Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup

Author: Kiwi (New Member)
2020/02/03 09:02:13 (permalink)


Hello
 
I installed FortiGate-VM v 6.2 and 5.6.9 (Both Evaluation Copies) on VMware Workstation.
As instructed in multiple tutorial videos (Cookbook and Youtube), I configured SSL VPN on them to test client access.
 
Problem-1: When trying to test the SSL VPN functionality, https://<external_IP>:10433 fails with an error like SSL_ERROR_NO_CYPHER_OVERLAP (Firefox) or a similar error message about an SSL version mismatch when using other browsers.
 
- I know evaluation copies have some limitations, like low encryption only (no HTTPS administrative access).
- Some threads talk about using old web browsers to overcome the problem via the TLS version.
  I tried to enable TLS 1.0 and SSL 2.0 in IExplorer ver 7 that comes with Windows XP; it did not help!
 
Question: Any idea whether it's possible at all to test the SSL VPN client with evaluation copies?
 
Problem-2: After installing an offline version of FortiClient VPN, it keeps asking for a certificate.
I am not a customer and I do not have certificates for that, just a home lab. How to bypass this issue for testing purposes?
 
Thank you
post edited by Kiwi - 2020/02/06 13:02:32
#1

10 Replies

    Toshi Esumi (Expert Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 09:26:12 (permalink)
    Did you check your Firefox TLS settings?
    https://knowledge.digicert.com/generalinformation/INFO3299.html
    The max/min values are explained below:
    http://kb.mozillazine.org/Security.tls.version.*
     
    On the other hand, my 50E running 6.2.3 shows the default SSL encryption settings are:
    xxx (settings) # get
    <snip>
    ssl-max-proto-ver      : tlsl-3
    ssl-min-proto-ver       : tlsl-2
     
    They need to overlap.
     
    #2
    Kiwi (New Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 11:12:59 (permalink)
    Thank you Toshi for your reply.
    In the meantime I updated my initial posting with the TLS 1.0 details before I saw your reply, so please have a look at my posting again and comment again.
    #3
    Toshi Esumi (Expert Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 11:33:14 (permalink)
    What are your settings on the FGT-VM side under "config vpn ssl settings"? Then just "get", which would show you all settings.
    And you must have configured, or it is on by default, "Require Client Certificate" (in the CLI, "set reqclientcert enable"). Just disable it.
    #4
    Kiwi (New Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 12:27:18 (permalink)
    FortiGate-569 # conf vpn ssl sett
    FortiGate-569 (settings) # get
    reqclientcert    : disable  (by Default)
    tlsv1-0             : enable      (I enabled it)
    tlsv1-1             : enable
    tlsv1-2             : enable
    ssl-big-buffer      : disable
    ssl-insert-empty-fragment: enable
    https-redirect      : disable
    ssl-client-renegotiation: disable
    force-two-factor-auth: disable
    servercert          : Fortinet_Factory
    idle-timeout        : 300
    auth-timeout        : 28800
    login-attempt-limit : 2
    login-block-time    : 60
    login-timeout       : 30
    dtls-hello-timeout  : 10
    tunnel-ip-pools     : "SSLVPN_TUNNEL_ADDR1"
    tunnel-ipv6-pools   : "SSLVPN_TUNNEL_IPv6_ADDR1"
    dns-suffix          :
    dns-server1         : 192.168.99.2
    dns-server2         : 8.8.8.8
    wins-server1        : 0.0.0.0
    wins-server2        : 0.0.0.0
    ipv6-dns-server1    : ::
    ipv6-dns-server2    : ::
    ipv6-wins-server1   : ::
    ipv6-wins-server2   : ::
    route-source-interface: disable
    url-obscuration     : disable
    http-compression    : disable
    http-only-cookie    : enable
    port                : 10443
    port-precedence     : enable
    auto-tunnel-static-route: enable
    header-x-forwarded-for: add
    source-interface    : "port1"
    source-address      : "all"
    source-address-negate: disable
    source-address6     : "all"
    source-address6-negate: disable
    default-portal      : full-access
    authentication-rule:
        == [ 1 ]
        id:     1
    dtls-tunnel         : enable
    check-referer       : disable
    http-request-header-timeout: 20
    http-request-body-timeout: 30


    post edited by Kiwi - 2020/02/03 12:37:40
    #5
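An added diagnostic (not from this thread or from Fortinet) that parses `get` output of the kind shown above, reports whether a client's TLS versions overlap the portal's and whether a client certificate is being demanded, and can pin a single handshake to one TLS version against a lab portal. The sample output is constructed; host, port and the client version lists are assumptions.

```python
import socket
import ssl
# Constructed sample of `get` output under `config vpn ssl settings` (5.6-style flags).
SAMPLE_GET_OUTPUT = """\
reqclientcert       : disable
tlsv1-0             : enable
tlsv1-1             : enable
tlsv1-2             : enable
"""
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]

def parse_get_output(text):
    """Turn 'key : value' lines of FortiOS `get` output into a dict."""
    settings = {}
    for line in text.splitlines():
        if ":" in line and not line.strip().startswith("=="):
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip('"')
    return settings

def server_tls_versions(settings):
    """Versions the portal accepts: 5.6-style tlsv1-x flags or the 6.2-style
    ssl-min-proto-ver / ssl-max-proto-ver range."""
    if "ssl-min-proto-ver" in settings:
        lo = TLS_ORDER.index(settings["ssl-min-proto-ver"])
        hi = TLS_ORDER.index(settings.get("ssl-max-proto-ver", "tls1-3"))
        return set(TLS_ORDER[lo:hi + 1])
    return {v for v in TLS_ORDER if settings.get("tlsv" + v[3:]) == "enable"}

def diagnose(settings, client_versions):
    """Explain a failed connection: no version overlap, or a client cert demanded."""
    findings = []
    if not server_tls_versions(settings) & set(client_versions):
        findings.append("no TLS version overlap (SSL_ERROR_NO_CYPHER_OVERLAP)")
    if settings.get("reqclientcert") == "enable":
        findings.append("portal requires a client certificate (reqclientcert)")
    return findings

def probe_version(host, port, version, timeout=5):
    """One handshake pinned to `version` (an ssl.TLSVersion) against a lab portal;
    verification is off because the eval box serves the Fortinet_Factory certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError) as exc:
        return "failed: %s" % exc
```

Modern OpenSSL builds refuse TLS 1.0/1.1 at their default security level, so a probe pinned to those versions may fail on the client side rather than at the portal.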
    Toshi Esumi (Expert Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 12:33:31 (permalink)
    Still doesn't work?
    #6
    Toshi Esumi (Expert Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 12:35:32 (permalink)
    Also you downloaded "FortiClient VPN 6.2" instead of "FortiClient 6.2", right? To test a tunnel mode.
    #7
    Kiwi (New Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 12:40:30 (permalink)
    Yes, FortiClient VPN 6.2 (not the full client), and it's complaining about the certificate:
    Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. Please check the TLS version settings in the Advanced of the Internet options. (-5029)
     
    Note: I just followed the step-by-step of this Cookbook v 5.6 video: https://www.youtube.com/watch?v=IFqsfz6Bto0
    The only difference is that he uses a hardware licensed appliance and I am using the VM evaluation, which does not deal with HTTPS as described in my initial posting.
     
    post edited by Kiwi - 2020/02/03 12:55:19
    #8
    Toshi Esumi (Expert Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 12:57:46 (permalink)
    Then I don't know why. Generally any demo-licensed FGT can be registered at the support portal and you can open a ticket with TAC. Ask the sales/SE who provided the FGT-VM demo license if it's possible.
    #9
    Kiwi (New Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 13:15:05 (permalink)
    Below is a nice article, but my evaluation version does not accept the command "set algorithm medium" as suggested:
     
    http://www.layer8.one/fortigate-sslvpn-connecting-40-unable-to-establish-the-vpn-connection-the-vpn-server-may-be-unreachable-5/
     
    #10
    Kiwi (New Member)
    Re: Fortigate-VM Evaluation copy. Can't test SSL VPN Client setup 2020/02/03 13:19:13 (permalink)
    Hi Toshi,
    About Evaluation copy:
     
    1. A Cisco firewall can be fully evaluated for 60 days without being a customer; same with HP.
    2. See the Fortigate evaluation copy limitations under this link:
    https://docs.fortinet.com/vm/vmware-nsx-t/fortigate/6.0/about-fortigate-for-vmware-nsx-t/6.0.4/992179/fortigate-vm-virtual-appliance-evaluation-license
    You can't do much with the Fortinet evaluation, unfortunately: only one VDOM (root), in addition to the HTTPS and VPN limitations apparently.
    No support for the evaluation; that's normal.

     
    post edited by Kiwi - 2020/02/03 13:20:30
    #11