This shows you the differences between two versions of the page.
sred:lab9 [2022/01/21 15:18] horia.stoenescu [e1. Tunnel split [5p]] |
sred:lab9 [2023/01/13 17:04] (current) horia.stoenescu [e2. Remote authentication [5p]] |
Line 12: | Line 12: | ||
Topology: | Topology: | ||
- | {{{:sred:lab10.png?800|}} | + | {{:sred:sred_lab10_2022.png?800|}} |
- | **Note**: keep the configuration already made on the latest lab (with HA on both firewalls - the local one should be primary). | + | **Note**: you can keep the configuration already made on the latest lab (with IPSec tunnels on both firewalls). |
===== Exercises ===== | ===== Exercises ===== | ||
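Review bot: the rewritten topology note now says the previous lab's configuration "can" be kept, which makes it optional, yet later steps rely on objects that come from it (the source_ip_pools address object, port1's private IP, the branch subnets used in the route and ping checks), so the note should say which of those are prerequisites for a student who starts from a clean firewall and which parts of the IPSec setup are genuinely optional.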
Line 74: | Line 74: | ||
- keep for portal certificate the self-signed one | - keep for portal certificate the self-signed one | ||
+ | |||
+ | - keep the logout time to 300 seconds (after 5 minutes of inactivity, disconnect the user automatically) | ||
- Tunnel Mode Client Settings > Specify custom IP Ranges > select address **source_ip_pools** (this way the source ip from range 192.168.100.0/24 will be let to access internal networks. If we keep the default ip pools here, clients will receive an ip from pool configured on Portal above) | - Tunnel Mode Client Settings > Specify custom IP Ranges > select address **source_ip_pools** (this way the source ip from range 192.168.100.0/24 will be let to access internal networks. If we keep the default ip pools here, clients will receive an ip from pool configured on Portal above) | ||
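Review bot: the new bullet calls the 300-second setting the "logout time", but on the SSL-VPN Settings page this is the idle logout (the Idle Logout toggle with its inactivity timer in seconds), so name that field so students find it, and say explicitly that it is an inactivity timer, not a maximum session length; 300 seconds is also the default value, so "keep" is the right verb here.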
Line 95: | Line 97: | ||
- keep the rest as they are | - keep the rest as they are | ||
- | e1.7: After firewall configuration, we need to check SSL-VPN configuration: on Remote device, go to Firefox and type address: http://fw_address:10443 (for fw_address use the private ip from port1). Authenticate and see the welcome page. | + | e1.7: After firewall configuration, we need to check SSL-VPN configuration: on Remote device, go to Firefox and type address: https://fw_address:10443 (for fw_address use the private ip from port1). Authenticate and see the welcome page. |
+ | |||
+ | Check if you can access the ip address of client1 (172.16.0.2), by going to 'Quick connection', select ping application and enter client1's ip address. You should receive the message: '172.16.0.2' is reachable. | ||
+ | |||
+ | **FortiClient** is the agent that needs to run on client's side in order to create the VPN tunnel (same as Cisco AnyConnect and Palo Alto's GlobalProtect). | ||
+ | |||
+ | <note tip> | ||
+ | The system administrator can define other types of tests that can be pushed to portal's page. When clients are connecting to this page, they might firstly try to run them to see if the required resources are available, and after that they can download the installer for agent. | ||
+ | |||
+ | This can be done by going to VPN > SSL-VPN Portals > select the portal from above > Predefined Bookmarks > New Bookmark, and add a name, select the protocol (can be ssh), add the host and ip address of client and save. After a refresh on the portal's page, you may see the Bookmarks on top. Click on icon, then a new tab should appear, with a console to connect to machine: | ||
+ | |||
+ | {{:sred:lab10_2.png?800|}} | ||
+ | |||
+ | </note> | ||
e1.8: As FortiClient download link is not included in portal webpage, we need to install it directly from cli: | e1.8: As FortiClient download link is not included in portal webpage, we need to install it directly from cli: | ||
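Review bot: in the bookmark tip, "add the host and ip address of client" is unclear because a bookmark has a single host field (a hostname or an IP address) plus the port for ssh; reword it as "enter client1's IP address (and port 22 for ssh)". It is also worth one sentence that predefined bookmarks are published to every user mapped to that portal, so they should only point at hosts those users are allowed to reach through the firewall policy. The http to https change in e1.7 is correct, since the portal on port 10443 only answers over TLS and the self-signed certificate warning mentioned later depends on it.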
Line 102: | Line 117: | ||
# install gpg key | # install gpg key | ||
wget -O - https://repo.fortinet.com/repo/6.4/ubuntu/DEB-GPG-KEY | sudo apt-key add - | wget -O - https://repo.fortinet.com/repo/6.4/ubuntu/DEB-GPG-KEY | sudo apt-key add - | ||
- | # add to /etc/apt/sources.list | + | # add to /etc/apt/sources.list the deb path |
- | deb [arch=amd64] https://repo.fortinet.com/repo/6.4/ubuntu/ /bionic multiverse | + | sudo sh -c 'echo "deb [arch=amd64] https://repo.fortinet.com/repo/6.4/ubuntu/ /bionic multiverse" >> /etc/apt/sources.list' |
+ | # update and install the package | ||
sudo apt-get update | sudo apt-get update | ||
sudo apt-get install forticlient | sudo apt-get install forticlient | ||
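Review bot: the new `sudo sh -c 'echo "deb ..." >> /etc/apt/sources.list'` line appends unconditionally, so a student who re-runs the step ends up with a duplicate entry and an apt warning; prefer writing the single line to its own file, e.g. `echo "deb [arch=amd64] https://repo.fortinet.com/repo/6.4/ubuntu/ /bionic multiverse" | sudo tee /etc/apt/sources.list.d/forticlient.list`, which is idempotent and keeps the vendor repository separate from the system list. The `apt-key add` step is fine on bionic, which is the suite this repository path targets, but it is deprecated on newer Ubuntu releases, so a short remark would save students on other versions some confusion.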
Line 119: | Line 135: | ||
Save and login user credentials from e1.2 (accept portal certificate). | Save and login user credentials from e1.2 (accept portal certificate). | ||
+ | |||
+ | <note important> | ||
+ | In case you cannot login to ssl-vpn portal (no certificate warning appears), you need to do the following (workaround for this Linux bug): close the window from 'X' (DO not kill the application), then start it again from Application's Icon (seen above on taskbar) > FortiClient and try to login again to portal. | ||
+ | </note> | ||
e1.10: Check the newly configured interface for vpn: | e1.10: Check the newly configured interface for vpn: | ||
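Review bot: the important note's trigger condition "no certificate warning appears" should state the expected behaviour first: with the self-signed portal certificate an accept prompt must appear, so its absence means the client never reached the TLS handshake. Point students to the 'DBUS session bus address not found' lines in /var/log/forticlient/sslvpn.log (shown in the FortiClient extra section of this same change) so they can confirm they are hitting this exact issue before applying the close-and-relaunch workaround.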
Line 133: | Line 153: | ||
eve@ubuntu:~$ ip r s | eve@ubuntu:~$ ip r s | ||
[...] | [...] | ||
- | 192.168.0.0/24 via 192.168.100.1 dev vpn scope link | + | 172.16.0.0/24 via 192.168.100.1 dev vpn scope link |
192.168.100.1 dev vpn proto kernel scope link src 192.168.100.1 metric 450 | 192.168.100.1 dev vpn proto kernel scope link src 192.168.100.1 metric 450 | ||
# see that branch1 route is injected | # see that branch1 route is injected | ||
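Review bot: since this exercise is the split-tunnel check, the expected output should also say what must not be there: with split tunneling enabled only the 172.16.0.0/24 route and the tunnel's own 192.168.100.1 host route should point at dev vpn, and there must be no `default via ... dev vpn` entry; ask students to confirm the default route still leaves via their physical interface, otherwise all of their traffic, Internet included, is being sent through the firewall. The "# see that branch1 route is injected" comment stays accurate after the 192.168.0.0/24 to 172.16.0.0/24 renumbering.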
Line 140: | Line 160: | ||
For test, ping client1 from branch1: | For test, ping client1 from branch1: | ||
<code> | <code> | ||
- | eve@ubuntu:~$ ping -c 5 192.168.0.2 | + | eve@ubuntu:~$ ping -c 5 172.16.0.2 |
- | PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data. | + | PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data. |
- | 64 bytes from 192.168.0.2: icmp_seq=1 ttl=63 time=1.69 ms | + | 64 bytes from 172.16.0.2: icmp_seq=1 ttl=63 time=1.69 ms |
- | 64 bytes from 192.168.0.2: icmp_seq=2 ttl=63 time=2.57 ms | + | 64 bytes from 172.16.0.2: icmp_seq=2 ttl=63 time=2.57 ms |
- | 64 bytes from 192.168.0.2: icmp_seq=3 ttl=63 time=2.79 ms | + | 64 bytes from 172.16.0.2: icmp_seq=3 ttl=63 time=2.79 ms |
- | 64 bytes from 192.168.0.2: icmp_seq=4 ttl=63 time=5.44 ms | + | 64 bytes from 172.16.0.2: icmp_seq=4 ttl=63 time=5.44 ms |
- | 64 bytes from 192.168.0.2: icmp_seq=5 ttl=63 time=4.00 ms | + | 64 bytes from 172.16.0.2: icmp_seq=5 ttl=63 time=4.00 ms |
- | --- 192.168.0.2 ping statistics --- | + | --- 172.16.0.2 ping statistics --- |
5 packets transmitted, 5 received, 0% packet loss, time 4011ms | 5 packets transmitted, 5 received, 0% packet loss, time 4011ms | ||
rtt min/avg/max/mdev = 1.690/3.300/5.441/1.301 ms | rtt min/avg/max/mdev = 1.690/3.300/5.441/1.301 ms | ||
</code> | </code> | ||
- | <note> | + | <note tip> |
We can also configure for an user definition, MFA, using FortiTokens (email or SMS are used for enabling the FortiToken application) - see them on User & Authentication > FortiTokens. But, this requires special licenses which are not currently available for us. | We can also configure for an user definition, MFA, using FortiTokens (email or SMS are used for enabling the FortiToken application) - see them on User & Authentication > FortiTokens. But, this requires special licenses which are not currently available for us. | ||
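Review bot: the updated ping transcript keeps the exact RTT values, sequence numbers and statistics of the old 192.168.0.2 capture with only the address substituted, so it is an edited capture rather than a fresh one; re-run the ping on the renumbered topology (or mark the output as illustrative) so the numbers students compare against are real. The change from <note> to <note tip> matches the other tips in the page.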
Line 159: | Line 179: | ||
</note> | </note> | ||
+ | === FortiClient extra === | ||
+ | |||
+ | If you encounter other issues on your remote user machine when connecting to Fortinet firewall to establish the tunnel, you may check the logs from the path: | ||
+ | <code> | ||
+ | eve@ubuntu:$ pwd | ||
+ | /var/log/forticlient | ||
+ | eve@ubuntu:$ ll | ||
+ | total 44 | ||
+ | drwxr-xr-x 4 root root 4096 Jan 21 23:57 ./ | ||
+ | drwxrwxr-x 16 root syslog 4096 Jan 22 00:06 ../ | ||
+ | -rw-r--r-- 1 root root 781 Jan 21 23:59 epctrl.log | ||
+ | -rw-r--r-- 1 root root 746 Jan 21 23:57 fctc.log | ||
+ | -rw-r--r-- 1 root root 1078 Jan 21 23:59 fctsched.log | ||
+ | drwxr-xr-x 2 root root 4096 May 31 2021 fmon_log/ | ||
+ | -rw-r--r-- 1 root root 137 Jan 21 23:57 libvcm.log | ||
+ | -rw-r--r-- 1 root root 3554 Jan 21 23:59 sslvpn.log | ||
+ | -rw-r--r-- 1 root root 4503 Jan 21 23:57 update.log | ||
+ | drwxr-xr-x 2 root root 4096 May 31 2021 vcm_log/ | ||
+ | # from this list, you can verify sslvpn.log file | ||
+ | </code> | ||
+ | |||
+ | Known issues that are identified based on logs: | ||
+ | |||
+ | 1. The agent's user interface does not properly work (the workaround is described above on step e1.9): | ||
+ | <code> | ||
+ | 20220122 20:00:56.765 [sslvpn:INFO] main:370 Load profile: SslVpnToHQ | ||
+ | 20220122 20:00:56.807 [sslvpn:INFO] main:118 Get DBUS session bus address | ||
+ | 20220122 20:00:57.844 [sslvpn:INFO] main:162 DBUS session bus address not found | ||
+ | </code> | ||
+ | |||
+ | 2. Wrong subnet used for vpn clients: | ||
+ | <code> | ||
+ | 20220122 00:13:56.765 [sslvpn:INFO] sslvpn:739 Login successful | ||
+ | 20220122 00:13:56.807 [sslvpn:INFO] main:1112 State: Configuring tunnel | ||
+ | 20220122 00:13:57.844 [sslvpn:INFO] main:1112 State: Connected | ||
+ | 20220122 00:13:57.857 [sslvpn:EROR] vpn_connection:837 IO write local failed. [-1 of 33] | ||
+ | 20220122 00:13:57.857 [sslvpn:EROR] vpn_connection:1379 Error: Disconnected because of error: IO write local failed. | ||
+ | 20220122 00:13:57.857 [sslvpn:INFO] vpn_connection:1493 /remote/logout | ||
+ | 20220122 00:13:57.875 [sslvpn:INFO] sslvpn:751 Logout successful | ||
+ | </code> | ||
+ | |||
+ | See the error 'IO write local failed' - this is due to a misconfiguration on the Fortigate machine (the initial source ip pool was 192.168.0.0/24 for tunnel clients, but this range is already used by the second branch, which means the ip cannot be assigned to another interface, in this case, ssl.root). | ||
==== e2. Remote authentication [5p] ==== | ==== e2. Remote authentication [5p] ==== | ||
Besides local authentication, we can use LDAP/RADIUS/TACACS+ servers (remote ones). | Besides local authentication, we can use LDAP/RADIUS/TACACS+ servers (remote ones). | ||
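Review bot: item 2 under "Known issues" explains the subnet overlap only in prose; tell the reader how to confirm it on the firewall side, since the client's sslvpn.log only shows the symptom ('IO write local failed' immediately after 'State: Connected'): compare the address object selected in Tunnel Mode Client Settings (source_ip_pools, 192.168.100.0/24) with the subnets in the firewall's routing table and the branch networks, and state the rule that the SSL-VPN tunnel pool must not overlap any subnet already reachable through the firewall. Two smaller points: the listing uses the `ll` alias and a prompt without `~`, so `ls -l /var/log/forticlient` would be more portable and consistent with the earlier transcripts, and the two log excerpts share identical millisecond fractions (.765, .807, .844), which suggests hand-editing; paste the real lines from the log.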
Line 164: | Line 226: | ||
As in our topology clients from both branches do not have Internet access, we are going to use a new Linux node (same config as above, but mac address will be **50:00:00:byte_2_eveng_ip:byte3_eveng_ip+4:byte4_eveng_ip**) that is also connected to Cloud0 network. | As in our topology clients from both branches do not have Internet access, we are going to use a new Linux node (same config as above, but mac address will be **50:00:00:byte_2_eveng_ip:byte3_eveng_ip+4:byte4_eveng_ip**) that is also connected to Cloud0 network. | ||
- | {{:sred:ex2_topology.png?800|}} | + | {{:sred:sred_lab10_2022_2.png?900|}} |
e2.1: Go to radius_server device and install + configure freeradius: | e2.1: Go to radius_server device and install + configure freeradius: | ||
Line 208: | Line 270: | ||
e2.3: Add the new user to the already existing group **testgroup** | e2.3: Add the new user to the already existing group **testgroup** | ||
- | e2.4: Go again to remote Linux device and try to authenticate to ssl-vpn portal using student:stud123. Check again ping to 192.168.0.2 | + | e2.4: Go again to remote Linux device and try to authenticate to ssl-vpn portal using student:stud123. Check again ping to 172.16.0.2 |
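Review bot: e2.4 verifies only that the login and the ping to 172.16.0.2 succeed, which does not prove the RADIUS path was exercised; add a check on the firewall (the SSL-VPN monitor or the event log entry for that login) that the user was authenticated by the RADIUS server and not by a local account, because an existing local user with the same name would make the same test pass. The target change to 172.16.0.2 is consistent with the e1.7 reachability check and the ping transcript earlier in this change.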