SSLVPN tunnel mode not working

t_dutkiewicz · ‎03-22-2016

Hi,

I have a problem with SSLVPN, but only with tunnel mode. I don't now why is not working. Below the settings:

SSLVPN:

config vpn ssl settings set servercert "Fortinet_Factory" set idle-timeout 1800 set tunnel-ip-pools "SSLVPN_ITP_DT" (address 10.240.240.0/24) set dns-server1 172.19.193.1 set dns-server2 8.8.8.8 set port 55443 set source-interface "wan1" set source-address "all" set source-address6 "all" set default-portal "web-access" config authentication-rule edit 1 set groups "ITP_TECHNICAL" set portal "ITP_DT" next end end

EXAMPLE POLICY FOR SSLVPN to ADDRESS 172.16.10.0/24

config firewall policy edit 52 set uuid 701cdeb4-ebad-51e5-4a6e-991f5651c53b set srcintf "ssl.root" set dstintf "VPN_Prom" set srcaddr "SSLVPN_ITP_DT" set dstaddr "PROM" (172.16.10.0/24) set action accept set schedule "always" set service "ALL" set logtraffic disable set groups "ITP_TECHNICAL" set nat enable set ippool enable set poolname "fortigate" - NAT TO LOCAL ADDRESS FORTIGATE 172.19.192.1 next end

Below diagnose flow tracing:

diagnose debug flow filter daddr 172.16.10.100

fg # id=20085 trace_id=576 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 10.240.240.1:1->172.16.10.100:8) from ssl.root. code=8, type=0, id=1, seq=362." id=20085 trace_id=576 func=init_ip_session_common line=4622 msg="allocate a new session-01144722" id=20085 trace_id=576 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.10.100 via VPN_Promag" id=20085 trace_id=576 func=fw_forward_handler line=675 msg="Allowed by Policy-52: SNAT" id=20085 trace_id=576 func=__ip_session_run_tuple line=2599 msg="SNAT 10.240.240.1->172.19.192.1:62464" id=20085 trace_id=576 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-VPN_Prom" id=20085 trace_id=576 func=esp_output4 line=897 msg="encrypting, and send to PUBLIC_IP_DEST with source PUBLIC_IP" id=20085 trace_id=576 func=ipsec_output_finish line=232 msg="send to PUBLIC_IP via intf-wan1"

Of course form fortigate i get correct route to this network:

0.0.0.0 0.0.0.0 172.19.192.1 172.19.192.121 10 10.9.101.0 255.255.255.0 10.240.240.2 10.240.240.1 10 10.21.0.0 255.255.254.0 10.240.240.2 10.240.240.1 10 10.240.240.1 255.255.255.255 On-link 10.240.240.1 266 91.238.62.118 255.255.255.255 172.19.192.1 172.19.192.121 10 127.0.0.0 255.0.0.0 On-link 127.0.0.1 306 127.0.0.1 255.255.255.255 On-link 127.0.0.1 306 127.255.255.255 255.255.255.255 On-link 127.0.0.1 306 172.16.10.0 255.255.255.0 10.240.240.2 10.240.240.1 10 172.16.50.0 255.255.255.0 On-link 172.16.50.130 266 172.16.50.130 255.255.255.255 On-link 172.16.50.130 266 172.16.50.255 255.255.255.255 On-link 172.16.50.130 266 172.19.192.0 255.255.252.0 On-link 172.19.192.121 266 172.19.192.0 255.255.252.0 10.240.240.2 10.240.240.1 10 172.19.192.121 255.255.255.255 On-link 172.19.192.121 266 172.19.195.255 255.255.255.255 On-link 172.19.192.121 266 172.19.196.0 255.255.254.0 10.240.240.2 10.240.240.1 10 172.21.10.0 255.255.254.0 10.240.240.2 10.240.240.1 10 172.21.12.0 255.255.254.0 10.240.240.2 10.240.240.1 10 192.168.0.0 255.255.255.0 10.240.240.2 10.240.240.1 10 192.168.0.51 255.255.255.255 10.240.240.2 10.240.240.1 10 192.168.135.0 255.255.255.0 On-link 192.168.135.1 276 192.168.135.1 255.255.255.255 On-link 192.168.135.1 276 192.168.135.255 255.255.255.255 On-link 192.168.135.1 276 192.168.200.50 255.255.255.255 10.240.240.2 10.240.240.1 10 192.168.240.0 255.255.255.0 10.240.240.2 10.240.240.1 10 224.0.0.0 240.0.0.0 On-link 127.0.0.1 306 224.0.0.0 240.0.0.0 On-link 192.168.135.1 276 224.0.0.0 240.0.0.0 On-link 172.19.192.121 266 224.0.0.0 240.0.0.0 On-link 172.16.50.130 266 224.0.0.0 240.0.0.0 On-link 10.240.240.1 266 255.255.255.255 255.255.255.255 On-link 127.0.0.1 306 255.255.255.255 255.255.255.255 On-link 192.168.135.1 276 255.255.255.255 255.255.255.255 On-link 172.19.192.121 266 255.255.255.255 255.255.255.255 On-link 172.16.50.130 266

The problem with the tunnel mode occurs using both split tunnel, and without it.

Nils · ‎03-22-2016

So the portal "ITP_DT" is the "tunnel all" portal?

Are you going to tunnel all traffic? Otherwise you have to use "Split Tunnel".

At the moment youre tunneling all traffic but only traffic to 172.16.10.0/24 will work. If you dont have another policy accepting the other traffic.

t_dutkiewicz · ‎03-22-2016

Yes the portal ITP_DT has tunnel all portal. I check also without split tunnel(all traffic via SSLVPN) and on portal page everythink is working.

Using tunnel mode nothing.

Below seetings without split tunnel:

### PORTAL ITP_DT

config vpn ssl web portal edit "ITP_DT" set tunnel-mode enable set web-mode enable set ip-pools "SSLVPN_ITP_DT" set split-tunneling disable config bookmark-group edit "APLIKACJE" config bookmarks edit "ftp" set apptype ftp set folder "ftp" set sso auto next end next end set display-history-limit 20 set page-layout double-column set theme darkgrey next end

##POLICY FOR SSLVPN(ALL TRAFFIC)

config firewall policy edit 46 set uuid 8bdab610-f014-51e5-cb76-ebebf0308ef3 set srcintf "ssl.root" set dstintf "wan1" set srcaddr "SSLVPN_ITP_DT" set dstaddr "all" set action accept set schedule "always" set service "ALL" set groups "ITP_TECHNICAL" set nat enable next end

#example diagnose flow to google ping 8.8.8.8

fg # id=20085 trace_id=577 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 10.240.240.1:1->8.8.8.8:8) from ssl.root. code=8, type=0, id=1, seq=363." id=20085 trace_id=577 func=init_ip_session_common line=4622 msg="allocate a new session-0115597f" id=20085 trace_id=577 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-91.238.62.117 via wan1" id=20085 trace_id=577 func=fw_forward_handler line=675 msg="Allowed by Policy-46: SNAT" id=20085 trace_id=577 func=__ip_session_run_tuple line=2599 msg="SNAT 10.240.240.1->91.238.62.118:62464" id=20085 trace_id=578 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 10.240.240.1:1->8.8.8.8:8) from ssl.root. code=8, type=0, id=1, seq=364." id=20085 trace_id=578 func=resolve_ip_tuple_fast line=4532 msg="Find an existing session, id-0115597f, original direction" id=20085 trace_id=578 func=ipv4_fast_cb line=50 msg="enter fast path" id=20085 trace_id=578 func=ip_session_run_all_tuple line=5641 msg="SNAT 10.240.240.1->91.238.62.118:62464"

from host vpnclient: 10.240.240.1

Pinging 8.8.8.8 with 32 bytes of data: Request timed out.

Ping statistics for 8.8.8.8: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

routing on host:

Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 172.19.192.1 172.19.192.121 4235 0.0.0.0 0.0.0.0 On-link 10.240.240.1 11

The same ping on portal:

rwpatterson · ‎03-22-2016

Besides the policy, do you have a static route back to the SSL subnet with a lower distance than the default? Equal distance will fail.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

t_dutkiewicz · ‎03-22-2016

Yes i have route static to the SSLVPN:

S 10.240.240.0/24 [5/0] is directly connected, ssl.root - > distance 5

Bellow routing info:

S* 0.0.0.0/0 [10/0] via 91.238.62.117, wan1 S 5.152.161.240/32 [5/0] via 91.238.62.61, wan2 C 10.3.0.0/24 is directly connected, SCSI_VLAN120 S 10.9.101.0/24 [10/0] via 172.19.193.30, LAN S 10.21.0.0/23 [10/0] is directly connected, VPN_Concordia S 10.68.3.110/32 [5/0] is directly connected, VPN_IMPERIAL S 10.68.3.210/32 [5/0] is directly connected, VPN_IMPERIAL C 10.68.97.64/32 is directly connected, IMPERIAL_INT S 10.240.240.0/24 [5/0] is directly connected, ssl.root C 91.238.62.60/30 is directly connected, wan2 C 91.238.62.116/30 is directly connected, wan1 S 91.240.93.96/32 [5/0] via 91.238.62.61, wan2 S 172.16.10.0/24 [10/0] is directly connected, VPN_Promag C 172.19.192.0/22 is directly connected, LAN S 172.19.196.0/23 [10/0] is directly connected, VPN_Sinersio S 172.21.10.0/23 [10/0] is directly connected, VPN_Concordia S 172.21.12.0/23 [10/0] is directly connected, VPN_Concordia S 192.168.0.0/24 [8/0] is directly connected, VPN_Concordia S 192.168.0.51/32 [5/0] is directly connected, VPN_PBG S 192.168.1.0/24 [10/0] via 172.19.192.201, LAN C 192.168.10.0/26 is directly connected, VOIP C 192.168.20.0/26 is directly connected, WIFI_GUEST S 192.168.200.50/32 [5/0] is directly connected, VPN_PBG S 192.168.240.0/24 [10/0] is directly connected, VPN_Concordia S 194.181.119.138/32 [1/0] via 91.238.62.117, wan1 S 212.77.100.101/32 [1/0] via 91.238.62.61, wan2

rwpatterson · ‎03-22-2016

In the picture you provided, the tunnel state is disconnected...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

t_dutkiewicz · ‎03-22-2016

i test tunnel mode using forticlient and browser. on picture i put only ping without tunnel mode.

Bellow i put again picture with tunnel mode(browser), and you can see i cannot ping 8.8.8.8

SSLVPN tunnel mode not working

Nominate a Forum Post for Knowledge Article Creation