ForgetItNet
Contributor

Using Fortinet 60F as SSL Client not dialling up

Hi all,

 

Someone kindly gave me a link to a guide to set up a 60F router as an SSL VPN client to connect to a 100F at our head office (we can't use IPsec at this location):

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/508779/fortigate-as-ssl-vpn-client

I've followed the guide and gone through it many times, but it's not working.

On the head office 100F (the server) I can see VPN logs for "SSL exit error" that come from the IP address of the 60F (the client), so I know it's doing something, but that's all that is in there. From what I gather this is a test to make sure the client can see and communicate with the server, and it then "should" dial up and connect, but that's all I'm getting from the logs on the server router.

On the client (60F) all I'm getting is "Link Monitor: Interface SSL Interface was turned down"

If I enable debug on the client, it displays nothing, but on the server I get:

SSL State: fatal certificate unknown (ip of the client)

SSL state:error:(null) (ip of the client)

SSL_accept failed, 1:sslv3 alert certificate unknown

I exported the cert and private key from the server and imported it onto the client and selected that in the SSL settings, but is that right?

Thanks in advance.

Anthony_E
Community Manager

Hello,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
Markus_M
Staff

Hi ForgetItNet,

 

This is very likely an SSL/TLS error. To be sure, that is an encrypted tunnel that has to be established prior to sending any data through it (like authentication etc. and whatever follows).

TLS can be established with different criteria, but one node receives a certificate from the other node and has to verify it.

More information here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-TLS-and-the-use-of-Digital-Certificates/ta...

The FortiGate is sending a server certificate to the client and the client has to have the signing certificate to verify the server certificate. If the certificate chain is longer, all the public keys are to be presented.

 

Special note:

The private key NEVER has to be imported anywhere but the identifying node (webserver).

 

If the client is sending a certificate to the FortiGate because the configuration was set up that way, the same goes: the FortiGate has to verify what the client sends with the certificate that issued the client certificate.

valid chain:

client/server cert > Intermediate CA > Root CA

Example cases:

- client/server sends the cert, the other node needs to have the intermediate and root CA cert (public key only required).

- client/server sends the cert and intermediate, the other node needs to have the root CA cert (public key only required).

- client/server sends the cert, intermediate and root, the other node needs to have the root CA cert (public key only required).

 

If the client sends a cert AND the server sends its cert, likewise server AND client both need to verify what the other node sends.

 

Best regards,

 

Markus
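
Markus's chain cases above, replayed with openssl as an added example (this is not code from the thread or from Fortinet; all certificate names and file names are invented). It builds a root CA, an intermediate CA and a server certificate, then checks which combinations of "what the sender includes in the handshake" and "what the receiver trusts" verify. The two failing cases at the end are the situation the original post is in: the receiving node cannot build a chain for the peer's certificate, which is what a TLS peer reports with a `certificate unknown` alert, and `SSL_accept failed ... sslv3 alert certificate unknown` is the form OpenSSL uses on the server side for an alert received from the client. Verification only ever reads the `.crt` files; each `.key` file stays with the node that owns it.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a three-level chain
#   server cert > intermediate CA > root CA
# with openssl, then replay the verification cases Markus lists, plus the
# failing cases behind a "certificate unknown" alert. All names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# Root CA (self-signed). root.key never leaves the CA.
q openssl req -x509 -config req.cnf -extensions v3_ca -subj "/CN=Example Root CA" \
  -newkey rsa:2048 -nodes -sha256 -days 30 -keyout root.key -out root.crt

# Intermediate CA, signed by the root.
q openssl req -new -config req.cnf -subj "/CN=Example Intermediate CA" \
  -newkey rsa:2048 -nodes -sha256 -keyout int.key -out int.csr
q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile req.cnf -extensions v3_int -sha256 -days 30 -out int.crt

# Server (leaf) cert, signed by the intermediate. server.key is the only
# private key the SSL VPN server needs; the client never needs it.
q openssl req -new -config req.cnf -subj "/CN=vpn.example.test" \
  -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr
q openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -extfile req.cnf -extensions v3_server -sha256 -days 30 -out server.crt

# An unrelated CA, standing in for a client that trusts the wrong issuer.
q openssl req -x509 -config req.cnf -extensions v3_ca -subj "/CN=Unrelated CA" \
  -newkey rsa:2048 -nodes -sha256 -days 30 -keyout other.key -out other.crt

cat int.crt root.crt > int_and_root.pem   # receiver trusts intermediate + root
cat root.crt > root_only.pem              # receiver trusts root only
cat int.crt root.crt > sent_all.pem       # sender includes intermediate + root

# chain_ok TRUSTED SENT LEAF -> prints "yes" if the receiving node can build a
# chain from LEAF to a certificate in TRUSTED using only the certificates in
# SENT (what the peer included in its handshake; '' for none), else "no".
# Only public certificates are read; no private key takes part in verification.
chain_ok() {
  trusted="$1"; sent="${2:-}"; leaf="$3"
  if [ -n "$sent" ]; then
    if openssl verify -CAfile "$trusted" -untrusted "$sent" "$leaf" >/dev/null 2>&1; then
      echo yes; else echo no; fi
  else
    if openssl verify -CAfile "$trusted" "$leaf" >/dev/null 2>&1; then
      echo yes; else echo no; fi
  fi
}

# Markus's three working cases:
echo "leaf only, receiver has int+root:   $(chain_ok int_and_root.pem '' server.crt)"
echo "leaf+int, receiver has root:        $(chain_ok root_only.pem int.crt server.crt)"
echo "leaf+int+root, receiver has root:   $(chain_ok root_only.pem sent_all.pem server.crt)"
# Two ways a client ends up sending "certificate unknown" for the server cert:
echo "leaf only, receiver has root only:  $(chain_ok root_only.pem '' server.crt)"
echo "leaf+int, receiver trusts other CA: $(chain_ok other.crt int.crt server.crt)"
```

Run it with `sh` on any host that has openssl; the last two lines print `no`, and that is the check to reproduce against the real devices: the CA certificate (or chain) that issued the server's certificate has to be present as a trusted CA on the client, and the client's own trusted CA list is what decides, not anything copied from the server's private material.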

ForgetItNet

Thanks Markus, I've managed to resolve this by creating a new PKI user and setting the CA on both sides, and this has worked, so all good. The only thing I'm having trouble with now is that the client side can see and browse the server side network fine, but I can't ping or connect to the client side router from the server router. I'm "assuming" I should be able to do this, as I can ping laptops that connect to the SSL VPN using the software program, but just not when the SSL VPN is established through the router. Ping is enabled on all the interfaces on the client router and I've added firewall rules to allow everything. This is not a major issue as such, but we'd like to be able to manage these routers through the SSL VPN the same way we do the ones going through the IPsec VPNs.

Sam333
New Contributor II

Hi ForgetItNet,

You are having the same problem I am having now. Please help me: how did you solve this problem? Which PKI certificate did you use? Can you help me with how to do it?
Thank you in advance.
