Jon_Fleming
New Contributor

Netmask preventing SSL VPN tunnel from working?

Fortigate 50B 3.00-b0726(MR7). Since there are sometimes issues with my IPSec VPN, I thought I'd try out an SSL VPN. I set it up per the documentation: a user group that is authenticated by my LDAP server, an "SSL Internal network" address of 192.168.0.0/255.255.255.0, a tunnel IP range of 192.168.0.8-192.168.0.49 which is outside my DHCP server's range, and a firewall policy from WAN1/any to internal/"SSL Internal network" always/any/SSL VPN and the LDAP user group allowed. I can connect using IE7 as advertised and activate the tunnel and get an IP and DNS server and WINS server and whatnot EXCEPT ... The fortissl adapter gets a subnet mask of 255.255.255.255. So even though I have a 192.168.0.8 IP I can't connect to anything on the internal network. If I try "Test for Reachability (ping)" in IE to 192.168.0.250, a popup advises me that it's reachable. If I ping 192.168.0.250 at the command line, I get four timeouts. What have I missed?
rwpatterson
Valued Contributor III

Always keep the older versions...ya never know...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming

Sigh. OK, I downgraded to MR6 patch 3. All settings are as I posted previously. Now I can get a stable SSL VPN tunnel, and I can even log in with my LDAP username. But other than that it ain't working. None of the tests work. E.g. test for reachability gives me "192.168.0.250 is not reachable because of permission denied". And ping from the command line times out. Of course I can't connect to any internal resources. And I can't even connect to any site anywhere, because I can't turn on split tunneling in the Fortigate!! Any attempt to do so results in "destination address of split tunneling policy is invalid". I've tried leaving the destination address range blank, I've tried filling in our internal network, and I've tried filling in the SSL VPN IP range (192.168.32.1-192.168.32.255). What other range is possible??? Boy, if Fortinet made an IPSec VPN client that worked under Vista, I'd give up on this SSL business. An up-to-date IPCONFIG:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : JON
   Primary Dns Suffix  . . . . . . . : BioProcessConsultants.local
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : BioProcessConsultants.local
                                       BPTC-Guest

PPP adapter fortissl:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : fortissl
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.32.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.0.250
                                       192.168.0.250
   Primary WINS Server . . . . . . . : 192.168.0.250
   Secondary WINS Server . . . . . . : 192.168.0.250
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : BPTC-Guest
   Description . . . . . . . . . . . : Realtek RTL8101E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
   Physical Address. . . . . . . . . : 00-1B-38-4B-CB-D0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::916:e53f:6e62:c5e8%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.16.66(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, October 25, 2008 9:43:49 AM
   Lease Expires . . . . . . . . . . : Sunday, October 26, 2008 9:43:48 AM
   Default Gateway . . . . . . . . . : 192.168.16.1
   DHCP Server . . . . . . . . . . . : 192.168.16.1
   DHCPv6 IAID . . . . . . . . . . . : 184556344
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-31-35-C8-00-1B-38-4B-CB-D0
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
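An added model (not from the thread or from Fortinet) of how the Windows routing table implied by the ipconfig above decides where a packet to 192.168.0.250 leaves the laptop: the 255.255.255.255 mask on the PPP adapter is normal for a point-to-point link and is not by itself what blocks the internal network; what decides is whether a route for 192.168.0.0/24 (split tunnel) or a default route (full tunnel) points at fortissl. The route metrics and the meaning assigned to "Default Gateway 0.0.0.0" are assumptions.

```python
import ipaddress

# Constructed model of the Windows IPv4 routing table implied by the ipconfig
# output in this thread. The metric values are assumptions, not from the post.
LAN_GW = "192.168.16.1"
BASE_TABLE = [
    # (destination, gateway, interface, metric)
    ("0.0.0.0/0", LAN_GW, "Local Area Connection", 20),
    ("192.168.16.0/24", "on-link", "Local Area Connection", 20),
    ("192.168.32.1/32", "on-link", "fortissl", 10),  # the /32 host route from the PPP adapter
]

# Route the FortiGate would push when split tunneling covers the "SSL Internal network".
SPLIT_ROUTE = ("192.168.0.0/24", "on-link", "fortissl", 10)
# Default route via the tunnel; assumed here to be what "Default Gateway 0.0.0.0"
# on a Windows PPP adapter corresponds to (full tunnel, no split tunneling).
FULL_TUNNEL_ROUTE = ("0.0.0.0/0", "on-link", "fortissl", 10)


def lookup(dst, extra_routes=()):
    """Longest-prefix match; a lower metric breaks ties. Returns (dest, gw, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, iface, metric in list(BASE_TABLE) + list(extra_routes):
        net = ipaddress.ip_network(dest)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix wins, then lower metric
        if best is None or key > best[0]:
            best = (key, (dest, gw, iface))
    return best[1] if best else None


def egress_interface(dst, extra_routes=()):
    """Interface a packet to dst leaves on under the modelled table."""
    route = lookup(dst, extra_routes)
    return route[2] if route else None


if __name__ == "__main__":
    for dst in ("192.168.0.250", "203.0.113.10"):  # internal server, arbitrary Internet host
        print(dst, "no split tunnel ->", egress_interface(dst))
        print(dst, "split tunnel    ->", egress_interface(dst, [SPLIT_ROUTE]))
        print(dst, "full tunnel     ->", egress_interface(dst, [FULL_TUNNEL_ROUTE]))
```

With only the /32 host route on fortissl, the ping to 192.168.0.250 follows the LAN default gateway and never enters the tunnel, which matches the timeouts reported above.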
rwpatterson
Valued Contributor III

OK, in the main SSL VPN setup window, wipe out the SSL VPN tunnel range. In the advanced section of the user group, insert the range in there. That works for me. Also, what are your policies again? Your photobucket images won't load. You should have:
  • wanx/all -> ssl.root/all policy
  • ssl.root/[ip|subnet|range] -> interface/network entity(s) policy
  • static route for 192.168.32.x/y -> ssl.root
  • for Internet browsing through the tunnel, add an ssl.root/192.168.32.x -> wanx/all (NAT enabled) policy
In the second is where I break out the access rules. Create an address group that is the same as the user group tunnel range and use this as the source. Only the IPs matching that user group will be able to get through this policy. Good luck. (Glad you got the version thing straightened out.)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming

> OK, in the main SSL VPN setup window, wipe out the SSL VPN tunnel range
Leaving it blank is not allowed. "Invalid IP Address" error.
> Also, what are your policies again?
The images are loading for me.
  • Firewall policy internal all -> wan1 all, always, any, IPSEC, VPN tunnel VPN 1 phase 1
  • Firewall policy internal all -> wan1 all, always, any, accept
  • Firewall policy ssl.root all -> internal all, always, any, accept
  • Firewall policy wan1 all -> internal Forwards to BPTC Server, always, any, accept
  • Firewall policy wan1 all -> ssl.root all, always, any, SSL VPN
  • Static route 0.0.0.0/0.0.0.0 device wan1 gateway 192.168.16.16 (the external IP of the Fortigate) distance 10
  • Static route 192.168.0.0/255.255.255.0 (my real internal network) device ssl root gateway 0.0.0.0 (grayed out) distance 10 (same as my other static route)
I changed the last static route to 192.168.32.0/25.255.255.0 (the SSL IP range) and it made no difference. Is my other static route interfering? Didn't somebody post up-thread that "it is clear that SSL VPN works"??
rwpatterson
Valued Contributor III

OK, the main SSL VPN tunnel range, set to 0.0.0.0, 0.0.0.0. In a minute, I can set you up in my Fortigate, to browse the web....It works for me.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming

Well, I sort of believe you ... but it appears that nobody can describe how to set it up from scratch.
rwpatterson
Valued Contributor III

When you are on your interim (192.168.16.x) network, what's your default gateway? Actiontec or Fortinet? (or both) From the Internet, can you reach your Fortigate through the Actiontec?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming

Changing the tunnel IP range to 0.0.0.0-0.0.0.0 in SSL VPN results in being unable to activate the tunnel. I can connect through the browser, but all of the tests still fail. On the interim network, gateway is the Actiontec at 192.168.0.1 (see ipconfig above). I usually don't have remote management set up through the Actiontec, but I have done it in the past and I've set it up temporarily now. You're welcome to take a look. Check your gmail.
rwpatterson
Valued Contributor III

Do you have an XP machine laying around? Give that a shot.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Jon_Fleming

Got one at home. (also got a VM file on my Vista laptop, but it's a little underpowered for running a VM)