Fortinet Forum
Drkrieger
New Contributor

Issues seeing remote computers through SSL VPN

Hello! I am experimenting with an older Fortigate 60B (running FortiOS 4.0 MR3, Patch 15) that my boss gave me and I'm trying to learn how to set up an SSL VPN. I found a few videos on how to configure the unit to do web filtering for remote clients and adjusted the configuration to provide VPN access to the internal network. Basically, I'm trying to use the SSL VPN to gain file share access on my home network for remote computers. I have been able to configure the VPN so that I was able to log in using the FortiClient (version 5.2), but I'm not able to ping or file share (SMB/CIFS) even though it is enabled in the portal. Here's how I have it configured:
1. Set up the user accounts (the internal network is a workgroup, no AD)
2. Created user group, set VPN Access to 'full-access'
3. Adjusted SSLVPN_TUNNEL_ADDR1 to a range other than default (FW Objects)
4. Created address range for my internal network (FW Objects)
5. Under VPN->SSL->Config, added SSLVPN_TUNNEL_ADDR1 to IP Pools
6. Under VPN->SSL->Portal, made sure all applications were checked (settings)
7. Added the adjusted IP range for the SSLVPN address range to Static Routes attached to device: ssl.root
8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed
9. Created Policy for SSL.ROOT->Internal, SSLVPN address range source, Internal home network range as destination, service any, Action allowed, NAT Enabled (also tried with this disabled, still no go)
I have no issues connecting to the VPN, that goes smoothly. I am unable to ping or directly look at any machine's file shares (using Windows Explorer and typing \\<ip address> of machine). Is there a step I may have missed? Or a setting I need to adjust? I can provide screenshots of my policies if required. Thanks in advance!
Carl_Wallmark
Valued Contributor

Hi, and welcome to the forum. Try to sniff the traffic from the CLI while pinging a computer:
diag sni pack ssl.root icmp 4
This will show if the traffic even gets to the firewall. Are you sure that FortiClient 5.2 is compatible with 4.3.15?

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Drkrieger
New Contributor

When I sniffed it, this was what came up: I'm confused by the error about no IPv4 address assigned. I thought that was the static route I created for the ssl.root?
Carl_Wallmark
Valued Contributor

Yes, but that looks OK; the ssl.root doesn't have an IP address. But you should see a lot of ICMP if you are pinging.

Drkrieger
New Contributor

I'm seeing nothing at all. I ran a ping -t to one of the machines on the internal network through the VPN and it keeps timing out. I did get an interesting response on one of the pings though, check it out: That IP doesn't exist on either of my networks (the remote, or the internal).
Drkrieger
New Contributor

I gave up and created an IPSec VPN. Works like a charm. Thanks for the assist Selective ;)
oheigl
Contributor II

Hello Drkrieger, this step is not complete:
8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed
You need to add the internal network as destination address object too. The destination addresses you enter in the policy with action SSL-VPN are propagated to the routing table of the virtual ssl-vpn adapter of the client. Hope that helps, Oliver
rwpatterson
Valued Contributor III

ORIGINAL: oheigl Hello Drkrieger, this step is not complete:
8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed
You need to add the internal network as destination address object too. The destination addresses you enter in the policy with action SSL-VPN are propagated to the routing table of the virtual ssl-vpn adapter of the client. Hope that helps, Oliver
Actually, step 9 covers the internal entities. In step 8 though, the destination should not be the SSL VPN IP addresses, rather it should be the destination hosts that you're trying to reach from the outside. One missing step is the static route back to the SSL VPN interface with a distance lower than that of the default gateway.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
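The point Oliver and Bob are making (the destination objects of the policy with action SSL-VPN are what gets pushed as routes to the client's virtual adapter, so a policy whose only destination is the SSL VPN pool leaves the client with no route to the office LAN) can be checked with a small model of that route push. The code below is an added example, not from the thread or from Fortinet. The address object values, the client LAN 192.168.0.0/24, and the adapter names `fortissl` and `eth0` are assumptions; the thread never gives the real ranges. It also goes one step past the thread: it flags the case where the remote client's own LAN uses the same subnet as the office LAN, which shadows the pushed route even when step 8 is fixed.

```python
"""Model of the split-tunnel route push for a FortiGate SSL VPN (tunnel mode).

Rule modelled, as stated in the thread: the destination address objects of the
firewall policy whose action is SSL-VPN are installed as routes on the client's
virtual adapter.  A destination not covered by those routes leaves the client's
physical adapter instead, so the FortiGate never sees it on ssl.root.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed address objects standing in for the ones named in the thread.
# The thread never gives the real ranges, so every value here is an assumption.
ADDRESS_OBJECTS: Dict[str, Tuple[str, str]] = {
    "all": ("subnet", "0.0.0.0/0"),
    "SSLVPN_TUNNEL_ADDR1": ("iprange", "10.212.134.200-10.212.134.210"),
    "Internal_LAN": ("subnet", "192.168.1.0/24"),
}

# Assumed names for the client's adapters and its directly connected LAN.
TUNNEL_IF = "fortissl"
PHYSICAL_IF = "eth0"
CLIENT_LAN: List[ipaddress.IPv4Network] = [ipaddress.ip_network("192.168.0.0/24")]


def object_to_networks(name: str) -> List[ipaddress.IPv4Network]:
    """Expand one address object into CIDR prefixes.

    An 'iprange' object is summarised into the minimal set of prefixes,
    because a routing table can only hold prefixes, not arbitrary ranges.
    """
    kind, value = ADDRESS_OBJECTS[name]
    if kind == "subnet":
        return [ipaddress.ip_network(value, strict=False)]
    if kind == "iprange":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError(f"unsupported address object type {kind!r}")


def pushed_routes(policy_dstaddr: Sequence[str]) -> List[ipaddress.IPv4Network]:
    """Routes the client installs towards the tunnel adapter.

    Every destination object of the SSL-VPN policy contributes its prefixes;
    adjacent prefixes are collapsed the way a routing table would hold them.
    """
    nets: List[ipaddress.IPv4Network] = []
    for name in policy_dstaddr:
        nets.extend(object_to_networks(name))
    return list(ipaddress.collapse_addresses(nets))


def egress(dst: str,
           tunnel_routes: Sequence[ipaddress.IPv4Network],
           connected: Optional[Sequence[ipaddress.IPv4Network]] = None) -> str:
    """Pick the client adapter a packet to `dst` leaves on.

    Longest-prefix match between the tunnel routes and the client's directly
    connected LAN(s); anything unmatched falls back to the default gateway on
    the physical adapter.  An exact prefix-length tie between a connected LAN
    and a tunnel route is reported as 'overlap': the home LAN uses the same
    subnet as the office LAN and the pushed route is shadowed.
    """
    ip = ipaddress.ip_address(dst)
    lans = CLIENT_LAN if connected is None else connected
    via_tunnel = max((n.prefixlen for n in tunnel_routes if ip in n), default=None)
    via_lan = max((n.prefixlen for n in lans if ip in n), default=None)
    if via_tunnel is None:
        return PHYSICAL_IF      # no pushed route: default gateway, never reaches ssl.root
    if via_lan is not None and via_lan == via_tunnel:
        return "overlap"
    if via_lan is not None and via_lan > via_tunnel:
        return PHYSICAL_IF      # the more specific connected route wins
    return TUNNEL_IF


if __name__ == "__main__":
    target = "192.168.1.10"     # a file server on the office LAN (assumed)
    for label, dstaddr in (
        ("step 8 as posted", ["SSLVPN_TUNNEL_ADDR1"]),
        ("step 8 with Internal_LAN added", ["SSLVPN_TUNNEL_ADDR1", "Internal_LAN"]),
        ("dstaddr 'all' (everything tunnelled)", ["all"]),
    ):
        routes = pushed_routes(dstaddr)
        print(f"{label}: routes {[str(n) for n in routes]} -> {target} via {egress(target, routes)}")
```

Run as posted, the first case routes the ping to 192.168.1.10 out the physical adapter, which is exactly why `diag sni pack ssl.root icmp 4` on the FortiGate shows nothing; adding the internal network object to the SSL-VPN policy moves it onto the tunnel adapter. The 'overlap' result is the one to check next if the pings still fail after the policy fix.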

Drkrieger

Actually, step 9 covers the internal entities. In step 8 though, the destination should not be the SSL VPN IP addresses, rather it should be the destination hosts that you're trying to reach from the outside.
So if I change the 'Destination Address' under the Destination Interface/Zone to the address range of my internal network, in theory it should be able to see it? Like this: Also, I'm not sure how to do this:
One missing step is the static route back to the SSL VPN interface with a distance lower than that of the default gateway.
I'm guessing that I would add an item in the Router->Static->Static Route menu, but what exactly would I put in? I've already got the IP range for the SSL VPN users linked to the ssl.root, not sure if that was all that is needed. Edit: I'll get a Route Print up shortly
rwpatterson
Valued Contributor III

ORIGINAL: Drkrieger I'm guessing that I would add an item in the Router->Static->Static Route menu, but what exactly would I put in? I've already got the IP range for the SSL VPN users linked to the ssl.root, not sure if that was all that is needed.
That' s all you should need in the routing area.