Change VPN SSL interface

marcelo_malara
2017/03/03 06:59:29

Hi guys.
 
I have two Fortinet 80Cs in a cluster. I configured the VPN SSL access some time ago on WAN1, and it worked fine. Now I need to move the VPN SSL to WAN2; I changed VPN -> SSL -> Settings -> Listen on interface from WAN1 to WAN2, port 10443, but neither the client nor the web page works. The client stops at 10%. It seems the port 10443 is not listening. Restarted the VPN SSL Daemon to no effect, rebooted both nodes to no effect.

Is there something more I have to change?

Regards
#1


    rkulow
    Re: Change VPN SSL interface 2017/03/03 07:32:56
    Via CLI go to:

    config vpn ssl settings
        config authentication-rule
            edit 1
                unset source-interface
            next
        end
    end

    (or set source-interface to the new interface)
    #2
    marcelo_malara
    Re: Change VPN SSL interface 2017/03/03 07:51:28
    Thanks, still not working. True that both auth rules had the old interface; this is a get after I changed to the new:
     
    FGT80C3911606514 (authentication-rule) # get 1
     
    id                  : 1
    source-interface:
        == [ wan2 ]
        name: wan2
    source-address:
        == [ all ]
        name: all
    source-address-negate: disable 
    source-address6:
    source-address6-negate: disable 
    users:
    groups:
        == [ Grupo de usuarios para VPN SSL ]
        name: Grupo de usuarios para VPN SSL
    portal              : RDP por VPN 
    realm               : 
    client-cert         : disable 
    cipher              : any 
    auth                : any 
    #3
    rkulow
    Re: Change VPN SSL interface 2017/03/06 01:18:40
    Did you try to unset source-interface?
    #4
    ede_pfau
    Re: Change VPN SSL interface 2017/03/06 02:38:59
    The interface listened on is set outside the auth rules section:
    config vpn ssl settings
        set port 443
        set source-interface "wan1"
        ...
    This is in FOS v5.2.9

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
    Nils
    Re: Change VPN SSL interface 2017/03/06 03:32:25
    Did you change the policies that the SSLVPN interface uses as well?
    #6
    marcelo_malara
    Re: Change VPN SSL interface 2017/03/06 05:19:33
    Hi guys.
     
    "The interface listened on is set outside the auth rules section"
    source-interface:
     
    --More--              == [ wan2 ]
    --More--              name: wan2
    #7
    marcelo_malara
    Re: Change VPN SSL interface 2017/03/06 05:29:07
    "Did you change the policies that the SSLVPN interface uses as well?"
     
    Sorry, what do you mean? The only policies are from the ssl.root interface.
     
    #8
    Nils
    Re: Change VPN SSL interface 2017/03/06 07:20:25
    Oh sorry, yeah in the new versions you don't use the external interface in the policy.
    Do you have any VIP that uses port 443 on WAN2?
     
    #9
    marcelo_malara
    Re: Change VPN SSL interface 2017/03/06 07:41:17
    Actually I am using port 10443 for the VPN.
    #10
    marcelo_malara
    Re: Change VPN SSL interface 2017/03/08 15:02:23
    Hi guys, for anyone interested, I managed to partially solve this. The issue is that if I choose the port 10443 there is no command:
     
    set port 10443
     
    ...visible in a backup file, whereas if in the VPN config I choose port 10444, I can find the command and the VPN works ok.
    #11
    Dirty_Wizard_FTNT
    Re: Change VPN SSL interface 2017/03/08 17:32:14
    It is not showing in the config file because 10443 is the default port.
     
    You should debug flow the traffic.
     
    You may have 10443 used elsewhere like a VIP.
     
    Grep for it in the whole config:
     
    show full-configuration | grep -f 10443
    #12
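
The check suggested in the reply above, run offline against a saved backup file, as an added example that is not part of the thread and is not Fortinet tooling: it treats a missing `set port` line as the default and lists VIPs whose external port covers the SSL VPN listener. The backup excerpt and the VIP name `rdp-forward` are constructed, and the default of 10443 is taken from the reply above.

```python
import re

DEFAULT_PORT = 10443  # default per the reply above; assumed for this build
# Constructed backup excerpt; the VIP "rdp-forward" is hypothetical.
SAMPLE = '''config vpn ssl settings
    set source-interface "wan2"
    config authentication-rule
        edit 1
            set source-interface "wan2"
        next
    end
end
config firewall vip
    edit "rdp-forward"
        set extintf "wan2"
        set extport 10443
    next
end'''

def settings(text):
    """Yield (config path, edit name, key, values) for each 'set' line."""
    path, edits = [], []
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            path.append(rest); edits.append(None)
        elif word in ("edit", "next"):          # 'next' closes the current entry
            edits[-1] = rest.strip('"') or None
        elif word == "end" and path:
            path.pop(); edits.pop()
        elif word == "set":
            key, *vals = re.findall(r'"[^"]*"|\S+', rest)
            yield tuple(path), edits[-1], key, [v.strip('"') for v in vals]

def listener(text):
    """Effective SSL VPN (interfaces, port); no 'set port' line means the default."""
    top = {k: v for p, _, k, v in settings(text) if p == ("vpn ssl settings",)}
    return top.get("source-interface", []), int(top.get("port", [DEFAULT_PORT])[0])

def conflicting_vips(text):
    """Names of VIPs with an extport whose extintf/extport cover the listener."""
    intfs, port = listener(text)
    vips = {}
    for p, edit, k, v in settings(text):
        if p == ("firewall vip",) and edit:
            vips.setdefault(edit, {})[k] = v
    def covers(cfg):
        lo, _, hi = cfg.get("extport", ["0"])[0].partition("-")
        return cfg.get("extintf", ["any"])[0] in intfs + ["any"] and int(lo) <= port <= int(hi or lo)
    return [name for name, cfg in vips.items() if covers(cfg)]
```

Only the top-level `source-interface` and `port` are read for the listener; the copy inside `authentication-rule` is parsed but kept separate, which matches the distinction made earlier in the thread.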
    marcelo_malara
    Re: Change VPN SSL interface 2017/03/10 15:18:43
    Nothing shown with that command.
     
    Regards
     
    #13