SSL VPN Debug

It is very important to go through the debug logs when there is an issue with SSL VPN. I have tried here to break the debug output into steps so that we can understand the flow of the VPN connection and figure out exactly where the issue is.

1st step:

  • The FortiGate (FW) and the client establish an SSL tunnel
  • It checks the client certificate requirement and the TLS version supported by the client
  • At the end of this flow, you can see the TLS version and cipher used
IMP: If you are facing an issue at this stage, verify the TLS version, the ciphers and the client certificate requirement



2nd step:
  • It matches the authentication rule and checks the user credentials
  • It validates the authentication rule (if you have more than one auth rule, it uses a top-to-bottom approach)
  • At the end you can see that authentication was successful
IMP: If an issue occurs at this stage, you need to verify the auth rule and the credentials


3rd step:

  • In this step, it does the host check (the host check verifies whether the system meets the specified OS, registry, AV and firewall requirements)
  • You can also see which portal is being used here (it is tunnel-access)
  • It reserves a dynamic IP from the source pool

4th step:

  • Again, it establishes an SSL connection.




5th step:

  • The tunnel is established
  • It does license checks against FortiClient
  • Lastly, it establishes the PPP connection or service



6th step:
  • Once the PPP connection is established, it negotiates the LCP and IPCP protocols

LCP:

  • The link control protocol (LCP) frames are transmitted during the link establishment and termination phases, and periodically during the life of the link.
  • They are used to negotiate the configuration of the PPP link, and to test and maintain the link, once it is established.



Client ---------------->LCP Request--MRU=1354-----------FW
       ---------------->LCP Request--MRU=1354<----------



[5123:root:0]RCV: LCP Configure_Request id(1) len(14) [Maximum_Received_Unit 1354] [Magic_Number FB7C1352] 
[5123:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 2858EE4F] 
[5123:root:0]lcp_reqci: returning CONFACK.
[5123:root:0]SND: LCP Configure_Ack id(1) len(14) [Maximum_Received_Unit 1354] [Magic_Number FB7C1352] 
[5123:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 2858EE4F] 
[5123:root:0]lcp_up: with mtu 1354

IPCP:

Internet Protocol Control Protocol (IPCP) is a Network Control Protocol (NCP) for establishing and configuring Internet Protocol over a Point-to-Point Protocol link.
It is responsible for configuring, enabling, and disabling the IP protocol modules on both ends of the point-to-point link. 


[5123:root:0]SND: IPCP Configure_Request id(1) [IP_Address 10.5.22.103] 
[5123:root:0]RCV: IPCP Configure_Request id(0) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Secondary_DNS_IP_Address 0.0.0.0] 
[5123:root:0]ipcp: returning Configure-NAK
[5123:root:0]SND: IPCP Configure_Nak id(0) [IP_Address 10.212.134.200] [Primary_DNS_IP_Address 127.0.0.1] [Secondary_DNS_IP_Address 127.0.0.1] 
[5123:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 10.5.22.103] 
[5123:root:0]RCV: IPCP Configure_Request id(1) [IP_Address 10.212.134.200] [Primary_DNS_IP_Address 127.0.0.1] [Secondary_DNS_IP_Address 127.0.0.1] 
[5123:root:0]ipcp: returning Configure-ACK
[5123:root:0]SND: IPCP Configure_Ack id(1) [IP_Address 10.212.134.200] [Primary_DNS_IP_Address 127.0.0.1] [Secondary_DNS_IP_Address 127.0.0.1] 
[5123:root:0]ipcp: up ppp:0x7f0c8ee4f000 caller:0x7f0c8eda0900 tun:37
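
An added example (not part of the original post and not Fortinet tooling): a small Python script that reduces the PPP lines of this debug output to the negotiated MTU and addresses, and reports which phase never completed. The function `summarize` and its field names are hypothetical, and the `Configure_Reject` spelling is an assumption made by analogy with the `Configure_Nak` lines above.

```python
import re

# PPP lines taken from the debug output shown on this page.
PAGE_LOG = """\
[5123:root:0]RCV: LCP Configure_Request id(1) len(14) [Maximum_Received_Unit 1354] [Magic_Number FB7C1352]
[5123:root:0]SND: LCP Configure_Ack id(1) len(14) [Maximum_Received_Unit 1354] [Magic_Number FB7C1352]
[5123:root:0]lcp_up: with mtu 1354
[5123:root:0]SND: IPCP Configure_Request id(1) [IP_Address 10.5.22.103]
[5123:root:0]RCV: IPCP Configure_Request id(0) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Secondary_DNS_IP_Address 0.0.0.0]
[5123:root:0]SND: IPCP Configure_Nak id(0) [IP_Address 10.212.134.200] [Primary_DNS_IP_Address 127.0.0.1] [Secondary_DNS_IP_Address 127.0.0.1]
[5123:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 10.5.22.103]
[5123:root:0]SND: IPCP Configure_Ack id(1) [IP_Address 10.212.134.200] [Primary_DNS_IP_Address 127.0.0.1] [Secondary_DNS_IP_Address 127.0.0.1]
[5123:root:0]ipcp: up ppp:0x7f0c8ee4f000 caller:0x7f0c8eda0900 tun:37
"""

PKT = re.compile(r"^\[[^\]]*\](SND|RCV): (LCP|IPCP) Configure_(\w+) id\(\d+\)(.*)$")
OPT = re.compile(r"\[(\w+) ([^\]]+)\]")

def summarize(log):
    """Reduce PPP debug lines to the negotiated values and a list of problems."""
    s = {"mtu": None, "fw_ip": None, "client_ip": None, "dns": [],
         "lcp_up": False, "ipcp_up": False, "problems": []}
    for line in map(str.strip, log.splitlines()):
        if m := re.search(r"\]lcp_up: with mtu (\d+)", line):
            s["lcp_up"], s["mtu"] = True, int(m.group(1))
        elif "]ipcp: up" in line:
            s["ipcp_up"] = True
        elif m := PKT.match(line):
            direction, proto, code, rest = m.groups()
            opts = dict(OPT.findall(rest))
            if code == "Reject":  # assumed spelling, see lead-in
                s["problems"].append(f"{proto} option rejected ({direction}): {sorted(opts)}")
            elif proto == "IPCP" and direction == "SND" and code == "Request":
                s["fw_ip"] = opts.get("IP_Address")      # firewall's own end of the link
            elif proto == "IPCP" and direction == "SND" and code == "Ack":
                s["client_ip"] = opts.get("IP_Address")  # address the firewall accepted for the client
                s["dns"] = [v for k, v in opts.items() if k.endswith("DNS_IP_Address")]
    if not s["lcp_up"]:
        s["problems"].append("LCP did not reach lcp_up")
    elif not s["ipcp_up"]:
        s["problems"].append("IPCP did not reach 'ipcp: up'")
    return s

if __name__ == "__main__":
    print(summarize(PAGE_LOG))
```
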







