waaalex
New Contributor III

MODEM openvpn behind Fortigate 100D Forti OS 5.6 GA

Hello,

We've got an issue with a modem behind our firewall. It can't connect with OpenVPN to the remote server. The modem is working; we have done tests at my home. It has a rule for it, with no filter and no security profile. In forward traffic, I can see that it sent requests (HTTPS, UDP 1194 OpenVPN), but there is no response from the remote server. NAT enabled and disabled >> same issue. I have port mirroring with Wireshark: requests are sent but there are no responses. Can you help me to connect this modem?

It worked a few months ago; the last change was just the update from 5.4 to 5.6.

 

Thanks.

emnoc
Esteemed Contributor III

1> The CLI diag debug flow is your friend. I would run it and validate that the requests are not being dropped,

e.g.

diag debug reset
diag debug enable
diag debug flow filter dport 1194
diag debug flow show console enable
diag debug flow trace start 20

Run the client. A> Does a fwpolicy match? B> Is it drop/accept?

After the diagnostic:

diag debug disable
diag debug reset

2> Ensure the OpenVPN 1194 is functional at the remote server (use an OpenVPN client directly).

 

 

 

 

PCNSE 

NSE 

StrongSwan  

EMES

Are you allowing the traffic inbound or outbound?
waaalex
New Contributor III

Outbound.

The MODEM is inside, behind the forti unit.

No inbound policy, the MODEM initializes the connection.

 

Thanks.

 

waaalex
New Contributor III

Thank you.

Here are my logs:

 

 

id=20085 trace_id=1 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=2 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=3 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=3 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=4 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=4 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=5 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=5 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=6 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=6 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=7 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=7 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=8 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=8 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=9 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=9 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=10 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=10 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=10 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=11 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=11 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=11 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=12 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=12 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=12 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=13 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=13 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=13 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=14 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=14 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=14 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
id=20085 trace_id=15 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:42967->xx.vpn.xx.xx:1194) from port1. "
id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075b328, original direction"
id=20085 trace_id=15 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:42967"
FW-CARQ-01 #
FW-CARQ-01 #
FW-CARQ-01 #
FW-CARQ-01 #
id=20085 trace_id=16 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:32926->xx.xx.xx.xx:1194) from port1. "
id=20085 trace_id=16 func=init_ip_session_common line=5475 msg="allocate a new session-0075c996"
id=20085 trace_id=16 func=vf_ip_route_input_common line=2578 msg="find a route: flag=00000000 gw-xx.xx.xx.xx via wan1"
id=20085 trace_id=16 func=fw_forward_handler line=710 msg="Allowed by Policy-77: SNAT"
id=20085 trace_id=16 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:32926"
id=20085 trace_id=17 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:32926->92.52.111.210:1194) from port1. "
id=20085 trace_id=17 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075c996, original direction"
id=20085 trace_id=17 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:32926"
id=20085 trace_id=18 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, xx.xx.xx.xx:32926->92.52.111.210:1194) from port1. "
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075c996, original direction"
id=20085 trace_id=18 func=__ip_session_run_tuple line=3126 msg="SNAT xx.xx.xx.xx->xx.xx.xx.xx:32926"

 

 

Have you got an idea of what is happening?

Thank you.

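Added example (not part of the thread, and not Fortinet tooling): a small Python parser for diag debug flow output in the format posted above. It answers the two questions from the first reply (did a policy match, was it accept or drop) and counts packets per direction for each session. The sample lines are constructed with documentation IP addresses, and the "reply direction" and "Denied by" message texts are assumed to follow the same format as the posted lines.

```python
import re
from collections import defaultdict

# One trace entry; [^"]* also spans a line break printed before the closing quote.
ENTRY = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')
SESSION = re.compile(r'session(?:, id)?-([0-9a-f]{8})')

# Constructed sample in the format of the posted trace (documentation IPs).
SAMPLE = '''
id=20085 trace_id=1 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, 192.0.2.10:32926->198.51.100.5:1194) from port1. "
id=20085 trace_id=1 func=init_ip_session_common line=5475 msg="allocate a new session-0075c996"
id=20085 trace_id=1 func=fw_forward_handler line=710 msg="Allowed by Policy-77: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5319 msg="vd-root received a packet(proto=17, 192.0.2.10:32926->198.51.100.5:1194) from port1. "
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5394 msg="Find an existing session, id-0075c996, original direction"
'''

def summarize(trace_text):
    """Per session: matched policy, verdict, packets traced in each direction."""
    by_trace = defaultdict(list)
    for tid, _func, msg in ENTRY.findall(trace_text):
        by_trace[int(tid)].append(msg)
    sessions = defaultdict(lambda: {"policy": None, "verdict": None,
                                    "original": 0, "reply": 0})
    for tid in sorted(by_trace):          # one trace_id == one packet
        msgs = " | ".join(by_trace[tid])
        sid = SESSION.search(msgs)
        if not sid:
            continue                      # entry without a session id
        s = sessions[sid.group(1)]
        if "reply direction" in msgs:     # assumed wording for return traffic
            s["reply"] += 1
        else:
            s["original"] += 1            # new session or "original direction"
        allowed = re.search(r'Allowed by Policy-(\d+)', msgs)
        if allowed:
            s["policy"], s["verdict"] = int(allowed.group(1)), "accept"
        elif "Denied by" in msgs:         # assumed wording for a policy drop
            s["verdict"] = "drop"
    return dict(sessions)

def one_way(sessions):
    """Sessions that were forwarded but for which no reply packet was traced."""
    return [sid for sid, s in sessions.items()
            if s["original"] > 0 and s["reply"] == 0]

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(sid, s)
```

The reply count is only meaningful if the trace filter also matches return packets (source port 1194); whether a dport-only filter shows them is an assumption to verify on the device.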