IrbkOrrum
New Contributor III

SSLVPN on VDOM

I pressured my Fortinet rep into giving me a more fully functional trial license with some VDOMs so I could figure out how to configure VDOMs. I've got the basic stuff configured. I've figured out how to make the connections between the root and the 2 VDOMs under the root. I've figured out how to create a VIP from the root to 1 of the VDOMs for web hosting. Now I'm trying to figure out SSLVPN. One of my VDOMs will run SSLVPN (let's say VDOM-B). I've followed the directions here https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-access-to-multiple-VDOMs/ta-p/2237... to tell that VDOM it's going to run on port 6443, and created all the rules shown in the link.

This is all being done within EVE-NG, it's a purely secluded network, no real traffic gets in or out. 

On a system that I'm trying to 'vpn' with into the FortiGate, if I try to browse to https://40.64.58.147:6443 (a purely made-up IP; one of the great things about EVE-NG is the ability to use 'real' IPs) and I have a sniffer running, I see the traffic coming in on both the root and VDOM-B. However, I'm not seeing any traffic going back out, and I never get a login page.

When I check the SSL-VPN settings of VDOM-B, there is a message saying "the legacy SSL-VPN web mode feature is disabled globally. Web mode will not be accessible in portals", so I figure 'ok, not really a site here, I'll try to connect with a VPN client'. So I get a client within EVE-NG loaded up with the FortiClient VPN (7.4.1.1736, if it makes any difference) and then I configure the VPN settings. I tell it the remote gateway is 40.64.58.147, I check "customize port" and put in 6443. I tell the FortiClient VPN to connect and it flashes for a second and then nothing. I don't even think it's trying to connect. The FortiClient logs are useless, even on debug. They just say 'client disconnected'. When I have a debug running on root, I don't even see a connection attempt being made to the FortiGate, so I think the FortiClient VPN isn't even trying to connect.

Any ideas?  

IrbkOrrum

https://www.eve-ng.net/
It's a very powerful tool to lab up networks from multiple vendors. It is completely self-contained, so no traffic gets in or out, which prevents you from accidentally doing something that could break production. It also allows me to create labs with lots of different 'hardware' without needing lots of physical hardware. Unless the FortiClient is trying to 'phone home' before it makes the connection to the remote gateway, the lab environment is not the issue. I've used this same setup before with other vendors' SSLVPN clients and had great success.

I need the FortiClient to be within EVE-NG because EVE-NG is a completely self-contained environment, so no traffic gets in or out. The FortiClient is running on a Windows 2016 server as far as it's concerned, because it's a Windows 2016 VM within EVE-NG.
The lab environment within EVE-NG will actually allow me to get closer to the final goal than anything else.

Toshi_Esumi

Then I would shut up since I have no experience with EVE-NG.

Toshi

IrbkOrrum

You can ignore the fact that it's in EVE-NG if you have suggestions.

Even doing a debug on the local firewall shows me 0 traffic coming from the server, so my guess is something is bad with the FortiClient.

dingjerry_FTNT

You reminded me. You may need to turn on this key in the Windows Registry Editor (I hope you are using Windows):

[screenshot of the registry key, not reproduced]

Regards,

Jerry
IrbkOrrum

That sounds like it might be up the right alley, but I'm not seeing that registry setting under HKLM\Software\Fortinet\FortiClient\FA_VPN; actually, I don't see anything under that key. Is it something that needs to be made, or perhaps it's under a different folder in my version?

*****EDIT*****

I manually made the registry key. Seems like that did the trick. The FortiClient at least tries to make the connection now. It's still not making a connection, but it's at least trying. Running a diag sniffer on the VPN side, I see traffic bound for the IP though, SYNs and SYN-ACKs.

di de app sslvpn -1 gives me this:

[Screenshot_1.jpg: output of di de app sslvpn -1, not reproduced]

As for the other debugs, it's a lot of screenshots.

[Screenshot_2.jpg] [Screenshot_3.jpg] [Screenshot_4.jpg]

IrbkOrrum

Further screenshots:

[Screenshot_5.jpg] [Screenshot_6.jpg] [Screenshot_7.jpg]

dingjerry_FTNT

At the very first, you said that you were accessing SSL VPN on port 6443, but in the screenshots it is port 443, not port 6443. I think that this is the reason why your SSL VPN did not connect.

Regards,

Jerry
IrbkOrrum

I'd changed to 443 earlier during troubleshooting to see if the off-port was the issue. It's 443 now.

vbandha
Staff

Hello @IrbkOrrum

Regarding your query, you should be able to open the SSL VPN login page through a browser even if web mode is disabled.

That would be a good tool to use for testing.

Can you show the sniffer output you were seeing in both VDOMs, so we know the flow you are seeing?

The SSL debug you posted was showing an error code. Perhaps it is matching this:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-When-logging-in-with-SSL-VPN-the-err...

"SSL routines::unexpected eof while reading"

Also check the route for return traffic: whether the internal VDOM has a route created to send traffic back.

You would need a default route pointing to the inter-VDOM link.

One other test you could use is to try pinging the interface where you are trying to set up SSL VPN. Make sure you enable Ping in Administrative Access:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Allow-ping-from-a-specific-IP-for-administ...

If the ping works, then it might be some issue in the VPN; if the ping is failing, then it may be a network connectivity issue.

Regards,

Varun
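
The return-route and admin-access checks Varun lists above, written out as FortiOS CLI so the two VDOM sides can be compared. This is an added example, not configuration from this thread or from Fortinet's article: the WAN interface (wan1), the inter-VDOM link and its two ends (vl-b, vl-b0 in root, vl-b1 in VDOM-B), the /30 addressing on that link, and the VIP, service and policy names are all assumed. The root VDOM forwards 40.64.58.147:6443 to VDOM-B over the link; VDOM-B needs the default route back over the same link, otherwise the SYN-ACKs the sniffer shows VDOM-B generating never leave the box.

```fortios
# --- global: inter-VDOM link, with ping allowed on both ends so the
#     reachability test Varun suggests works from either side (names assumed)
config global
    config system vdom-link
        edit "vl-b"
        next
    end
    config system interface
        edit "vl-b0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "vl-b1"
            set vdom "VDOM-B"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping https
        next
    end
end

# --- root: DNAT the public address/port to VDOM-B's end of the link
config vdom
    edit root
        config firewall service custom
            edit "TCP-6443"
                set tcp-portrange 6443
            next
        end
        config firewall vip
            edit "vip-sslvpn-vdomb"
                set extip 40.64.58.147
                set extintf "wan1"
                set portforward enable
                set mappedip "10.255.0.2"
                set extport 6443
                set mappedport 6443
            next
        end
        config firewall policy
            edit 1
                set name "wan-to-vdomb-sslvpn"
                set srcintf "wan1"
                set dstintf "vl-b0"
                set srcaddr "all"
                set dstaddr "vip-sslvpn-vdomb"
                set action accept
                set schedule "always"
                set service "TCP-6443"
            next
        end
    next
end

# --- VDOM-B: the return route is the piece that is easy to forget.
#     Without it, inbound SYNs arrive (the sniffer sees them) but the
#     SYN-ACKs have no route out and the browser never gets a login page.
config vdom
    edit VDOM-B
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.0.1
                set device "vl-b1"
            next
        end
        # SSL VPN listens on the link interface, on the custom port
        config vpn ssl settings
            set port 6443
            set source-interface "vl-b1"
            set source-address "all"
            set default-portal "full-access"
        end
        # Verification from inside VDOM-B: watch for SYN-ACKs actually
        # leaving on vl-b1, then turn on the sslvpn daemon debug
        diagnose sniffer packet any 'host 10.255.0.2 and port 6443' 4 0 a
        diagnose debug application sslvpn -1
        diagnose debug enable
    next
end
```

With the route in place, a ping from the client to 40.64.58.147 (answered by root's wan1) and a ping from root's vl-b0 to 10.255.0.2 separate network reachability from the VPN itself, which is the split Varun describes. VDOM-B still needs its own policy from the ssl.VDOM-B interface to the internal network for tunnel traffic; that part is not shown here.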

IrbkOrrum

Honestly, I've given up on the SSLVPN. I'm not sure if the issue is because of certificates (which I really can't do anything about) or what. So I've reset my lab to factory default and I'm now attempting remote access with IPsec VPN. This I've gotten to work when I'm not trying to pass just 1 particular port. I've just allowed all the traffic in and the IPsec VPN is working. The thing that I need to test next is whether I can have multiple people use the IPsec VPN at the same time.
