Show page

Differences

This shows you the differences between two versions of the page.

--- sred:lab9 [2022/01/21 20:13]
horia.stoenescu [e1. Tunnel split [5p]]
+++ sred:lab9 [2023/01/13 17:04] (current)
horia.stoenescu [e2. Remote authentication [5p]]
@@ Line 12: / Line 12: @@
 Topology:
-{{{:sred:lab10.png?800|}}
+{{:sred:sred_lab10_2022.png?800|}}
-**Note**: keep the configuration already made on the latest lab (with HA on both firewalls - the local one should be primary).
+**Note**: you can keep the configuration already made on the latest lab (with IPSec tunnels on both firewalls).
 ===== Exercises =====
@@ Line 179: / Line 179: @@
 </note>
+=== FortiClient extra ===
+If you encounter other issues on your remote user machine when connecting to Fortinet firewall to establish the tunnel, you may check the logs from the path:
+<code>
+eve@ubuntu:$ pwd
+/var/log/forticlient
+eve@ubuntu:$ ll
+total 44
+drwxr-xr-x  4 root root   4096 Jan 21 23:57 ./
+drwxrwxr-x 16 root syslog 4096 Jan 22 00:06 ../
+-rw-r--r--  1 root root    781 Jan 21 23:59 epctrl.log
+-rw-r--r--  1 root root    746 Jan 21 23:57 fctc.log
+-rw-r--r--  1 root root   1078 Jan 21 23:59 fctsched.log
+drwxr-xr-x  2 root root   4096 May 31  2021 fmon_log/
+-rw-r--r--  1 root root    137 Jan 21 23:57 libvcm.log
+-rw-r--r--  1 root root   3554 Jan 21 23:59 sslvpn.log
+-rw-r--r--  1 root root   4503 Jan 21 23:57 update.log
+drwxr-xr-x  2 root root   4096 May 31  2021 vcm_log/
+# from this list, you can verify sslvpn.log file
+</code>
+Known issues that are identified based on logs:
+. The agent's user interface does not properly work (the workaround is described above on step e1.9):
+<code>
+20220122 20:00:56.765 [sslvpn:INFO] main:370 Load profile: SslVpnToHQ
+20220122 20:00:56.807 [sslvpn:INFO] main:118 Get DBUS session bus address
+20220122 20:00:57.844 [sslvpn:INFO] main:162 DBUS session bus address not found
+</code>
+. Wrong subnet used for vpn clients:
+<code>
+20220122 00:13:56.765 [sslvpn:INFO] sslvpn:739 Login successful
+20220122 00:13:56.807 [sslvpn:INFO] main:1112 State: Configuring tunnel
+20220122 00:13:57.844 [sslvpn:INFO] main:1112 State: Connected
+20220122 00:13:57.857 [sslvpn:EROR] vpn_connection:837 IO write local failed. [-1 of 33]
+20220122 00:13:57.857 [sslvpn:EROR] vpn_connection:1379 Error: Disconnected because of error: IO write local failed.
+20220122 00:13:57.857 [sslvpn:INFO] vpn_connection:1493 /remote/logout
+20220122 00:13:57.875 [sslvpn:INFO] sslvpn:751 Logout successful
+</code>
+See the error 'IO write local failed' - this is due to a misconfiguration on the Fortigate machine (the initial source ip pool was 192.168.0.0/24 for tunnel clients, but this range is already used by the second branch, which means the ip cannot be assigned to another interface, in this case, ssl.root).
 ==== e2. Remote authentication [5p] ====
 Besides local authentication, we can use LDAP/RADIUS/TACACS+ servers (remote ones).
@@ Line 184: / Line 226: @@
 As in our topology clients from both branches do not have Internet access, we are going to use a new Linux node (same config as above, but mac address will be **50:00:00:byte_2_eveng_ip:byte3_eveng_ip+4:byte4_eveng_ip**) that is also connected to Cloud0 network.
-{{:sred:ex2_topology.png?800|}}
+{{:sred:sred_lab10_2022_2.png?900|}}
 e2.1: Go to radius_server device and install + configure freeradius:
@@ Line 228: / Line 270: @@
 e2.3: Add the new user to the already existing group **testgroup**
-e2.4: Go again to remote Linux device and try to authenticate to ssl-vpn portal using student:stud123. Check again ping to 192.168.0.2
+e2.4: Go again to remote Linux device and try to authenticate to ssl-vpn portal using student:stud123. Check again ping to 172.16.0.2