Differences
This shows you the differences between two versions of the page.
|
sred:lab9 [2022/01/21 18:34] horia.stoenescu [e1. Tunnel split [5p]] |
sred:lab9 [2023/01/13 17:04] (current) horia.stoenescu [e2. Remote authentication [5p]] |
||
|---|---|---|---|
| Line 12: | Line 12: | ||
| Topology: | Topology: | ||
| - | {{{:sred:lab10.png?800|}} | + | {{:sred:sred_lab10_2022.png?800|}} |
| - | **Note**: keep the configuration already made on the latest lab (with HA on both firewalls - the local one should be primary). | + | **Note**: you can keep the configuration already made on the latest lab (with IPSec tunnels on both firewalls). |
| ===== Exercises ===== | ===== Exercises ===== | ||
| Line 97: | Line 97: | ||
| - keep the rest as they are | - keep the rest as they are | ||
| - | e1.7: After firewall configuration, we need to check SSL-VPN configuration: on Remote device, go to Firefox and type address: http://fw_address:10443 (for fw_address use the private ip from port1). Authenticate and see the welcome page. | + | e1.7: After firewall configuration, we need to check SSL-VPN configuration: on Remote device, go to Firefox and type address: https://fw_address:10443 (for fw_address use the private ip from port1). Authenticate and see the welcome page. |
| Check if you can access the ip address of client1 (172.16.0.2), by going to 'Quick connection', select ping application and enter client1's ip address. You should receive the message: '172.16.0.2' is reachable. | Check if you can access the ip address of client1 (172.16.0.2), by going to 'Quick connection', select ping application and enter client1's ip address. You should receive the message: '172.16.0.2' is reachable. | ||
| Line 179: | Line 179: | ||
| </note> | </note> | ||
| + | === FortiClient extra === | ||
| + | |||
| + | If you encounter other issues on your remote user machine when connecting to Fortinet firewall to establish the tunnel, you may check the logs from the path: | ||
| + | <code> | ||
| + | eve@ubuntu:$ pwd | ||
| + | /var/log/forticlient | ||
| + | eve@ubuntu:$ ll | ||
| + | total 44 | ||
| + | drwxr-xr-x 4 root root 4096 Jan 21 23:57 ./ | ||
| + | drwxrwxr-x 16 root syslog 4096 Jan 22 00:06 ../ | ||
| + | -rw-r--r-- 1 root root 781 Jan 21 23:59 epctrl.log | ||
| + | -rw-r--r-- 1 root root 746 Jan 21 23:57 fctc.log | ||
| + | -rw-r--r-- 1 root root 1078 Jan 21 23:59 fctsched.log | ||
| + | drwxr-xr-x 2 root root 4096 May 31 2021 fmon_log/ | ||
| + | -rw-r--r-- 1 root root 137 Jan 21 23:57 libvcm.log | ||
| + | -rw-r--r-- 1 root root 3554 Jan 21 23:59 sslvpn.log | ||
| + | -rw-r--r-- 1 root root 4503 Jan 21 23:57 update.log | ||
| + | drwxr-xr-x 2 root root 4096 May 31 2021 vcm_log/ | ||
| + | # from this list, you can verify sslvpn.log file | ||
| + | </code> | ||
| + | |||
| + | Known issues that are identified based on logs: | ||
| + | |||
| + | 1. The agent's user interface does not properly work (the workaround is described above on step e1.9): | ||
| + | <code> | ||
| + | 20220122 20:00:56.765 [sslvpn:INFO] main:370 Load profile: SslVpnToHQ | ||
| + | 20220122 20:00:56.807 [sslvpn:INFO] main:118 Get DBUS session bus address | ||
| + | 20220122 20:00:57.844 [sslvpn:INFO] main:162 DBUS session bus address not found | ||
| + | </code> | ||
| + | |||
| + | 2. Wrong subnet used for vpn clients: | ||
| + | <code> | ||
| + | 20220122 00:13:56.765 [sslvpn:INFO] sslvpn:739 Login successful | ||
| + | 20220122 00:13:56.807 [sslvpn:INFO] main:1112 State: Configuring tunnel | ||
| + | 20220122 00:13:57.844 [sslvpn:INFO] main:1112 State: Connected | ||
| + | 20220122 00:13:57.857 [sslvpn:EROR] vpn_connection:837 IO write local failed. [-1 of 33] | ||
| + | 20220122 00:13:57.857 [sslvpn:EROR] vpn_connection:1379 Error: Disconnected because of error: IO write local failed. | ||
| + | 20220122 00:13:57.857 [sslvpn:INFO] vpn_connection:1493 /remote/logout | ||
| + | 20220122 00:13:57.875 [sslvpn:INFO] sslvpn:751 Logout successful | ||
| + | </code> | ||
| + | |||
| + | See the error 'IO write local failed' - this is due to a misconfiguration on the Fortigate machine (the initial source ip pool was 192.168.0.0/24 for tunnel clients, but this range is already used by the second branch, which means the ip cannot be assigned to another interface, in this case, ssl.root). | ||
| ==== e2. Remote authentication [5p] ==== | ==== e2. Remote authentication [5p] ==== | ||
| Besides local authentication, we can use LDAP/RADIUS/TACACS+ servers (remote ones). | Besides local authentication, we can use LDAP/RADIUS/TACACS+ servers (remote ones). | ||
| Line 184: | Line 226: | ||
| As in our topology clients from both branches do not have Internet access, we are going to use a new Linux node (same config as above, but mac address will be **50:00:00:byte_2_eveng_ip:byte3_eveng_ip+4:byte4_eveng_ip**) that is also connected to Cloud0 network. | As in our topology clients from both branches do not have Internet access, we are going to use a new Linux node (same config as above, but mac address will be **50:00:00:byte_2_eveng_ip:byte3_eveng_ip+4:byte4_eveng_ip**) that is also connected to Cloud0 network. | ||
| - | {{:sred:ex2_topology.png?800|}} | + | {{:sred:sred_lab10_2022_2.png?900|}} |
| e2.1: Go to radius_server device and install + configure freeradius: | e2.1: Go to radius_server device and install + configure freeradius: | ||
| Line 228: | Line 270: | ||
| e2.3: Add the new user to the already existing group **testgroup** | e2.3: Add the new user to the already existing group **testgroup** | ||
| - | e2.4: Go again to remote Linux device and try to authenticate to ssl-vpn portal using student:stud123. Check again ping to 192.168.0.2 | + | e2.4: Go again to remote Linux device and try to authenticate to ssl-vpn portal using student:stud123. Check again ping to 172.16.0.2 |
