Issues seeing remote computers through SSL VPN

Author
Drkrieger
2014/07/02 11:36:40 (permalink)

Hello!

I am experimenting with an older Fortigate 60B (running FortiOS 4.0 MR3, Patch 15) that my boss gave me and I'm trying to learn how to set up an SSL VPN. I found a few videos on how to configure the unit to do web filtering for remote clients and adjusted the configuration to provide VPN access to the internal network.
Basically, I'm trying to use the SSL VPN to gain file share access on my home network for remote computers. I have been able to configure the VPN so that I was able to log in using the Forticlient (version 5.2), but I'm not able to ping or file share (SMB/CIFS) even though it is enabled in the portal.
Here's how I have it configured:

1. Set up the user accounts (the internal network is a workgroup, no AD)
2. Created user group, set VPN Access to 'full-access'
3. Adjusted SSLVPN_TUNNEL_ADDR1 to a range other than default (FW Objects)
4. Created address range for my internal network (FW Objects)
5. Under VPN->SSL->Config, added SSLVPN_TUNNEL_ADDR1 to IP Pools
6. Under VPN->SSL->Portal, made sure all applications were checked (settings)
7. Added the adjusted IP range for the SSLVPN address range to Static Routes attached to device: ssl.root
8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed
9. Created Policy for SSL.ROOT->Internal, SSLVPN address range source, Internal home network range as destination, service any, Action allowed, NAT Enabled (also tried with this disabled, still no go)

I have no issues connecting to the VPN, that goes smoothly. I am unable to ping or directly look at any machine's file shares (using Windows explorer and typing \\<ip address> of machine).

Is there a step I may have missed? Or a setting I need to adjust?
I can provide screenshots of my policies if required.

Thanks in advance!

#1


    Selective
    RE: Issues seeing remote computers through SSL VPN 2014/07/02 12:15:42 (permalink)
    Hi, and welcome to the forum,

    Try to sniff the traffic while pinging a computer in the CLI:

    diag sni pack ssl.root icmp 4

    This will show if the traffic even gets to the firewall.

    Are you sure that FortiClient 5.2 is compatible with 4.3.15?
    #2
    Drkrieger
    RE: Issues seeing remote computers through SSL VPN 2014/07/02 12:29:15 (permalink)
    When I sniffed it, this was what came up:



    I'm confused by the error about the no IPv4 Address assigned. I thought that was the static route I created for the ssl.root?
    #3
    Selective
    RE: Issues seeing remote computers through SSL VPN 2014/07/02 12:31:44 (permalink)
    Yes, but that looks ok, the ssl.root doesn't have an IP address.

    But you should see a lot of icmp if you are pinging.
    #4
    Drkrieger
    RE: Issues seeing remote computers through SSL VPN 2014/07/02 12:44:53 (permalink)
    I'm seeing nothing at all. I ran a ping -t to one of the machines on the internal network through the VPN and it keeps timing out. I did get an interesting response on one of the pings though, check it out:



    That IP doesn't exist on either of my networks (the remote, or the internal).
    #5
    Drkrieger
    RE: Issues seeing remote computers through SSL VPN 2014/07/02 14:34:18 (permalink)
    I gave up and created an IPSec VPN. Works like a charm.
    Thanks for the assist Selective ;)
    #6
    oheigl
    RE: Issues seeing remote computers through SSL VPN 2014/07/03 05:59:45 (permalink)
    Hello Drkrieger,

    this step is not complete:

    8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed


    You need to add the internal network as destination address object too. The destination addresses you enter in the policy with action SSL-VPN are propagated to the routing table of the virtual ssl-vpn adapter of the client.

    Hope that helps,
    Oliver
    #7
    rwpatterson
    RE: Issues seeing remote computers through SSL VPN 2014/07/03 06:04:49 (permalink)

    ORIGINAL: oheigl

    Hello Drkrieger,

    this step is not complete:

    8. Created Policy for WAN1->SSL.ROOT, Allowed all source addresses, destination addresses are SSLVPN range, action as SSL-VPN, added user group with all services allowed


    You need to add the internal network as destination address object too. The destination addresses you enter in the policy with action SSL-VPN are propagated to the routing table of the virtual ssl-vpn adapter of the client.

    Hope that helps,
    Oliver

    Actually, step 9 covers the internal entities. In step 8 though, the destination should not be the SSL VPN IP addresses, rather it should be the destination hosts that you're trying to reach from the outside. One missing step is the static route back to the SSL VPN interface with a distance lower than that of the default gateway.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #8
    oheigl
    RE: Issues seeing remote computers through SSL VPN 2014/07/03 06:12:14 (permalink)
    Hello Bob,

    the problem is he is using split tunnel, so he must configure the internal network also in the SSL-VPN rule, otherwise the client doesn't know where to send these packets, and just sends them to his local gateway on the client network.

    If he would send us a route print output of the client while connected, we would see exactly this issue.

    Kind regards,
    Oliver
    #9
    Drkrieger
    RE: Issues seeing remote computers through SSL VPN 2014/07/03 08:11:19 (permalink)

    Actually, step 9 covers the internal entities. In step 8 though, the destination should not be the SSL VPN IP addresses, rather it should be the destination hosts that you're trying to reach from the outside.


    So if I change the 'Destination Address' under the Destination Interface/Zone to the address range of my internal network, in theory it should be able to see it? Like this:



    Also, I'm not sure how to do this:

    One missing step is the static route back to the SSL VPN interface with a distance lower than that of the default gateway.


    I'm guessing that I would add in an item into the Router->Static->Static Route menu, but what exactly would I put in? I've already got the IP Range for the SSL VPN users linked to the ssl.root, not sure if that was all that is needed.


    Edit: I'll get a Route Print up shortly
    #10
    rwpatterson
    RE: Issues seeing remote computers through SSL VPN 2014/07/03 08:17:42 (permalink)
    ORIGINAL: Drkrieger
    I'm guessing that I would add in an item into the Router->Static->Static Route menu, but what exactly would I put in? I've already got the IP Range for the SSL VPN users linked to the ssl.root, not sure if that was all that is needed.

    That's all you should need in the routing area.

    -Bob - self proclaimed posting junkie!
    #11
    Drkrieger
    RE: Issues seeing remote computers through SSL VPN 2014/07/03 08:28:22 (permalink)
    Well, still no go on the SSL. Here's a route print.



    The 108.173.119.107 is the destination, but the gateway is wrong. It's using my current gateway (on the machine running the Forticlient). Should it not be pointing to the gateway on the home internal network?
    #12
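
Added example, not part of any post in this thread: a Python check for the split-tunnel symptom described in #9 and looked for in the route print of #12, deciding from `route print` output whether traffic to an internal host leaves through the tunnel adapter or the client's local gateway. The route table and all addresses (client LAN 192.168.0.0/24, SSL VPN pool 10.10.10.0/24, home network 192.168.1.0/24) are constructed assumptions, since the thread's screenshots did not survive.

```python
import ipaddress

# Constructed IPv4 section of Windows `route print` with the tunnel up.
# Assumed addressing: client LAN 192.168.0.0/24, SSL VPN pool 10.10.10.0/24,
# home network behind the FortiGate 192.168.1.0/24.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.50     25
       10.10.10.0    255.255.255.0          On-link      10.10.10.10    257
      192.168.0.0    255.255.255.0          On-link     192.168.0.50    281
"""
# Row the client is expected to gain once the internal network is a
# destination of the SSL-VPN policy, per post #9 (constructed).
PUSHED_ROUTE = "      192.168.1.0    255.255.255.0      10.10.10.11      10.10.10.10      1\n"


def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            routes.append((net, fields[2], fields[3], int(fields[4])))
        except ValueError:
            continue  # header or separator line
    return routes


def egress_for(routes, dest):
    """Pick the route by longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None


def leaves_via_tunnel(text, dest, tunnel_pool):
    """True if traffic to dest exits on an interface inside the VPN pool."""
    route = egress_for(parse_routes(text), dest)
    pool = ipaddress.ip_network(tunnel_pool)
    return route is not None and ipaddress.ip_address(route[2]) in pool


if __name__ == "__main__":
    for table in (ROUTE_PRINT, ROUTE_PRINT + PUSHED_ROUTE):
        print(egress_for(parse_routes(table), "192.168.1.10"),
              leaves_via_tunnel(table, "192.168.1.10", "10.10.10.0/24"))
```

With only the tunnel pool route present, the internal host matches nothing but the default route and the packets go to the client's own gateway, which also means a sniffer on ssl.root stays silent.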
    Drkrieger
    RE: Issues seeing remote computers through SSL VPN 2014/07/03 09:14:28 (permalink)
    I appear to have resolved the issue!

    I added a policy to allow Internal->SSL.Root. Once I did this, everything worked!

    Thank you all for the assistance, it was really appreciated :)
    #13