I thought I followed all instructions to the letter, but my SSLVPN-portal is not available for the outside world.
If I add the internal port to the interface-list, I can reach the portal-pages from inside the network and I'm able to log on as I should, so everything there is working.
When I try to connect from the outside world, I get an 'unreachable'. Debugging the flow on the CLI, I notice that the packet is hitting rule 0 and is therefor blocked.
My config is as follows:
config firewall policy
edit 14
set srcintf "ssl.root"
set dstintf "switch"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "Local LAN"
set action accept
set schedule "always"
set service "ALL"
set groups "SSL_VPN_USERS"
set nat enable
next
end
config firewall policy
edit 15
set srcintf "ssl.root"
set dstintf "wan1"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set groups "SSL_VPN_USERS"
set nat enable
next
end
Other rules include forwarding of HTTP, HTTPS, SSH to two servers.
I am using a FortiGate 110C with OS version 5.2.5
Any suggestions?
Thanks in advance,
Dennis
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
As i see the issue is SSL-VPN portal page shows error 'Server Unreachable' from WAN and works fine from LAN.
Device is on v5.2
Please check if you have added the WAN interface in the authentication policy, option in CLI
config vpn ssl setting
shows full-config
<---------------check for authentication-rule, interface, should included WAN
The firewall policy that you have posted above will be required for sslvpn subnet access
Regards
Anil
Below the results from the 'show full-config'
config vpn ssl settings
set reqclientcert disable
set sslv2 disable
set sslv3 enable
set tlsv1-0 enable
set tlsv1-1 enable
set tlsv1-2 enable
set ssl-big-buffer disable
set ssl-insert-empty-fragment enable
set ssl-client-renegotiation disable
set force-two-factor-auth disable
set servercert "STAR_arkro-it_nl"
set algorithm default
set idle-timeout 300
set auth-timeout 28800
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set dns-suffix ''
set dns-server1 0.0.0.0
set dns-server2 0.0.0.0
set wins-server1 0.0.0.0
set wins-server2 0.0.0.0
set ipv6-dns-server1 ::
set ipv6-dns-server2 ::
set ipv6-wins-server1 ::
set ipv6-wins-server2 ::
set route-source-interface disable
set url-obscuration disable
set http-compression disable
set http-only-cookie enable
set port 10443
set port-precedence enable
set auto-tunnel-static-route enable
set source-interface "wan1"
set source-address "all"
set source-address-negate disable
set source-address6 "all"
set source-address6-negate disable
set default-portal "web-access"
config authentication-rule
edit 1
set groups "SSL_VPN_USERS"
set portal "full-access"
set realm ''
set client-cert disable
set cipher any
set auth any
next
end
end
The odd thing that strikes me is that the traffic is blocked by the default rule. If I add the local lan to the ports to listen to (so I get the message that it listens to 192.168.1.99:10443 *and* <externalip>:10443), I can connect from the inside. So basicly everything seems to be working.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.