Kiwi
New Contributor

Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup

Hello

 

I installed FortiGate-VM v 6.2 and 5.6.9 (Both Evaluation Copies) on VMware Workstation.

As instructed in multiple tutorial videos (Cookbook and Youtube), I configured SSL VPN on them to test client access.

 

Problem-1: When trying to test the SSL VPN functionality, https://<external_IP>:10433 fails with an error like SSL_ERROR_NO_CYPHER_OVERLAP (Firefox) or a similar error message about an SSL version mismatch when using other browsers.

 

- I know, evaluation copies have some limitation, like Low encryption only (no HTTPS administrative access)

- Some threads talk about using old Web browsers for TLS version to overcome the problem.

  I tried to enable TLS 1.0 and SSL 2.0 in Internet Explorer 7 that comes with Windows XP; it did not help!

 

Question: Any idea whether it's possible or not at all to test the SSL VPN client with evaluation copies?

 

Problem-2: After installing an Offline version of FortiClient VPN it keeps asking for Certificate.

I am not a customer and I do not have certificates for that, just a home lab. How to bypass this issue for testing purposes?

 

Thank you

Toshi_Esumi
Esteemed Contributor III

Did you check your Firefox TLS settings?

https://knowledge.digicert.com/generalinformation/INFO3299.html

The max/min values are explained below:

http://kb.mozillazine.org/Security.tls.version.*

 

On the other hand, my 50E running 6.2.3 shows the default SSL encryption settings are:

xxx (settings) # get

<snip>

ssl-max-proto-ver      : tlsl-3

ssl-min-proto-ver       : tlsl-2

 

They need to overlap.

 

Kiwi

Thank you Toshi for your reply.

In the meantime I updated my initial posting with the TLS 1.0 details before I saw your reply, so have another look at my posting and comment again.

Toshi_Esumi
Esteemed Contributor III

What are your settings on the FGT-VM side under "config vpn ssl settings"? Then just "get", which would show you all settings.

And you must have configured, or by default, to enable "Require Client Certificate" (in cli, "set reqclientcert enable"). Just disable it.

Kiwi

FortiGate-569 # conf vpn ssl sett
FortiGate-569 (settings) # get
reqclientcert       : disable  (by Default)
tlsv1-0             : enable   (I enabled it)
tlsv1-1             : enable
tlsv1-2             : enable
ssl-big-buffer      : disable
ssl-insert-empty-fragment: enable
https-redirect      : disable
ssl-client-renegotiation: disable
force-two-factor-auth: disable
servercert          : Fortinet_Factory
idle-timeout        : 300
auth-timeout        : 28800
login-attempt-limit : 2
login-block-time    : 60
login-timeout       : 30
dtls-hello-timeout  : 10
tunnel-ip-pools     : "SSLVPN_TUNNEL_ADDR1"
tunnel-ipv6-pools   : "SSLVPN_TUNNEL_IPv6_ADDR1"
dns-suffix          :
dns-server1         : 192.168.99.2
dns-server2         : 8.8.8.8
wins-server1        : 0.0.0.0
wins-server2        : 0.0.0.0
ipv6-dns-server1    : ::
ipv6-dns-server2    : ::
ipv6-wins-server1   : ::
ipv6-wins-server2   : ::
route-source-interface: disable
url-obscuration     : disable
http-compression    : disable
http-only-cookie    : enable
port                : 10443
port-precedence     : enable
auto-tunnel-static-route: enable
header-x-forwarded-for: add
source-interface    : "port1"
source-address      : "all"
source-address-negate: disable
source-address6     : "all"
source-address6-negate: disable
default-portal      : full-access
authentication-rule:
    == [ 1 ]
    id:     1
dtls-tunnel         : enable
check-referer       : disable
http-request-header-timeout: 20
http-request-body-timeout: 30

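As an added example for this thread (not Fortinet's or Mozilla's code, and not posted by any participant): a small Python check that parses a "config vpn ssl settings" get dump in either the 5.6 per-version-flag form shown in the post above or the 6.2 ssl-min-proto-ver/ssl-max-proto-ver form from Toshi's earlier reply, and intersects it with a Firefox profile's security.tls.version.min/max range (1 = TLS 1.0 through 4 = TLS 1.3, per the linked mozillazine page). It compares protocol versions only, not cipher suites, so an empty intersection explains an SSL_ERROR_NO_CYPHER_OVERLAP but a non-empty one does not rule it out; the sample dumps are constructed from the posts.

```python
import re

# Ordered TLS versions as FortiOS names them; position+1 is the value Firefox
# uses for security.tls.version.min/max (1 = TLS 1.0 ... 4 = TLS 1.3).
TLS_ORDER = ["tlsv1-0", "tlsv1-1", "tlsv1-2", "tlsv1-3"]
FIREFOX_SCALE = {i + 1: v for i, v in enumerate(TLS_ORDER)}

# Constructed samples, trimmed to the relevant lines of the two posts above.
KIWI_56 = """\
reqclientcert       : disable
tlsv1-0             : enable
tlsv1-1             : enable
tlsv1-2             : enable
port                : 10443
"""
TOSHI_62 = """\
ssl-max-proto-ver      : tlsv1-3
ssl-min-proto-ver       : tlsv1-2
"""

def parse_get_output(text):
    """Turn the 'key : value' lines of a FortiOS `get` dump into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(\S*)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def fortigate_tls_versions(settings):
    """Versions the FortiGate will negotiate, from either config style."""
    if "ssl-min-proto-ver" in settings and "ssl-max-proto-ver" in settings:
        lo = TLS_ORDER.index(settings["ssl-min-proto-ver"])
        hi = TLS_ORDER.index(settings["ssl-max-proto-ver"])
        return set(TLS_ORDER[lo:hi + 1])       # 6.2 style: min/max pair
    return {v for v in TLS_ORDER if settings.get(v) == "enable"}  # 5.6 flags

def browser_tls_versions(tls_min, tls_max):
    """Versions a Firefox profile allows, from security.tls.version.min/max."""
    return {FIREFOX_SCALE[i] for i in range(tls_min, tls_max + 1)}

def tls_overlap(fgt_get_text, tls_min, tls_max):
    """Versions both sides accept; an empty set means the handshake cannot succeed."""
    server = fortigate_tls_versions(parse_get_output(fgt_get_text))
    return server & browser_tls_versions(tls_min, tls_max)
```

With a current Firefox default of min 3 / max 4, the 5.6 box above overlaps only on TLS 1.2, so an older browser is not needed as long as tlsv1-2 stays enabled.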
Toshi_Esumi
Esteemed Contributor III

Still doesn't work?

Toshi_Esumi
Esteemed Contributor III

Also you downloaded "FortiClient VPN 6.2" instead of "FortiClient 6.2", right? To test a tunnel mode.

Kiwi
New Contributor

* Yes, FortiClient VPN 6.2 (not the full client), and it's complaining about the certificate.

Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. Please check the TLS version settings in the Advanced of the Internet options. (-5029)

 

Note: I just followed the step-by-step of this Cookbook v5.6 video: https://www.youtube.com/watch?v=IFqsfz6Bto0

The only difference is that he uses a hardware licensed appliance and I am using the VM evaluation that does not deal with https as described in my initial posting.

 

Toshi_Esumi
Esteemed Contributor III

Then I don't know why. Generally any demo-licensed FGT can be registered at the support portal and a ticket opened with TAC. Ask the sales/SE who provided the FGT-VM demo license if it's possible.

Kiwi
New Contributor

Here below is a nice article, but my evaluation version does not accept the command "set algorithm medium" as suggested:

 

http://www.layer8.one/fortigate-sslvpn-connecting-40-unable-to-establish-the-vpn-connection-the-vpn-...

 
