Support Forum
Jon_Fleming
New Contributor

Netmask preventing SSL VPN tunnel from working?

Fortigate 50B 3.00-b0726(MR7). Since there are sometimes issues with my IPSec VPN, I thought I'd try out an SSL VPN. I set it up per the documentation: a user group that is authenticated by my LDAP server, an "SSL Internal network" address of 192.168.0.0/255.255.255.0, a tunnel IP range of 192.168.0.8-192.168.0.49 which is outside my DHCP server's range, and a firewall policy from WAN1/any to internal/"SSL Internal network" always/any/SSL VPN and the LDAP user group allowed. I can connect using IE7 as advertised and activate the tunnel and get an IP and DNS server and WINS server and whatnot EXCEPT ... The fortissl adapter gets a subnet mask of 255.255.255.255. So even though I have a 192.168.0.8 IP I can't connect to anything on the internal network. If I try "Test for Reachability (ping)" in IE to 192.168.0.250, a popup advises me that it's reachable. If I ping 192.168.0.250 at the command line, I get four timeouts. What have I missed?
rwpatterson
Valued Contributor III

Are you testing this from inside your network? Ain't gonna work...
https://192.168.16.16:10443/proxy/http/192.168.0.250/
would appear to be a private IP address. Just asking...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming

Are you testing this from inside your network?
Nope. I hoped that was clear in the earlier messages. I have Verizon FIOS. Their router runs 192.168.16.0/24 on the LAN side and runs a wireless network for our guests to have Internet access. The Fortigate sits with Wan1 on that network as 192.168.16.16 and 192.168.0.0/24 on the internal interface. So my 192.168.16.x address is outside the internal network, and https://192.168.16.16:10443 refers to Wan1 on the Fortigate. This gives our guests Internet access, keeps them off our private network, and doesn't raise the issue of Verizon blaming any problems on the Fortigate router. FYI the Fortigate DHCP is off, and our SBS server at 192.168.0.250 does DHCP, DNS, WINS, and LDAP. I have IPSec VPN forwarded through the Verizon router and handled by the Fortigate. I have PPTP VPN forwarded through the Verizon router and through the Fortigate and handled by our server. But the Fortinet VPN client fails in Vista, I don't like PPTP much, and my users often run into situations where a company firewall blocks their IPSEC and PPTP access and I'm hoping that an SSL VPN may work for them occasionally in those situations.
Jon_Fleming
New Contributor

All righty then, I'll try the version presented in FortiGate_SSL_VPN_User_Guide_01-30007-0348-20080718.pdf. Setting up the VPN and the users and user groups is the same but with more explanations. On to the firewall policy ... On page 44 I see "In tunnel mode, it is necessary to create a DENY firewall policy that immediately follows the SSL VPN policy. If this policy is not created, SSL VPN tunnels will use other ACCEPT firewall policies. See the order of the Firewall policies below". And in the picture below, they show three "internal -> external" policies. (It's interesting that there's no more mention of this required policy in the step-by-step instructions). "Note: If your destination address, SSL encryption, and user group are the same as for your web-only mode connection, you do not need to create a firewall policy for tunnel mode. The FortiGate unit uses the web-only mode policy settings except for the source address range, which it obtains from the tunnel IP range settings." OK, so all I need to do is configure Web-only.

First I specify destination IP addresses: Go to Firewall > Address and select Create New. In the Address Name field, type a name that represents the local network, server(s), or host(s) to which IP packets may be delivered (for example, Subnet_1) ... OK, "SSL_Destinations". From the Type list, select Subnet/IP Range. In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for example, 172.16.10.0/24). OK, 192.168.0.0/255.255.255.0. Select OK. Huh? What interface do I select? I look down in the instructions for specifying destination IP addresses for tunnel mode, and I find "In the Interface field, select the interface to the external (public) network." Alright, select Wan1 and click OK.

Now for the firewall policy. Create New. Source Interface/Zone: Select the FortiGate interface that accepts connections from remote users. OK, Wan1. Address Name select all. Destination Interface/Zone: Select the FortiGate interface to the local private network (for example, dmz). OK, Internal. Address Name: Select the IP destination address that you defined previously (for example, Subnet_1). Whoops, I can't select that, it's assigned to Wan1. Guess I should have selected Internal when defining the address group. Back to that page and change Wan1 to Internal. Now I can select it in the destination address name. No mention of schedule in the step-by-step instructions, guess I'll select always. Service Any, Action SSL-VPN. SSL Client Certificate Restrictive un-checked, Cipher strength Any, User Authentication method Any, add my test group under Allowed, don't touch anything else and click OK.

Off to the SSL VPN tab, log in, activate tunnel mode. Ipconfig /all returns the same as before. All my tests yield the same result as before. Sigh. Rwpatterson says I need a static route, so off to that page. Static Route, Create new, Destination IP/Mask 192.168.32.0/255.255.255.0. Device ssl.root. Gateway goes inactive, contains 0.0.0.0. Distance I dunno, I'll leave it at 10. Click OK. Back to the SSL VPN tab, log off, log in, activate tunnel mode. Yippee! It's exactly the same as before. Same ipconfig /all as before, can't display http://192.168.0.250 except through the test on the SSL VPN page, can't connect to http://companyweb, can't ping the server IP except through the SSL VPN page, can't see my mapped network drives, can't do much of anything useful. And as an extra bonus ... I can't connect to anything on the Internet because split tunneling is off and I'm supposed to route all Internet traffic through the non-functional VPN!!
First of all, it is clear that SSL VPN works.
That remains to be demonstrated. It's not clear to me. I believe I've demonstrated that SSL VPN does not work if set up according to the Fortigate documentation.
rwpatterson
Valued Contributor III

You have the Actiontec (or DLink) router AND the Fortigate working together? OK, for my SSL VPN to work, I did the following:
Enabled SSL VPN from the 'VPN > SSL' main page
Created a user (User > Local)
Created a user group (User > Group, type SSL VPN)
   In the advanced, I specified the tunnel IP range
Added the user to the group
Created policies to use the SSL VPN:
   External port to ssl.root (source must be 'all', not a host or subnet)
   ssl.root to internal servers/networks
Created a static route back to the SSL VPN client:
   192.168.x.x, gateway ssl.root
Went out, logged in, and life was good.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
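The steps rwpatterson lists above, written out as FortiGate CLI rather than GUI clicks. This is an added example, not configuration posted by anyone in this thread and not Fortinet's documentation; the syntax is the FortiOS 4.x form (identity-based policy with `action ssl-vpn`, `config identity-based-policy`), which may differ on the 3.0 MR7 build the original poster is running. Interface names (wan1, internal, ssl.root), the address object SSL_Destinations, the 192.168.0.0/24 LAN and port 10443 come from the thread; the LDAP server name SBS_LDAP, the group name SSL_Users, the LDAP base DN and the 192.168.32.0/24 tunnel pool are constructed placeholders. The tunnel pool is deliberately placed in its own subnet so that the static route back to the clients points at ssl.root without overlapping the subnet that is directly connected on internal.

```fortios
# --- Authentication source (placeholder values) ---
config user ldap
    edit "SBS_LDAP"
        set server "192.168.0.250"            # SBS server from the thread
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"          # constructed; use your own base DN
    next
end

# --- SSL VPN user group; tunnel range lives on the group (rwpatterson's layout) ---
config user group
    edit "SSL_Users"
        set member "SBS_LDAP"
        set sslvpn-tunnel enable
        set sslvpn-tunnel-startip 192.168.32.1     # constructed pool, own subnet
        set sslvpn-tunnel-endip 192.168.32.50
    next
end

# --- Enable the SSL VPN portal on the port the thread uses ---
config vpn ssl settings
    set sslvpn-enable enable
    set port 10443
end

# --- Address objects ---
config firewall address
    edit "SSL_Destinations"
        set subnet 192.168.0.0 255.255.255.0
        set associated-interface "internal"   # the thread's fix: bind to internal, not wan1
    next
    edit "SSL_Tunnel_Clients"
        set subnet 192.168.32.0 255.255.255.0
        set associated-interface "ssl.root"
    next
end

# --- Policies ---
config firewall policy
    # 1. Remote users hit wan1; source must be "all", action ssl-vpn.
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "SSL_Destinations"
        set action ssl-vpn
        config identity-based-policy
            edit 1
                set groups "SSL_Users"
                set schedule "always"
                set service "ANY"
            next
        end
    next
    # 2. Tunnel-mode traffic arrives on ssl.root and is forwarded to the LAN.
    edit 2
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSL_Tunnel_Clients"
        set dstaddr "SSL_Destinations"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# --- Return route to the tunnel clients: ssl.root is the device, not a gateway IP ---
config router static
    edit 10
        set dst 192.168.32.0 255.255.255.0
        set device "ssl.root"
    next
end
```

The two things the thread trips over are both visible here: the return route names ssl.root as the outgoing device (a gateway address is not accepted, as the original poster found), and the destination address object must be associated with the internal interface or the GUI will not offer it as a destination in the wan1-to-internal policy.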

Jon_Fleming

Well, that's certainly nothing like what the Fortinet documentation says. I attempted to implement that. ssl.root is not a valid entry in the gateway of a route, but it is a valid device. Now there's no response at all from the Fortigate on the SSL VPN gateway at https://192.168.16.16:10443/. See http://i2.photobucket.com/albums/y10/JonF/User.png http://i2.photobucket.com/albums/y10/JonF/User_Group.png http://i2.photobucket.com/albums/y10/JonF/SSL_VPN.png http://i2.photobucket.com/albums/y10/JonF/SSL_Destinations.png http://i2.photobucket.com/albums/y10/JonF/Policy_1.png http://i2.photobucket.com/albums/y10/JonF/Policy_2.png http://i2.photobucket.com/albums/y10/JonF/Policy_3.png http://i2.photobucket.com/albums/y10/JonF/Route.png
rwpatterson
Valued Contributor III

ORIGINAL: Jon Fleming
I attempted to implement that. ssl.root is not a valid entry in the gateway of a route, but it is a valid device.
You are correct. Was from the top of my head. Policy number 4 (here) should have the SSL-VPN action, not accept. Also, I left the tunnel IP range blank on the main page, and defined them in the advanced section of the user group. This allows me to filter access by user group.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming

Oh and yes, I do have the Actiontec and the Fortigate working together ... in series, if you will.
Jon_Fleming
New Contributor

OK, after changing policy 4 it is closer but not working. I get the login screen and successfully log in. None of the connections on the screen work, using my server's 192.168.0.250 IP address. If I activate SSL-VPN Tunnel it shows as connected, but after about 8 seconds it shows disconnected and then returns to the login screen. During that 8 seconds of connection ipconfig does not show the fortissl (or whatever it should be) adapter. I've tried modifying the Idle Timeout on the VPN | SSL | Config screen with no effect. I added an internal -> ssl.root firewall rule, with action Accept and with action SSL-VPN, and it had no effect.
rwpatterson
Valued Contributor III

This isn't gonna make you happy. There is a known bug with MR7 and the SSL VPN that does what you describe. You have to back down to MR6Px for a stable SSL VPN connection. Sorry to be the bearer of (more) bad news....

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming
New Contributor

Oh, carp. And I let the support run out. Now I have to pay ...