SSL VPN - Can Connect But No Traffic

Having quite a bit of difficulty configuring SSL VPN. I can now successfully establish an SSL VPN connection through the client (I get the green light) and confirm that I get assigned an IP from the SSL VPN pool. But I cannot connect to anything at all. When I try pinging the firewall (or any other IP address on the LAN) I get no results. When I turn on default gateway, I cannot access any external websites. It's like it's connected to nothing at all.

Even more odd is that the firewall rule I created shows traffic coming through:

And the logs also show traffic as being allowed:

2017-01-07 13:10:39 | Firewall Rule | Allowed | david | 2 | tun0 | PortB | 10.81.234.6 :TCP(62959) | 74.125.202.188 :TCP(5228) | User | 00001
2017-01-07 13:10:06 | Firewall Rule | Allowed | david | 2 | tun0 | PortB | 10.81.234.6 :TCP(62931) | 75.101.136.125 :TCP(80) | User | 00001
2017-01-07 13:11:06 | Firewall Rule | Allowed | david | 2 | tun0 | - | 10.81.234.6 :TCP(62971) | 38.112.113.153 :TCP(443) | User | 00001

I've followed the "Configuring SSL VPN for Remote Access" guide and have checked and rechecked my settings.

I also found another discussion that suggested a new host network be created and interface ports be deleted from the VPN config (Configure - VPN - SSL VPN (Remote Access)), so I did that:

I've defined LAN as the entire subnet I'm using for the LAN:

SSL VPN settings have been left at the defaults, other than changing encryption to AES-256-CBC.

I've not bothered posting the other SSL VPN settings seeing as how I can establish the VPN connection.

This is driving me nuts. Might anyone have any suggestions as to what I might be doing wrong?



This thread was automatically locked due to age.
  • Just a further note: In tunnel access, rather than trying to add an IP subnet, thought I'd try to add an IP range to see if that might work, so I created a new network resource within the SSL VPN (Remote Access) screen under Permitted Network Resources (IPv4) and added it. Or at least I thought I added it. When I checked the settings, it hadn't been added, nor can I even select the newly created range under Permitted Network Resources (IPv4).

    The definition was definitely created. When I go into System - Hosts and Services - IP Hosts, it's still listed there:

    But it doesn't show up as a permitted selection under Tunnel Access:

    I must say, just as an editorial comment, that setting up VPN under UTM 9 was so, so much easier and straightforward.

  • Oops. Just found another post with the same issue. Will work through the suggested approach there.

  • And, turns out I already worked through the suggested solution, with the exception of adding VPN to the #Default_Network_Policy. Wasn't sure if it should be added to Source or Destination. Tried both but still no traffic, no pings, no traffic.

    Very frustrating. 

  • dma0,

    send me a PM and I will have a look at your problem.

  • Thanks and done.

    Also, from the client end, things (at least as far as I can tell) seem OK:

    From the client log:

    Sun Jan 08 01:06:04 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.81.234.0/10.81.234.6/255.255.255.0 [SUCCEEDED]
    Sun Jan 08 01:06:04 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.81.234.6/255.255.255.0 on interface {B9F62FC7-306F-468D-B989-B4433B6EF043} [DHCP-serv: 10.81.234.254, lease-time: 31536000]
    Sun Jan 08 01:06:04 2017 Successful ARP Flush on interface [12] {B9F62FC7-306F-468D-B989-B4433B6EF043}
    Sun Jan 08 01:06:08 2017 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
    Sun Jan 08 01:06:08 2017 MANAGEMENT: >STATE:1483855568,ADD_ROUTES,,,,,,
    Sun Jan 08 01:06:08 2017 C:\WINDOWS\system32\route.exe ADD 99.231.148.127 MASK 255.255.255.255 192.168.43.1
    Sun Jan 08 01:06:08 2017 Route addition via service succeeded
    Sun Jan 08 01:06:08 2017 C:\WINDOWS\system32\route.exe ADD 10.0.0.0 MASK 255.255.255.0 10.81.234.5
    Sun Jan 08 01:06:08 2017 Route addition via service succeeded
    Sun Jan 08 01:06:08 2017 C:\WINDOWS\system32\route.exe ADD 99.231.148.127 MASK 255.255.255.255 192.168.43.1
    Sun Jan 08 01:06:08 2017 ROUTE: route addition failed using service: The object already exists. [status=5010 if_index=14]
    Sun Jan 08 01:06:08 2017 Route addition via service failed
    Sun Jan 08 01:06:08 2017 Initialization Sequence Completed
    Sun Jan 08 01:06:08 2017 MANAGEMENT: >STATE:1483855568,CONNECTED,SUCCESS,10.81.234.6,99.231.148.127,8443,,

    From ipconfig:

    Ethernet adapter Ethernet 2:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::7021:81ee:a6a3:1e23%12
       IPv4 Address. . . . . . . . . . . : 10.81.234.6
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :

    Wireless LAN adapter Wi-Fi:

       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::e594:ee65:d831:65be%14
       IPv4 Address. . . . . . . . . . . : 192.168.43.130
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.43.1

    From netstat -rn:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination  Netmask          Gateway       Interface       Metric
    0.0.0.0              0.0.0.0          192.168.43.1  192.168.43.130  55
    10.0.0.0             255.255.255.0    10.81.234.5   10.81.234.6     257
    10.81.234.0          255.255.255.0    On-link       10.81.234.6     257
    10.81.234.6          255.255.255.255  On-link       10.81.234.6     257
    10.81.234.255        255.255.255.255  On-link       10.81.234.6     257
    99.231.148.127       255.255.255.255  192.168.43.1  192.168.43.130  311
    127.0.0.0            255.0.0.0        On-link       127.0.0.1       331
    127.0.0.1            255.255.255.255  On-link       127.0.0.1       331
    127.255.255.255      255.255.255.255  On-link       127.0.0.1       331
    192.168.43.0         255.255.255.0    On-link       192.168.43.130  311
    192.168.43.130       255.255.255.255  On-link       192.168.43.130  311
    192.168.43.255       255.255.255.255  On-link       192.168.43.130  311
    224.0.0.0            240.0.0.0        On-link       127.0.0.1       331
    224.0.0.0            240.0.0.0        On-link       10.81.234.6     257
    224.0.0.0            240.0.0.0        On-link       192.168.43.130  311
    255.255.255.255      255.255.255.255  On-link       127.0.0.1       331
    255.255.255.255      255.255.255.255  On-link       10.81.234.6     257
    255.255.255.255      255.255.255.255  On-link       192.168.43.130  311
    ===========================================================================
    Persistent Routes:
    None
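
An added example, not part of the original post: a small Python check that applies longest-prefix matching to rows copied from the `netstat -rn` output above, to confirm which destinations the client actually sends into the tunnel. The function names are hypothetical, `10.0.0.1` is a constructed test address inside the pushed `10.0.0.0/24` route, and the tunnel is identified by the client address `10.81.234.6`.

```python
import ipaddress

# Excerpt of the active routes from the netstat -rn output above (sample input).
ROUTES_TEXT = """\
Network Destination  Netmask          Gateway       Interface       Metric
0.0.0.0              0.0.0.0          192.168.43.1  192.168.43.130  55
10.0.0.0             255.255.255.0    10.81.234.5   10.81.234.6     257
10.81.234.0          255.255.255.0    On-link       10.81.234.6     257
99.231.148.127       255.255.255.255  192.168.43.1  192.168.43.130  311
192.168.43.0         255.255.255.0    On-link       192.168.43.130  311
"""

def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}")
            metric = int(metric)
        except ValueError:
            continue  # not a route row
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": metric})
    return routes

def select_route(routes, destination):
    """Return the route used for destination: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(destination)
    matches = [r for r in routes if ip in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))

def via_tunnel(routes, destination, tunnel_ip="10.81.234.6"):
    """True if the selected route leaves through the VPN adapter."""
    route = select_route(routes, destination)
    return route is not None and route["interface"] == tunnel_ip

if __name__ == "__main__":
    table = parse_routes(ROUTES_TEXT)
    # Constructed LAN address, a destination from the firewall log, the VPN server.
    for dst in ("10.0.0.1", "74.125.202.188", "99.231.148.127"):
        r = select_route(table, dst)
        print(f"{dst:16} -> {r['network']} via {r['gateway']} on {r['interface']}")
```

With this route table only `10.0.0.0/24` and the tunnel subnet itself leave through the VPN adapter; everything else, including the VPN server address, follows the Wi-Fi default route.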