VernalCityIT
New Contributor

SSL-VPN not allowing IPv6 connections after setting to "Limit access to specific hosts"

I am attempting to limit access to our SSL-VPN to only specific IP addresses.  It works great for IPv4, but any clients on AT&T mobile internet don't work because they receive an IPv6 public IP address. 

 

Firewallsetting.jpg

 

I tried adding the public IPv6 addresses to the allowed hosts, but it still will not allow the connection; it just says "Unable to establish the VPN connection.  The VPN server may be unreachable"

 

For troubleshooting I added the "all" IPv6 addresses object to the allowed addresses group but it still will not allow a connection.  

 

I can't find in the logs where these blocked connections would be so that I can troubleshoot the issue.

 

My questions are:

Is there something else I need to do in the settings on the FortiGate-101F to allow these IPv6 connections?

Where would I find the logs of connections blocked by the "Limit access to specific hosts" setting?


7 REPLIES 7
dingjerry_FTNT

Hi @VernalCityIT ,

 

What interface on your FGT is listening for the SSL VPN connection? Do you have an IPv6 IP assigned to this interface?

Regards,

Jerry
VernalCityIT

It's a standard ethernet 1GBs IPv4 connection to our local ISP.  Our local ISP does not offer IPv6 addresses as far as I know.  But I would not think that would be an issue as it worked fine before I started restricting the addresses.

 

But, I could reach out to the ISP and see if they can give us an IPv6 address, if you think that would help.

dingjerry_FTNT

Hi @VernalCityIT ,

 

Do you mean that when there was no restricted address configured, the IPv6 end-user was able to connect to SSL VPN?

 

I don't think so.  If there is no IPv6 IP assigned to the interface listening to the SSL VPN connection, the interface will not accept the IPv6 SSL VPN connection.

Regards,

Jerry
VernalCityIT

Yes, when I had the setting like the image below, IPv6 clients connected fine.

Firewallsetting2.jpg

 

Dhruvin_patel

Greetings! 

 

This is the case once the user gets connected with IPv6. Can you share the output of

 get vpn ssl monitor

 

The interface shouldn't accept the connection if no IPv6 address is assigned to the listening interface configured in SSL VPN settings. 

 

 

 

Dhruvin Patel
VernalCityIT

I don't want to post the output of that command on a public forum because it shows our ip addresses but it appears you were right.

 

Even though whatsmyip showed an IPv6 address it is connecting to the VPN using an IPv4 address that I was able to get using that command.  If I put it in the allowed IPs group I am able to connect.  

This gives me enough information to solve my problem.  

Thank you!

Dhruvin_patel

Perfect!

 

That means it is connecting with IPv4, and if you restrict that IPv4 address, it will not allow an sslvpn connection to form.

 

I'm glad you got the answer.

 

Best Regards!

Dhruvin Patel
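
The point the thread arrives at, as an added example (not from the original posts and not Fortinet code): an allowed-hosts entry can only match if the listening interface has an address in the same family, so the source to allowlist is the one the firewall actually sees. The function name `audit_allowlist` is hypothetical and every address below is constructed from documentation ranges.

```python
import ipaddress


def audit_allowlist(listener_addrs, allowlist, observed_sources):
    """Return (dead_entries, verdicts) for a source-address allowlist.

    listener_addrs:   addresses on the interface that listens for the VPN
    allowlist:        hosts/networks permitted to connect
    observed_sources: client source addresses as seen by the firewall
    """
    # Address families the listening interface can accept at all.
    families = {ipaddress.ip_address(a).version for a in listener_addrs}
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    # Entries in a family the listener does not serve can never match.
    dead = [str(n) for n in nets if n.version not in families]
    live = [n for n in nets if n.version in families]

    verdicts = {}
    for src in observed_sources:
        ip = ipaddress.ip_address(src)
        if ip.version not in families:
            verdicts[src] = "unreachable: listener has no IPv%d address" % ip.version
        elif any(ip in n for n in live if n.version == ip.version):
            verdicts[src] = "allowed"
        else:
            verdicts[src] = "blocked: add this source to the allowed hosts"
    return dead, verdicts


# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
LISTENER = ["203.0.113.10"]                      # IPv4-only WAN interface
ALLOWLIST = ["198.51.100.0/24",                  # office range
             "2001:db8:1::/48",                  # client's public IPv6 prefix
             "::/0"]                             # the "all" IPv6 object
OBSERVED = ["192.0.2.77",                        # mobile client's real IPv4 source
            "198.51.100.20",                     # office client
            "2001:db8:1::5"]                     # address a what-is-my-IP site showed

if __name__ == "__main__":
    dead, verdicts = audit_allowlist(LISTENER, ALLOWLIST, OBSERVED)
    print("entries that can never match:", dead)
    for src, verdict in verdicts.items():
        print(src, "->", verdict)
```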