Alex_cn
New Contributor

Remote access with FortiClient issue and site to site working.

Hello Guys,

I'm new on the forum. I read a lot of your posts but I cannot solve my issue.

To explain my point as clearly as possible, first my configuration is as shown on the picture below.

[Network1.jpg: network diagram]

 

As you can see, I've got 2 sites, one in France and one in China.

My site-to-site VPN is working well. But when it comes to creating a remote access either by SSL VPN or by IPsec VPN with FortiClient, I failed on both sites.

Both of the FortiGates are FG50E and have a similar configuration on 5.6 firmware. In France I've got a fixed IP, which might be easier to set up, while in China I've got a dynamic IP and use DDNS to create my site-to-site VPN.

I use an LDAP server to log in, which I configured on both FortiGates. It seems to work. But being unable to create a remote VPN I also tried to use a local user, which also failed.

I tried several configurations of the remote IPsec VPN from the cookbook, tutorials from YouTube and older posts on the forum. But still no luck.

With all the articles I read, I guess I've got more than one issue.

  • Both of the FortiGates are behind an ISP box, which might bring some port forwarding issues and others.

    Concerning the French side, I have access to the configuration of the ISP box, but in China I don't have any access. And as I prefer to have a symmetric configuration so as not to get lost during maintenance, I prefer to avoid changing the ISP box configuration (bridge mode).

  • As I already have a site-to-site VPN up, it might cause an issue in the IKE phase for the IPsec VPN, which I tried to solve by using the aggressive mode of IKE version 1 with a specific peer ID. It works for the site-to-site VPN, but for the remote VPN with FortiClient 6.0.8.0261 still no way.
  • Concerning the SSL VPN I am completely stuck; I guess it's mainly due to the ISP box, as my portal appears to be listening on the intermediate network 192.168.1.2.

    I would appreciate any tips that I might try to set up my remote VPN.

    Alex_cn
    New Contributor

    I didn't get any answer yet. But so far I'm reading the FortiOS handbook, 3596 pages lol.

    And I'm looking especially at the hub-and-spoke configuration.

    I'll keep you updated on my progress.

    Alex_cn

    Hello guys, I just want to bring you up to date.

    I spent all day yesterday on my topic and now I'm able to connect to my French site by SSL VPN. Unfortunately, I'm still not able to do it by IPsec VPN and I didn't manage to connect to my Chinese site at all.

    I made several changes and attempts. Below are the working settings of the SSL VPN.

     

    LDAP server:

  • Server IP: 200.200.200.10
  • Server port: 389
  • Common name identifier: samaccountname
  • Distinguished name: ou=xxx,dc=xxx
  • Bind type: Regular
  • User name: CN=xxx,CN=Users,DC=xxx,DC=local
  • Password: xxxx

    I tested the connectivity and it works well.

     

    Users:

  • User definition: Remote LDAP users imported from the LDAP server.
  • User group: type firewall with the necessary members

    I defined it this way because I read somewhere that FortiGate has difficulty with LDAP groups which include sub-groups only and not the members directly.

     

    Addresses:

  • I defined a new IP range of addresses for the SSL VPN with the SSL interface on it.
  • I also defined a subnet for the SSL VPN with the SSL interface and static route configuration.

     

    Port:

  • First, put the admin HTTPS port to 10443 in the system settings.

     

    SSL Portal:

  • I deleted all portals and created new ones.
  • For tunnel_access:
      • Limit users to one SSL-VPN connection at a time: enable
      • Tunnel mode: enable
      • Enable split tunneling: disable
      • Source IP pools: the range created before
      • Allow client to save password: enable
      • Allow client to connect automatically: enable
      • Allow client to keep connection alive: enable
      • Enable web mode: disable
      • Enable FortiClient download: enable
      • Customize download location: disable

     

    SSL settings:

  • Listen on interface: Wan
  • Port: 443 (my web mode is listening at https://192.168.1.1 which is not my public IP)
  • Redirect HTTP to SSL-VPN: disable
  • Restrict access: Allow access from any host
  • Idle logout: enable / inactive for 3600 seconds (default was 300, but my connection was dropping and after this change everything works well)
  • Server certificate: Fortinet_Factory
  • Require client certificate: disable
  • Address range: Specify custom IP range: the range created before
  • DNS server: specify: 200.200.200.10 and 100.100.100.10 (those are my 2 internal DNS servers, one on each site. The sites are connected with a gateway-to-gateway tunnel. I specify DNS because the FortiGate DNS server is set to the FortiGuard servers, as I use DDNS for the gateway-to-gateway VPN)
  • Specify WINS servers: disable
  • Allow endpoint registration: disable
  • Authentication/portal mapping: SSL users – tunnel_access, and all other users – web_access

     

    IPv4 Policy:

  • SSL Client to internet:
      • Incoming interface: SSL VPN tunnel
      • Outgoing interface: Wan
      • Source: address all / group: SSL users
      • Destination: all
      • Schedule: always
      • Services: ALL
      • Action: accept
      • NAT: enable
      • IP pool configuration: Use outgoing interface address
      • Security profiles: all disabled (I plan to set up my security profiles after everything is working well. It will be easier to troubleshoot, as the security profiles can block some access)
      • Enable this policy: enable
  • SSL Client to Lan:
      • Incoming interface: SSL VPN tunnel
      • Outgoing interface: lan
      • Source: address all / group: SSL users
      • Destination: FR_local
      • Schedule: always
      • Services: ALL
      • Action: accept
      • NAT: enable
      • IP pool configuration: Use outgoing interface address
      • Security profiles: all disabled (same reason as above)
      • Enable this policy: enable

     

    Static routes:

  • Destination: named address: the subnet created before (with static route)
  • Gateway: 0.0.0.0
  • Interface: SSL VPN tunnel
  • Administrative distance: 10 (default value)
  • Status: enable
  • Priority: 1 (my gateway-to-gateway static route has priority 0)

     

    Result with FortiClient 6.0.8.0261: I can connect to my French site. I'm actually in China, so the result is pretty slow, but it works.

    The next step is to duplicate those settings to the Chinese site; the difference would be the DDNS setting in FortiClient. After a couple of minutes to set everything up, the result is that I'm still not able to connect. So, I checked whether other settings were different between the two FortiGates. And I found a few.

    I figured out in the address objects that the French FortiGate has 2 additional addresses compared to the Chinese one.

    Name: Auth.gfx.ms – type: FQDN – details: auth.gfx.ms – ref: 1 to deep-inspection

    Name: softwareupdate.vmware.com- type: FQDN – Details: softwareupdate.vmware.com - ref: 1 to deep-inspection

     

    These 2 addresses are also listed in the wildcard FQDNs and refer to the deep-inspection SSL profile. It took me a while to remember that when I was setting up my site-to-site VPN I called support and we made those changes in the CLI console.

    Unfortunately, I'm not able to do it again on the other FortiGate. I'll try to figure it out.

     

    But so far, I can say that I'm not able to connect to my Chinese site by SSL due to one of these 3 things:

  • The Chinese site is behind the China Telecom box and the box doesn't allow the access.
  • The Chinese site has a dynamic IP and FortiClient doesn't resolve the FQDN to the IP.
  • The deep inspection isn't working on the Chinese site.

    Concerning the IPsec VPN, none of them are working. I read somewhere that this is due to the Great Chinese Firewall and that only SSL will work. That's the reason I focus on the SSL access. But I assume that's not really true, due to the fact that I have one site-to-site IPsec VPN working well.

    See you later for further updates.

    Alex_cn

    Some more updates today.

    So today I played around with the FQDN difference between my Chinese FTG and my French one.

    So, as the 2 FQDNs were linked to the deep-inspection profile, which I cannot change in the 5.6 firmware, I decided to downgrade both FortiGates to 5.4.13.

    After playing around a bit, I figured out that if the address auth.gfx.ms is in a wildcard address then I cannot bring up my site-to-site VPN. But if the address is in a normal FQDN then it's working. So, I set the auth.gfx.ms and softwareupdate.vmware.com addresses as FQDN on both FortiGates and then linked them again to the deep-inspection profile.

    With those changes my site-to-site VPN is working and I can connect to the French site with SSL VPN. But still nothing possible on the Chinese site.

    Then, as I was playing with firmware, I decided to update both FortiGates to the latest release 6.2.3 and play around a bit more, but still nothing possible. There are several changes in the GUI in 6.2.3 and the address auth.gfx.ms simply disappeared from the address list.

    I have no idea what that is, but I won't care much any longer. Now I'll focus on checking the ISP box (which is a router) settings. In France I have no problem changing things as I have access, but in China no access to the box management. I'll contact the ISP tomorrow.

    Alex_cn

    Monday update,

    This morning I checked my ISP box configuration and guess what? I found something! The guy who installed the FortiGate in France set up the FortiGate in a DMZ (DMZ relative to the ISP box) and set up some port forwarding on the ISP box. I wasn't aware of it. So, that was the reason I was able to connect in France by SSL.

    So today I called China Telecom and asked them to allow me to do some port forwarding on their box. They refused to give me the access to set it up. But they did accept to set up the box in bridge mode. They did it remotely in 5 minutes and sent me the PPPoE account and password. Before, their box was connecting via DHCP, but it seems that they only allow bridge mode with a PPPoE account. However weird that is, after setting up the PPPoE account on the WAN interface, I could access my Chinese site with SSL VPN.

    In order to simplify my life during maintenance I tried to set up the French ISP box in bridge mode as well and have a symmetric configuration. But unfortunately, the ISP box (BBox of Bouygues Telecom) doesn't support bridge mode.

    To sum up, now I have my site-to-site VPN working and I can access both sites with SSL VPN, which is what I needed. So, my problem is solved somehow, even though I'm still unable to bring up the IPsec VPN on both sites and the ISP box on each site has different settings.

    Out of curiosity I'll try to find out why I'm not able to access my sites by IPsec VPN. I read many posts on the web saying that it is due to the Chinese Great Firewall. But I don't believe it much, as my site-to-site VPN is IPsec and working.

    Alex_cn

    Hello forum,

     

    Some updates concerning last week.

    As I told you, I'm now able to connect my client with FortiClient by SSL VPN. Unfortunately, the SSL VPN was going down every 5 min. After I read this post, https://forum.fortinet.com/tm.aspx?m=153209, I tried to apply this fix:

    config system interface
        edit <name>
            set preserve-session-route enable
        next
    end

     

    but I got the message

    Attribute 'vdom' MUST be set.
    Command fail. Return code 1

     

    I didn't set any VDOM on my FortiGate, so that was weird.

    Out of curiosity I tried to set the VDOM attribute:

    config vdom
        edit <vdom name>

    Without success. ☹ So, I decided to set up VDOMs in order to be able to apply the fix. My skills weren't good enough and I didn't have enough patience to read the VDOM cookbook. So, I messed up my FortiGate completely and nothing was working any more. Then I decided to do a factory reset and apply all my configuration again.

    And with this, now, I'm able to connect by SSL VPN and IPsec VPN to my Chinese site.

    I don't know what happened in between, or what the factory reset cleaned up, but now I have my site-to-site VPN, my SSL VPN and my IPsec dial-up VPN working with my Chinese site.

    One thing I still don't get is that my VPN settings are the same in China and in France, but I still cannot access my French site with an IPsec dial-up connection. So, I think I'll do the same factory reset on my French FortiGate and reapply my configuration to see if it solves my IPsec issue.
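A note on the "Attribute 'vdom' MUST be set" error in the post above, with an added example that is not part of the post. Under `config system interface`, `edit` with a name that does not exist creates a new interface entry, and a new entry must carry a `vdom`, which is why the CLI refuses it; editing an interface that already exists needs no VDOM at all, even with VDOMs disabled. So the check before applying the linked fix is that the name typed after `edit` matches an existing interface. The interface name ssl.root used here is an assumption; use whichever interface the linked post refers to.

```fortios
# Added example. First confirm the exact interface name, then edit the existing entry.
# ssl.root is an assumption; the error appears when the name after "edit" does not exist yet.
get system interface | grep ssl
config system interface
    edit "ssl.root"
        set preserve-session-route enable
    next
end
show system interface ssl.root
```

If the name is mistyped the same "Attribute 'vdom' MUST be set" error comes back, which is the signal to abort with `abort` rather than to enable VDOMs.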

    AdiMizil
    New Contributor III

    Hi Alex,

     

    Very interesting post you are writing. Don't forget to also check the Cookbook recipes (https://cookbook.fortinet.com/vpns/ and choose your FortiOS version) and blogs, e.g. FortinetGuru.

    About IPsec, it uses multiple ports and protocols, which should all be allowed (re the port forwarding on the ISP box in France):

  • Protocol: UDP, port 500 (for IKE, to manage encryption keys)
  • Protocol: UDP, port 4500 (for IPsec NAT-Traversal mode)
  • Protocol: ESP, value 50 (for IPsec)
  • Protocol: AH, value 51 (for IPsec)

    Kind regards,

    Adi
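An added example (not from Adi's reply or from Alex's configuration) of a FortiClient dial-up IPsec phase 1/2 on a FortiGate that sits behind a NAT box, together with the diagnostics that show whether the traffic on the ports listed above actually arrives. Two points the port list leaves implicit: with NAT traversal the ESP packets travel inside UDP 4500, so a consumer box that can only forward TCP/UDP ports needs just UDP 500 and UDP 4500 forwarded to the FortiGate (ESP and AH as IP protocols cannot be port-forwarded, and AH is not used by this tunnel type); and the peer ID is what lets the FortiGate tell this aggressive-mode dial-up phase 1 apart from the site-to-site phase 1 on the same WAN interface. The names Dialup_FR, forticlient-fr, wan1, lan, FR_local, the group SSL users, the 10.10.10.0/24 client pool and the PSK placeholder are assumptions.

```fortios
# Added example: dial-up IPsec for FortiClient behind NAT, FortiOS 5.6/6.0 syntax.
# Assumed names: Dialup_FR, forticlient-fr, wan1, lan, FR_local, SSL users, 10.10.10.0/24, <psk>.
config vpn ipsec phase1-interface
    edit "Dialup_FR"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        # Peer ID selects this phase 1 when several tunnels share wan1; FortiClient sends it as Local ID.
        set peertype one
        set peerid "forticlient-fr"
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        # forced: always encapsulate ESP in UDP 4500, so only UDP 500/4500 need forwarding.
        set nattraversal forced
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "SSL users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.50
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 200.200.200.10
        set psksecret <psk>
    next
end
config vpn ipsec phase2-interface
    edit "Dialup_FR_p2"
        set phase1name "Dialup_FR"
        set proposal aes256-sha256
    next
end
# Policy from the dial-up tunnel interface to the LAN, same shape as the SSL VPN one.
config firewall policy
    edit 0
        set name "IPsec dialup to Lan"
        set srcintf "Dialup_FR"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "FR_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Checks, run while FortiClient attempts to connect.
# 1. Does IKE/NAT-T traffic reach the WAN interface at all? No packets here means the ISP box drops them.
diagnose sniffer packet wan1 'udp port 500 or udp port 4500 or esp' 4
# 2. If packets arrive, where does the exchange stop (proposal, peer ID, XAuth)?
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway list
diagnose debug disable
```

The sniffer line is the one that separates the two failure modes discussed in this thread: if nothing on UDP 500 shows up on wan1 while FortiClient is dialling, the problem is upstream (ISP box, missing forward, or a filtered path) and no FortiGate setting will change it; if packets arrive and the IKE debug shows the negotiation failing, the problem is in the phase 1 settings, most often a peer ID or proposal mismatch with the client profile.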
