Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jon_Fleming
New Contributor

Netmask preventing SSL VPN tunnel from working?

Fortigate 50B 3.00-b0726(MR7). Since there are sometimes issues with my IPSec VPN, I thought I'd try out an SSL VPN. I set it up per the documentation: a user group that is authenticated by my LDAP server, an "SSL Internal network" address of 192.168.0.0/255.255.255.0, a tunnel IP range of 192.168.0.8-192.168.0.49 which is outside my DHCP server's range, and a firewall policy from WAN1/any to internal/"SSL Internal network" always/any/SSL VPN and the LDAP user group allowed. I can connect using IE7 as advertised and activate the tunnel and get an IP and DNS server and WINS server and whatnot EXCEPT ... The fortissl adapter gets a subnet mask of 255.255.255.255. So even though I have a 192.168.0.8 IP I can't connect to anything on the internal network. If I try "Test for Reachability (ping)" in IE to 192.168.0.250, a popup advises me that it's reachable. If I ping 192.168.0.250 at the command line, I get four timeouts. What have I missed?
36 REPLIES
UkWizard
New Contributor

I think the 255.255.255.255 netmask is normal for this, so I think the problem is elsewhere. Could be misconfigured, or the local firewall is preventing the traffic. Also be careful that the client machine isn't on a 192.168.0.x network, else you will get routing issues as well.... That's the most common private subnet range unfortunately.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
rwpatterson
Valued Contributor III

Did you create the reverse static routes to 192.168.0.[8-49] back to ssl.root? This is needed after MR5.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming

No, I didn't create the reverse static route, and I haven't the slightest idea how to do so. It's not mentioned in FortiGate_SSL_VPN_User_Guide_01-30007-0348-20080718.pdf or Basic SSL Setup.pdf. (FWIW the client is on a 192.168.16.x or 192.168.1.x network, depending on where I'm testing from).
rwpatterson
Valued Contributor III

Traffic flows like this (works for me!)
  • Internet -> ssl.root (user IP in the FGT should now be 192.168.0.[8-49])
  • ssl.root -> internal/dmz/portx (wherever)
The Fortigate needs to know that the tunnel IP addresses are not going out the default path, so
  • Static route 192.168.0.[8-49] -> ssl.root
The FGT knows which end user to get to after that. ssl.root is simply another interface. Hope that helps

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Jon_Fleming

Well, I get the general idea, but in the Router/Static/Create New dialog I can't get it to accept 192.168.0.[8-49] or 192.168.0.[8-49]/255.255.255.0 or any variation of that I can think of. I know that somewhere in the documentation there's an explanation of how to specify IP addresses or ranges, but I can't locate it.
Jon_Fleming

OK, so here's what I have to date:
  • If one carefully follows, step-by-step, the instructions in Fortinet's "Basic SSL Setup.pdf", taking great care to follow the instructions exactly, the result is a non-operational SSL VPN (at least in tunnel mode).
  • If one carefully follows, step-by-step, the different instructions in Fortinet's "FortiGate_SSL_VPN_User_Guide_01-30007-0348-20080718.pdf", taking great care to follow the instructions exactly, the result is a non-operational SSL VPN (at least in tunnel mode).
  • It is not possible to create a static route that routes anything but 0.0.0.0/0.0.0.0 to ssl.root.
  • Nobody knows what is required or what steps to follow to get an SSL VPN working.
Does anyone actually have a working Fortigate SSL VPN? Has anyone actually ever figured out how to get anything working in a Fortigate router from just the printed documentation? Boy, was this the wrong router to buy. I only have two degrees from MIT, obviously I should have gone for another if I wanted to administer a Fortigate router.
rwpatterson
Valued Contributor III

In router static, you can't use ranges, only networks (x.x.x.x/y). You would have to break a 16 node network into /255.255.255.240 for example. So to get the bottom 16 IPs routed, it would be 192.168.0.0/255.255.255.240. Without that routing statement, the SSL ain't gonna happen. Optionally (which is a pain) one can put in the addresses individually, like what is done during an upgrade.... How far along in the process do you get? Note added later: I just realized I wrote that range in my prior post....my bad!!!

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
FortiRack_Eric
New Contributor III

I'm seeing this post for the first time. First of all, it is clear that SSL VPN works. The network design you have is faulty. Basic rule: if your network range is 192.168.0.0/24 then any of your remote connections/networks are NOT. A SSL connection is a remote connection. So you define your SSL range like 172.19.1.0/24, then you can set up a routing to the ssl.root interface. Try it, and you'll see. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
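The two points made above, that a FortiGate static route takes a network and mask rather than an address range (rwpatterson) and that the SSL VPN tunnel pool must not be carved out of the internal LAN (Eric), can both be checked mechanically before touching the firewall. The Python below is an added example written for this page, not code from the thread, from Fortinet or from any poster: it splits an inclusive tunnel range into the CIDR blocks a static route can express, flags every block that overlaps the LAN, and renders the blocks as generic FortiOS "config router static" entries. The route edit IDs, the use of "ssl.root" as the route device and the exact CLI syntax on this 3.00 MR7 build are assumptions; verify them against the CLI reference for your firmware.

```python
import ipaddress


def tunnel_routes(first, last):
    """Return the minimal list of CIDR networks covering the inclusive
    address range first..last.  A FortiGate static route takes a network
    and a mask, not a range, so a tunnel pool such as
    192.168.0.8-192.168.0.49 needs one route per aligned block."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return list(ipaddress.summarize_address_range(start, end))


def clashing_routes(networks, lan):
    """Return the tunnel blocks that overlap the internal LAN.  A pool taken
    from the LAN itself cannot be routed to ssl.root without competing with
    the LAN interface's own connected route for the same addresses."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    return [net for net in networks if net.overlaps(lan_net)]


def fortios_static_routes(networks, device="ssl.root", first_id=10):
    """Render the blocks as FortiOS 'config router static' entries.
    Assumption: the generic config/edit/set/next/end form and the starting
    edit ID are illustrative, not taken from the thread or a CLI reference."""
    lines = ["config router static"]
    for seq, net in enumerate(networks, start=first_id):
        lines += [
            f"    edit {seq}",
            f"        set dst {net.network_address} {net.netmask}",
            f'        set device "{device}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def plan(first, last, lan):
    """Decide whether a tunnel pool is usable against a given LAN and, if it
    is, produce the static routes that send it back to ssl.root."""
    nets = tunnel_routes(first, last)
    clash = clashing_routes(nets, lan)
    return {
        "networks": nets,
        "clash": clash,
        "usable": not clash,
        "cli": fortios_static_routes(nets) if not clash else "",
    }


if __name__ == "__main__":
    # The pool from the original post, carved out of the 192.168.0.0/24 LAN.
    bad = plan("192.168.0.8", "192.168.0.49", "192.168.0.0/24")
    print("192.168.0.8-49 splits into:", [str(n) for n in bad["networks"]])
    print("blocks overlapping the LAN:", [str(n) for n in bad["clash"]])

    # A pool on its own network, as suggested later in the thread.
    good = plan("172.19.1.0", "172.19.1.255", "192.168.0.0/24")
    print("usable:", good["usable"])
    print(good["cli"])
```

Running it on the original poster's pool shows why the GUI would not take the range: 192.168.0.8-192.168.0.49 is four separate blocks (/29, /28, /28, /31), and every one of them lies inside 192.168.0.0/24, so each would fight the LAN's connected route. A pool that is merely outside the LAN is not automatically convenient either: 192.168.32.1-192.168.32.255, used later in the thread, is not block-aligned and needs eight routes, whereas a whole /24 such as 172.19.1.0/24 is a single route.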
Jon_Fleming
New Contributor

Without that routing statement, the SSL ain't gonna happen
Interesting. I know that you don't write Fortigate documentation, but are you aware that there is no mention of creating a route of any kind in any of the Fortigate documentation on setting up an SSL network?

How far along in the process do you get?
It's hard to characterize.

Basic rule: if your network range is 192.168.0.0/24 then any of your remote connections/networks are NOT. A SSL connection is a remote connection. So you define your SSL range like 172.19.1.0/24 then you can setup a routing to the ssl.root interface.
OK, I see I made a mistake. If you read the documentation carefully it does say that. However, I have the Fortigate managing an IPSec VPN which assigns IP addresses in my internal network range, and it seems to me that IPSec is a remote connection. So, starting again using 192.168.32.1-192.168.32.255 as my tunnel IP range and 192.168.0.0/24 as my internal network range.

Let's dive into Basic SSL Setup.pdf. "Under Advanced, define any internal DNS or WINS servers present in your network, ...". OK, 192.168.0.250 is my DNS and WINS server, so enter that twice. Set up a user and user group ... check. I have LDAP working for IPSec but for now I'm just trying to get this going with a locally defined user. Define a firewall policy. Set the Source Interface to the interface that connects your FortiGate unit to the Internet ... OK, Wan1. Set the Source Address to all. Set the Destination Interface to the interface connected to your internal network ... OK, internal. Set the Destination Address to all. Set the action to SSL-VPN. Select the user group that you just added in the list on the left and select the right arrow to add that user group to this policy. Select OK. "Error: Destination address of split tunneling policy is invalid". OK, turn off split tunneling for that user group, although I'll certainly need it to put this into production; I'm not going to feed all traffic from a user in Israel or India or the Ukraine through me.

Off to another tab to test ... OK, I can log in, and I can initiate tunnel mode and get connected. According to the manual "Access at this point requires either that users know the IP addresses of internal servers, or that your DNS server is configured to resolve internal machine names, also called netbios names, of those servers." Well, my DNS server at 192.168.0.250 is configured to resolve NetBIOS names, but let's go to http://192.168.0.250 in a new tab. Internet Explorer cannot display the webpage.

Ipconfig /all yields:

PPP adapter fortissl:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : fortissl
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.32.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.0.250
   Primary WINS Server . . . . . . . : 192.168.0.250
   Secondary WINS Server . . . . . . : 192.168.0.250
   NetBIOS over Tcpip. . . . . . . . : Enabled

Back to the "Welcome to SSL-VPN Service" tab. Test for reachability 192.168.0.250 returns reachable. Connect to Web Server 192.168.0.250 opens a new window with Remote Web Workplace displayed and https://192.168.16.16:10443/proxy/http/192.168.0.250/ in the address bar. Click on My Company's Internal Web Site: Internet Explorer cannot display the webpage. https://192.168.16.16:10443/proxy/http/companyweb in the address bar. Gosharootie, seems to me that this is pretty useless and not operating as advertised. This message is a tad long, so I'll continue on the next rock ...