nfonz23
New Contributor

No HTTP or HTTPS when connect to a remote VPN

Hi guys,


New to the forum and just started playing with a new FortiGate 60E which I'm looking to replace our office router with. I have set up the FortiGate and everything is working perfectly besides 1 issue and a question. I have set up the IPv4 Policies to allow DNS, HTTP and HTTPS, which are working great; the problem starts when I connect to another remote VPN service through the FortiGate. The VPN connects and I can access services on the remote VPN's network, but HTTP and HTTPS stop on my local computer (I can still ping remote addresses, Google etc.). I disconnect the VPN and all is good again. I'm assuming this is a firewall rule I need to tweak? (A picture of my IPv4 Policies is attached.) I even enabled the Allow All rule I created (for testing) and it still doesn't fix it. My question also: if I only have 3 rules in IPv4 Policies for DNS, HTTP and HTTPS, shouldn't the VPN I was trying to connect to have failed to connect? I would have thought that it would be blocked by default if I haven't made a rule to allow it?


Thanks!

ede_pfau
Esteemed Contributor III

I wonder which kind of VPN you are talking about. Certainly, there is no policy connecting your LAN to it. Which is kind of magic.

Please supply more info on the way your VPN is set up, in general and on the FGT (IPsec, SSLVPN, Windows??).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
lobstercreed

Hi Nathan,


It seems pretty clear to me that the remote VPN service you're connecting to is SSL-VPN, which runs over HTTPS.  This is precisely one of the reasons SSL-VPN became so popular: it works even on networks that only allow basic web traffic.


As to why you lose the ability to do anything else locally when you connect to this VPN, either:

• The routes on their side are overlapping with your LAN network, or
• They're not split-tunneling and are requiring ALL traffic to go through their network. You can check this by doing a traceroute to Google and seeing if it goes directly out your local LAN/WAN or if it goes across their VPN first.

Hope this helps! - Daniel
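The two causes Daniel lists can be checked on the affected computer rather than on the FortiGate. The script below is an added example, not code from this thread or from Fortinet: it parses Linux `ip route` and `traceroute -n` output, flags VPN routes that overlap the office LAN, detects a full-tunnel default route (including the 0.0.0.0/1 + 128.0.0.0/1 pair some clients push), and applies the traceroute test by checking whether hop 1 is the local gateway. The LAN, gateway, interface names and all sample output are constructed, hypothetical values; substitute the real output from the client.

```python
"""Check for overlapping VPN routes and full-tunnel behaviour (added example)."""
import ipaddress
import re

# Constructed values for the office LAN behind the FortiGate (hypothetical).
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")
LOCAL_GATEWAY = ipaddress.ip_address("192.168.1.1")
TUNNEL_IFACES = {"tun0", "ppp0"}  # interface names a VPN client typically creates

# Constructed `ip route` output: the remote side pushes a default route, so ALL
# traffic goes through the tunnel (cause 2 above).
ROUTES_FULL_TUNNEL = """\
0.0.0.0/0 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed `ip route` output: split tunnel, but the remote subnet clashes
# with the office LAN (cause 1 above).
ROUTES_OVERLAP = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.1.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""

# Constructed `traceroute -n` output (documentation addresses): the first hop
# is the tunnel endpoint, not the local gateway.
TRACEROUTE_VIA_VPN = """\
traceroute to example.com (203.0.113.10), 30 hops max, 60 byte packets
 1  10.8.0.1  25.310 ms  25.102 ms  24.977 ms
 2  198.51.100.1  26.004 ms  25.871 ms  25.630 ms
 3  203.0.113.10  27.115 ms  26.902 ms  26.788 ms
"""

ROUTE_RE = re.compile(r"^(?P<dst>default|\S+/\d+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<host>\S+)(?: \((?P<ip>[\d.]+)\))?")


def parse_routes(text):
    """Return (network, gateway_or_None, interface) for each `ip route` line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        via = ipaddress.ip_address(m.group("via")) if m.group("via") else None
        routes.append((ipaddress.ip_network(dst, strict=False), via, m.group("dev")))
    return routes


def overlapping_vpn_routes(text, lan=LOCAL_LAN, tunnel_ifaces=TUNNEL_IFACES):
    """Prefixes routed into the tunnel that overlap the office LAN.

    The default route overlaps everything and is reported by is_full_tunnel()
    instead, so it is excluded here.
    """
    return [
        str(net) for net, _via, dev in parse_routes(text)
        if dev in tunnel_ifaces and net.prefixlen > 0 and net.overlaps(lan)
    ]


def is_full_tunnel(text, tunnel_ifaces=TUNNEL_IFACES):
    """True when the tunnel captures all traffic: a default route via the
    tunnel, or the 0.0.0.0/1 + 128.0.0.0/1 pair that beats the existing default."""
    tunnel_nets = {net for net, _via, dev in parse_routes(text) if dev in tunnel_ifaces}
    if ipaddress.ip_network("0.0.0.0/0") in tunnel_nets:
        return True
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return halves <= tunnel_nets


def first_hop(traceroute_text):
    """Address of hop 1, or None if it did not answer or is not an address."""
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if m and m.group("hop") == "1":
            host = m.group("ip") or m.group("host")
            try:
                return ipaddress.ip_address(host)
            except ValueError:  # "*" (no reply) or an unresolved hostname
                return None
    return None


def exits_via_local_gateway(traceroute_text, gateway=LOCAL_GATEWAY):
    """Daniel's traceroute test: does web traffic leave through the office gateway?"""
    return first_hop(traceroute_text) == gateway


if __name__ == "__main__":
    print("full tunnel:", is_full_tunnel(ROUTES_FULL_TUNNEL))
    print("overlapping VPN routes:", overlapping_vpn_routes(ROUTES_OVERLAP))
    print("exits via local gateway:", exits_via_local_gateway(TRACEROUTE_VIA_VPN))
```

Run `ip route` and `traceroute -n <destination>` with the remote VPN connected and feed that text to the functions. A full tunnel or an overlapping prefix both explain why local web traffic never reaches the FortiGate at all, which is why changing the IPv4 policy has no effect.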

nfonz23

Thanks for your replies. I don't think it overlaps with their LAN, as the VPN works fine when I take the FortiGate out of our network and put the old router back in place. Same with the split-tunneling: if I put the old router back in place (untangled virtual appliance) everything works fine. Is there a way to capture the traffic going through the FortiGate from my local LAN address, so I can capture at which point it's being blocked/stopping? Also, you were right, the VPN is SSTP (SSL). Thanks!

lobstercreed

Did you ever figure this out? I can't think of anything else right now that would match those symptoms. I assume other users can still access the internet fine when you're connected to this remote SSL-VPN on your computer?

As far as capturing, there is a Packet Capture feature in the GUI that might help. I don't think the FortiGate is getting the packets though if it only happens when you turn on the remote VPN. Is it a DNS issue? You did mention you can still ping certain remote addresses...by name or IP only?
