Hello guys, I just want to let you up to date.

 

I spend the all day on my topic yesterday and now I'm able to connect to my French site by SSL VPN. Unfortunately, I'm still not able to do it by IPsec VPN and I didn't managed to connect to my Chinese site at all.

 

I made several changes and tries. Below are the working settings of the SSL VPN.

 

LDAP server:

[ol]

Server IP: 200.200.200.10

Server port: 389

Common name identifier: samaccountname

Distinguished name: ou=xxx,dc=xxx

Bind type: Regular

User name: CN=xxx,CN=Users,DC=xxx,DC=local

Password: xxxx[/ol]

Test the connectivity and it works well.

 

Users:

[ol]

User definition: Remote LDAP users imported from the LDAP server.

User group: type firewall with the necessary members[/ol]

I defined it so because I read somewhere that FortiGate as difficulty with LDAP group which include sub group only and not directly the member.

 

Addresses:

[ol]

I defined a new IP range of addresses for the SSL VPN with the SSL interface on it.

I also defined a subnet for the SSL VPN with the SSL interface and static route configuration.[/ol]

 

Port:

[ol]

First put the admin https port to 10443 in system setting.[/ol]

 

SSL Portal

[ol]

I deleted all portal and created new ones:

For tunnel_access[ol]

Limit User to one SSL-VPN connection at a time: enable

Tunnel mode: enable

Enable split tunneling: disable

Source IP pools: The range crated before.

Allow client to save password: enable

Allow client to connect automatically: enable

Allow client to keep connection alive: enable

Enable web mode: disable

Enable FortiClient download: enable

Customize download location: disable[/ol][/ol]

 

SSL settings:

[ol]

Listen on interface:  Wan

Port: 443 (my web mode is listening at https://192.168.1.1 which is not my public IP)

Redirect HTTP to SSL-VPN: disable

Restrict access: Allow access from any host

Idle Logout: enable / inactive for 3600 Seconds (default was 300 but my connection was droping down and after this change everything works well)

Server certificate: Fortinet_Factory

Require Client Certificate:  disable

Address Range: Specify custom IP range: The range crated before.

DNS Server: specify: 200.200.200.10 and 100.100.100.10 (those are my 2 internal DNS server on each site. The sites are connected with a gateway to gateway tunnel. I specify DNS because the FortiGate DNS server is set to fortiguard server, as I use DDNS for the gateway to gateway VPN)

Specify WINS servers: disable

Allow endpoint Registration: disable

Authentication/ Portal mapping: SSL users – tunnel_access and all other user - web_access[/ol]

 

IPV4 Policy:

[ol]

SSL Client to internet[ol]

Incoming interface: SSL VPN tunnel

Outgoing interface: Wan

Source: address all / group: SSL users

Destination: all

Schedule: always

Services: All

Action: accept

Nat: enable

IP pool configuration: Use outgoing interface address

Security profiles: all disable (I plan to set up my security profile after everything is working well. It will be easier to troubleshot as the security profile can block some access)

Enable this policy: enable[/ol]

SSL Client to Lan[ol]

Incoming interface: SSL VPN tunnel

Outgoing interface: lan

Source: address all / group: SSL users

Destination: FR_local

Schedule: always

Services: All

Action: accept

Nat: enable

IP pool configuration: Use outgoing interface address

Security profiles: all disable (I plan to set up my security profile after everything is working well. It will be easier to troubleshot as the security profile can block some access)

Enable this policy: enable[/ol][/ol]

 

Static routes:

[ol]

Destination: named address: the subnet created before (with static route)

Gateway: 0.0.0.0

Interface: SSL VPN tunnel

Administrative distance: 10 (default value)

Status: enable

Priority: 1 (my gateway to gateway static route have priority 0)[/ol]

 

Result with FortiClient 6.0.8.0261, I can connect to my French site. I’m actually in China so the result is pretty slow, but it works.

 

Next step is to duplicate those setting to the Chinese site, the difference would be the DDNS setting in FortiClient. After couple of minutes to set everything the result is still not able to connect. So, I checked if other settings were different between both FortiGate. And I found few of it.

 

I figured out in the address object that the French FortiGate has 2 additional address compare to the Chinese one.

Name: Auth.gfx.ms – type: FQDN – details: auth.gfx.ms – ref: 1 to deep-inspection

Name: softwareupdate.vmware.com- type: FQDN – Details: softwareupdate.vmware.com - ref: 1 to deep-inspection

 

These 2 addresses are also listed in the Wildcard FQDN and refer to deep-inspection SSL. It took me a while to remember that when I was setting up my site to site VPN I called the support and we made those changes with the CLI console.

 

 Unfortunately, I’m not able to do it again to the other FortiGate. I’ll try to figure it out.

 

But so far, I can say that I’m not able to connect to my Chinese site by SSL due to one of this 3 things:

 

The Chinese site is behind the China telecom box and the box doesn’t allow the access.

The Chinese site as dynamic IP and FortiClient doesn’t resolve the FQDN IP

The deep inspection isn’t working on the Chinese site.

 

Concerning the IPsec VPN none of them are working. I read somewhere that’s due to the great Chinese firewall and that only SSL will work. That’s the reason I focus on the SSL access. But I assume that’s not really true, due to the fact that I have one site to site IPsec VPN working well.

 

See you later for further update.

Some more update Today,

So today I play around with the FQDN difference between my Chinese FTG and my French one.

So, as the 2 FQDN was linked to the deep inspection profile which I cannot change in the 5.6 firmware, I decided to downgrade to 5.4.13 both FortiGate.

After play around a bit, I figured out that if the address auth.gfx.ms is in a wildcard address then I cannot bring up my site to site VPN. But if the address is in a normal FQDN then it’s working. So, I set on both FortiGate the auth.gfx.ms and the softwareupdate.vmware.com addresses as FQDN and then link again to the deep inspection profile.

With those change my site to site VPN is working and I can connect to the French site with SSL VPN. But still nothing possible on the Chinese site.

Then, as I was playing with firmware, I decided to update both FortiGate to the last release 6.2.3. and play around a bit more but still nothing possible. Several changes in the GUI on 6.2.3 and the address auth.gfx.ms simply disappear of the address list.

I have no idea what is that but I won’t care much any longer. Now I’ll focus on checking the ISP box (which are router) settings. In France I have no problem to change thing as I get the access but in China no access to the box management. I’ll contact the ISP tomorrow.

Monday Update,

This morning I checked my ISP box configuration and guess what?  I found something! The guy who installed the FortiGate in France set up the FortiGate on a DMZ (DMZ compare to the ISP box) and set up some port forwarding on the ISP box. I wasn’t aware of it. So, that was the reason I was able to connect in France by SSL.

So today I called China telecom and asked them to allow me to do some port forwarding in their box. They refuse to give me the access to set it up. But they did accept to set up the box in bridge mode. They did it remotely in 5 min and send me the PPPoE account and password. Before their box was connecting in DHCP but it seems that they only allow the bridge mode with PPPoE account. However weird is that, after set up the PPPoE account on the WAN interface, I could access my Chinese site with SSL VPN.

In order to simplify my life during maintenance I try to set up the French ISP box in bridge mode as well and have a symmetric configuration. But unfortunately, the ISP box (BBox of Bouygues Telecom) doesn’t support bridge mode.

To resume, now I have my site-to-site VPN working and I can access both site with SSL VPN. Which is what I needed. So, my problem is solved in somehow even I’m still unable to bring up the IPsec VPN on both sites and the ISP box on each site have different settings.

By curiosity I’ll try to find out why I’m not able to access my sites by IPsec VPN. I read many post on the web, that is due to the Chinese great firewall. But I don’t believe it mush as my site-to-site VPN is IPsec and working.

Hello forum,

 

Some update concerning last week.

As I told you I’m now able to connect my client with with Forticlient by SSL VPN. Unfortunately, the SSL VPN was going down every 5 min. After I read this post, https://forum.fortinet.com/tm.aspx?m=153209, I try to apply this fix:

 

config system interface   edit <name>     set preserve-session-route enable   next end

 

but I got the message

Attribute 'vdom' MUST be set.
Command fail. Return code 1

 

I didn’t set any Vdom on my fortigate so that was wierd.

 

By curiosity I try to set the Vdom attribute

 

Config Vdom   edit <vdom name>

 

Without success. ☹ So, I decided to set up Vdom in order to be able to apply the fix. My skills weren’t good enough and I didn’t have enough patience to read the Vdom cookbook. So, I messed up completely my FortiGate and nothing was working any more. Then I decided to make a factory reset. And apply all my configuration again.

And by this, now, I’m able to connect by SSL VPN and IPsec VPN to my chinese site.

I don’t know what happen in between, what the factory reset clean up but now I have my site to site VPN, my SSL VPN and my IPsec Dialup VPN working with my chinese site.

One thing I still don't get is that my VPN setting are the same in China and in France but I still cannot access my french site with IPsec dialup connection. So, I think I'll do the same factory reset to my french fortigate and reapply my configuration to see if it solve my IPsec issue.

Hi Alex,

 

Very interesting the post  you are writing. Don't forget to check also CookBooks receips (https://cookbook.fortinet.com/vpns/  and choose your FortiOS version ) and blogs - e.g. FortinetGuru 

 

About IPSEC , this is using multiple ports and protocols which all should be allowed ( re port forward from ISP in France).

 

Protocol: UDP, port 500 (for IKE, to manage encryption keys)Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode)Protocol: ESP, value 50 (for IPSEC)Protocol: AH, value 51 (for IPSEC)[/ul]

Kind regards,

Adi