WEBUI over ipsec

Author
Yngve0
Gold Member
  • Total Posts : 232
  • Scores: 0
  • Reward points: 0
  • Joined: 2004/12/29 03:06:35
  • Status: offline
2019/01/06 10:38:09 (permalink)


I have a strange issue.
 
- Two locations (on different continents) connected via IPsec VPN.
- Both sites have FGT60D, OS 6.0.3.
- The tunnel interface has an IP address assigned (Local/Remote) with a 255.255.255.255 subnet mask.
- The remote site has some policy-based routing, since some internet traffic must be routed via the internet connection at HQ.
Everything works fine; both site-to-site traffic and traffic from the remote site via HQ to the internet. The performance is as expected.
 
But the FGT web UI will not load from the remote site via the IPsec tunnel; the certificate warning occurs as normal, but after that nothing happens. I have tried different browsers (Chrome, Edge etc.) with the same result. I have done some "diag sniffer packet" sniffing and the packets seem to be routed correctly. When I RDP to a computer on the remote site I am able to connect to the web UI on the same IP that I failed to connect to from the other end. This is the same in both directions; both from the remote site to FGT@HQ and from HQ to FGT@remote.
 
SSH to the FortiGate is working normally over IPsec.
 
Where could I start digging?
 
Y
post edited by Yngve0 - 2019/01/06 12:40:41
#1

3 Replies

    Toshi Esumi
    Expert Member
    • Total Posts : 1293
    • Scores: 93
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: WEBUI over ipsec 2019/01/07 08:29:21 (permalink)
    Sounds like no routing issues. And assuming there is no "trusthost" issue either, allowing all or both subnets.
    Then it must be at the https level. I would enable HTTP temporarily to see if there is any difference. Then start running Wireshark to compare packets between local access (success) and remote access over IPsec (failure) to see where/when it breaks down. If the client side is waiting for something that it can't get from the FGT, you might need to run a packet capture on the FGT side, either via GUI or CLI, then convert it to pcap.
    #2
    Yngve0
    Gold Member
    • Total Posts : 232
    • Scores: 0
    • Reward points: 0
    • Joined: 2004/12/29 03:06:35
    • Status: offline
    Re: WEBUI over ipsec 2019/01/07 09:40:21 (permalink)
    Thanks; 
    HTTP gives no issues, so my guess is also that it is at the https level. I will follow your suggestion, but I am considering starting with re-issuing the SSL certificates.
     
    Best regards
     
    Yngve
    #3
    emnoc
    Expert Member
    • Total Posts : 5097
    • Scores: 315
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: WEBUI over ipsec 2019/01/07 12:09:31 (permalink)
    What versions of TLSv1.x are you allowing? Can you test with curl against the remote site?
     
    curl.exe -v -k https://x.x.x.x
     
    Do you get the certificate and a successful TLS handshake?
     
    Ken Felix
     

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #4