Support Forum
IrbkOrrum
Contributor

SSLVPN on VDOM

I pressured my Fortinet rep into giving me a more fully functional trial license with some VDOMs so I could figure out how to configure VDOMs.  I've got the basic stuff configured.  I've figured out how to make the connections between the Root and the 2 VDOMs under the root.  I've figured out how to create a VIP from the root to 1 of the VDOMs for web hosting.  Now I'm trying to figure out SSLVPN.  One of my VDOMs will run SSLVPN (let's say VDOM-B).  I've followed the directions here https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-access-to-multiple-VDOMs/ta-p/2237... to tell that VDOM it's going to run on port 6443 as well as created all the rules shown in the link.  

This is all being done within EVE-NG, it's a purely secluded network, no real traffic gets in or out. 

On a system that I'm trying to 'vpn' with into FortiGate, if I try to browse to https://40.64.58.147:6443 (purely made-up IP; one of the great things about EVE-NG is the ability to use 'real' IPs) and I have a sniffer running, I see the traffic coming in on both the Root and VDOM-B.  However, I'm not seeing any traffic going back out and I never get a login page. 

When I check the SSL-VPN settings of VDOM-B, there is a message saying "the legacy SSL-VPN web mode feature is disabled globally.  Web mode will not be accessible in portals", so I figure 'ok, not really a site here, I'll try to connect with a VPN client'.  So I get a client within EVE-NG loaded up with the FortiClient VPN (7.4.1.1736 if it makes any difference) and then I configure the VPN settings.  I tell it the remote gateway is 40.64.58.147, I check customize port and put in 6443.  I tell the FortiClient VPN to connect and it flashes for a second and then nothing.  I don't even think it's trying to connect.  The FortiClient logs are useless, even on debug.  They just say 'client disconnected'.  When I have a debug running on root, I don't even see a connection attempt being made to the FortiGate, so I think the FortiClient VPN isn't even trying to connect. 

Any ideas?  

dingjerry_FTNT

Hi @IrbkOrrum ,

1) By default, FGT has 10 VDOMs for you to use.

2) Info is not clear:

When FortiClient connects to that 40.64.58.147 IP, where is it?  Is it in VDOM-B?  Will the traffic flow pass through the root VDOM?

3) Please capture debug outputs with the following in VDOM-B if 40.64.58.147 IP is in it:

diag debug application sslvpn -1
di de enable

Then please replicate the issue to get some outputs.

4) Then please run the following commands again to get more debug outputs:

diag debug application sslvpn 0
diag debug disable
diag debug flow show iprope enable
diag debug flow filter port 6443
diag debug flow trace start 1000
diag debug enable

Then please replicate this issue to get the outputs.

Regards,

Jerry
IrbkOrrum

1) No, in the perpetual trial license you only get 2 VDOMs, 1 traffic VDOM and 1 management VDOM.  In the more fully functional 2-month license Fortinet gave me, there were still only 2 VDOMs.  They had to give me a license for 5 VDOMs before I was able to start configuring anything.

2) "Root" VDOM is where all 'physical' interfaces are plugged in.  All traffic must run through the Root VDOM.

 

3) As it is EVE-NG, I cannot copy and paste.  One of the downfalls of EVE-NG is the inability to copy/paste into or out of it.  I can supply screenshots, but I can save you the trouble.  There is nothing shown when the FortiClient attempts to connect.  I'm fairly sure that FortiClient isn't even making the connection.  I'm not sure if perhaps FortiClient needs to "phone home" to Fortinet before it will make any kind of connection attempt; it has no 'real' internet access, so it cannot do any kind of 'phone home'.

IrbkOrrum
Contributor

Ok, well, true to Fortinet fashion, it seems the https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-access-to-multiple-VDOMs/ta-p/2237... sort of left out the part about creating the firewall rule on VDOM-B as well; they just told you to create the firewall rule on the Root.  So I'm at least able to hit a webpage now (after I set 'sslvpn-web-mode enable' under the global VDOM).  But the FortiClient still doesn't look like it even tries to connect.

dingjerry_FTNT

In the KB article, in the "Setup SSL-VPN on each internal VDOM" section, it is said:

Create the SSL-VPN policy accordingly.

If it still does not connect, please run the commands and steps I provided.

Regards,

Jerry
dingjerry_FTNT

Or at least please attach the FGT config

Regards,

Jerry
IrbkOrrum

Again, as this is eve-ng, I cannot copy/paste configuration nor copy/paste any file into or out of the system.

IrbkOrrum

I'm sorry, I likely missed that.  Since it is a step-by-step guide, one would not expect it to gloss over a fairly major step, especially when it's somewhat of a special setup, using the SSL-VPN tunnel interface as an incoming interface.


As stated, there is nothing shown in the debug as I am fairly sure that FortiClient isn't even trying.

dingjerry_FTNT

I think I now may understand your scenario better:

Is the traffic flow like this:

FCT hits the 40.64.58.147 IP in the root VDOM, and you have one VIP configured in the root VDOM for the 40.64.58.147 IP pointing to the VDOM-B inter-VDOM link for the SSL VPN connection.

If so, please run the debug flow or sniffer packet on port 6443 in the root VDOM.  Maybe the sniffer packet is enough; I want to see the traffic flow first:

diag sniffer packet any 'port 6443' 4

Regards,

Jerry
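The traffic flow Jerry describes above, and the VDOM-B policy the original poster found missing from the KB article, put together as one FortiOS CLI configuration. This is an added example, not configuration from the thread or from Fortinet's KB article. The public IP 40.64.58.147 and port 6443 are the values used in the thread; everything else is assumed: physical WAN interface port1 in root, an inter-VDOM link named rootB (interfaces rootB0 in root and rootB1 in VDOM-B, 10.255.0.0/30), an internal interface port2 in VDOM-B, and the user, group and object names.

```text
# Added example (not from the thread or the KB article). Assumed names:
# port1 = WAN in root, rootB0/rootB1 = inter-VDOM link, port2 = VDOM-B
# internal interface, vpnuser/sslvpn-users = lab credentials.
# 40.64.58.147 and port 6443 are the values used in the thread.

config global
    config system global
        set sslvpn-web-mode enable     # only needed for the browser test
    end
    config system vdom-link
        edit "rootB"
        next
    end
    config system interface
        edit "rootB0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "rootB1"
            set vdom "VDOM-B"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

config vdom
    edit root
        config firewall service custom
            edit "SSLVPN-6443"
                set tcp-portrange 6443
            next
        end
        config firewall vip
            edit "vip-sslvpn-vdomB"
                set extip 40.64.58.147
                set extintf "port1"
                set portforward enable
                set mappedip "10.255.0.2"
                set extport 6443
                set mappedport 6443
            next
        end
        config firewall policy
            edit 0
                set srcintf "port1"
                set dstintf "rootB0"
                set action accept
                set srcaddr "all"
                set dstaddr "vip-sslvpn-vdomB"
                set schedule "always"
                set service "SSLVPN-6443"
            next
        end
    next
    edit VDOM-B
        config user local
            edit "vpnuser"
                set type password
                set passwd "ChangeMe-Lab-Only"
            next
        end
        config user group
            edit "sslvpn-users"
                set member "vpnuser"
            next
        end
        config vpn ssl web portal
            edit "full-access"
                set tunnel-mode enable
                set ip-pools "SSLVPN_TUNNEL_ADDR1"
            next
        end
        config vpn ssl settings
            set servercert "Fortinet_Factory"
            set port 6443
            set source-interface "rootB1"
            set source-address "all"
            set default-portal "full-access"
        end
        # The step the poster found missing: the policy on VDOM-B itself.
        config firewall policy
            edit 0
                set srcintf "ssl.VDOM-B"
                set dstintf "port2"
                set action accept
                set srcaddr "SSLVPN_TUNNEL_ADDR1"
                set dstaddr "all"
                set groups "sslvpn-users"
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Two points worth checking against this layout. First, FortiOS does not start listening for SSL VPN in a VDOM until a policy whose source interface is ssl.<vdom> exists, which is consistent with the thread's observation that traffic arrived in both VDOMs but nothing was sent back until the VDOM-B policy was added. Second, with this configuration the sniffer Jerry asked for (diag sniffer packet any 'port 6443' 4, run in VDOM-B) should show the SYN arriving on rootB1 for 10.255.0.2.6443 and the SYN/ACK leaving on rootB1; if the SYN is seen but no reply leaves, check `set source-interface` and the ssl.VDOM-B policy before looking at FortiClient. The password above is a lab placeholder and must be replaced.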
Toshi_Esumi

VDOMs are basically independent routers/FWs, including the root VDOM. If VDOM-B is accessible from outside only through the root VDOM, of course you have to have a pair of policies to pass the traffic through.
But why do you need to have the FortiClient VPN inside of your EVE-NG environment? Although I have no idea what EVE-NG is and how it would work, I think the problem is coming from the environment the FortiClient was installed in. Why can't you set up another simple Windows or Mac machine to have the client, then just connect to your server environment network-wise? That's closer to your final goal.

Toshi
