjusted IP range for the SSLVPN address range to Static Routes attached to device: ssl.root 8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed 9. Created Policy for SSL.ROOT->Internal, SSLVPN address range source, Internal home network range as destination, service any, Action allowed, NAT Enabled (also tried with this disabled, still no go) I have no issues connecting to the VPN, that goes smoothly. I am unable to ping or directly look at any machines file shares (using Windows explorer and typing \\<ip address> of machine). Is there a step I may have missed? Or a setting I need to adjust? I can provide screenshots of my policies if required. Thanks in advance!
21287
0 Kudos
13 REPLIES 13
Carl_Wallmark
Valued Contributor

Created on ‎07-02-2014 12:15 PM

Hi, and welcome to the forum, Try to sniff the traffic while pinging a computer in the CLI: diag sni pack ssl.root icmp 4 This will show if the traffic even gets to the firewall. Are you sure that FortiClient 5.2 is compatible with 4.3.15 ?

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
4446
0 Kudos
Drkrieger
New Contributor

Created on ‎07-02-2014 12:29 PM

When I sniffed it, this was what came up: I' m confused by the error about the no IPv4 Address assigned. I thought that was the static route I created for the ssl.root?
4446
0 Kudos
Carl_Wallmark
Valued Contributor

Created on ‎07-02-2014 12:31 PM

Yes but that looks ok, the ssl.root dont have an IP adress. But you should see alot of icmp if you are pinging.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
4446
0 Kudos
Drkrieger
New Contributor

Created on ‎07-02-2014 12:44 PM

I' m seeing nothing at all. I ran a ping -t to one of the machine on the internal network through the VPN and it keeps timing out. I did get an interesting response on one of the pings though, check it out: That IP doesn' t exist on either of my networks (the remote, or the internal).
4446
0 Kudos
Drkrieger
New Contributor

Created on ‎07-02-2014 02:34 PM

I gave up and created an IPSec VPN. Works like a charm. Thanks for the assist Selective ;)
4446
0 Kudos
oheigl
Contributor II

Created on ‎07-03-2014 05:59 AM

Hello Drkrieger, this step is not complete:
8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed
You need to add the internal network as destination address object too. The destination addresses you enter in the policy with action SSL-VPN are propagated to the routing table of the virtual ssl-vpn adapter of the client. Hope that helps, Oliver
4446
0 Kudos
rwpatterson
Valued Contributor III
In response to oheigl

Created on ‎07-03-2014 06:04 AM

ORIGINAL: oheigl Hello Drkrieger, this step is not complete:
8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed
You need to add the internal network as destination address object too. The destination addresses you enter in the policy with action SSL-VPN are propagated to the routing table of the virtual ssl-vpn adapter of the client. Hope that helps, Oliver
Actually, step 9 covers the internal entities. In step 8 though, the destination should not be the SSL VPN IP addresses, rather it should be the destination hosts that you' re trying to reach from the outside. One missing step is the static route back to the SSL VPN interface with a distance lower than that of the default gateway.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
4446
0 Kudos
Drkrieger
New Contributor
In response to rwpatterson

Created on ‎07-03-2014 08:11 AM

Actually, step 9 covers the internal entities. In step 8 though, the destination should not be the SSL VPN IP addresses, rather it should be the destination hosts that you' re trying to reach from the outside.
So if I change the ' Destination Address' under the Destination Interface/Zone to the address range of my internal network, in theory it should be able to see it? Like this: Also, I' m not sure how to do this:
One missing step is the static route back to the SSL VPN interface with a distance lower than that of the default gateway.
I' m guessing that I would add in an item into the Router->Static->Static Route menu, but what exactly would I put in? I' ve already got the IP Range for the SSL VPN users linked to the ssl.root, not sure if that was all that is needed. Edit: I' ll get a Route Print up shortly
4446
0 Kudos
rwpatterson
Valued Contributor III
In response to Drkrieger

Created on ‎07-03-2014 08:17 AM

ORIGINAL: Drkrieger I' m guessing that I would add in an item into the Router->Static->Static Route menu, but what exactly would I put in? I' ve already got the IP Range for the SSL VPN users linked to the ssl.root, not sure if that was all that is needed.
That' s all you should need in the routing area.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
4446
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.