Tag Archives: VPN Connectivity

The resulting benefits of a VPN can, depending on the VPN protocol used, be supplemented by encryption that enables tap-proof and manipulation-proof communication between the VPN partners.

FortiClient TLS VPN connection failed

FortiClient Failed to establish the VPN connection by TLS. This may be caused by a mismatch in the TLS version. Please check the TLS version settings in the Advanced of the Internet options. (-5029)

Using FortiClient to establish an SSL-VPN connection to the FortiGate can output a warning message.

Symptom

FortiClient Warning. Failed to establish the VPN connection. This may be caused by a mismatch in the TLS version. Please check the TLS version settings in the Advanced of the Internet options. (-5029)

Cause

FortiClient TLS VPN connection failed

The now outdated cryptographic protocol TLS 1.0 is no longer enabled by default as of FortiOS 6.0. It is recommended to use at least TLS 1.1 (Cipher Suites) for authentication and data encryption. We are currently on TLS 1.3 which has been approved by the IETF (Internet Engineering Task Force).

Solution

If you want to continue use older FortiClient VPN connection that are only ready for use later with TLS 1.2 or higher may if planned client migration via update rollout, TLS 1.0 can be activated on the FortiGate.

This measure should only be used temporarily, TLS 1.0 is outdated and is no longer considered secure.

Check current TLS settings

Check the current TLS setting from the FortiGate VPN Console with CLI Command:

FG60E # get vpn ssl settings | grep tls
tlsv1-0             : disable
tlsv1-1             : enable
tlsv1-2             : enable
dtls-hello-timeout  : 10
dtls-tunnel         : enable

Activate in the CLI the Cipher Suite TLS 1.0.

config vpn ssl settings
set tlsv1-0 enable

How to enable TLS 1.0 on Windows


The TLS version 1.0 in the Microsoft Windows snap-in (inetcpl) Internet Options can also be activate.

Windows-Logo + R

Hit the key Win+R and enter inetcpl.cpl

Run inetcpl.cpl

In the opened Internet Options window Internet Properties click to Advanced tab and click Use TLS Version 1.0 to enable it.

TLS FortiClient VPN connection, Internet Options Advanced

Troubleshooting MTU size in VPN connections

According to FortiClient VPN TLS using on older Windows versions, or with routers with PPPoE Internet connection, errors when establishing SSL-VPN connections can be eliminated as follows.

It appears the FortiClient error message:

Unable to establish the VPN connection. The VPN server may be unreachable (-5)

Check MTU size using netsh in command prompt

To do this, check the MTU size of the network interfaces with the following command from an open command prompt

netsh interface ipv4 show subinterface

The output might look something like this:

C:\> netsh interface ipv4 show subinterface

   MTU  Medienerkennungsstatus   Bytes eingehend  Bytes ausgehend  Schnittstelle
------  ---------------  ---------  ---------  -------------
  1500                5          0          0  Ethernet
  1500                1  598892209   19487894  WiFi
  1500                5          0          0  Mobilfunk
  1500                1       5248     144442  VMware Network Adapter VMnet1
  1500                5          0          0  LAN-Verbindung* 1
  1500                1          0     134436  VMware Network Adapter VMnet8
  1500                5          0          0  LAN-Verbindung* 5
4294967295                1          0      67869  Loopback Pseudo-Interface 1
  1500                5          0          0  Bluetooth-Netzwerkverbindung
  1500                5          0          0  Ethernet 3

Check the MTU size and adjust to 1400 if necessary. In a command prompt opened as an administrator, with running netsh.

netsh interface ip4 set subinterface Ethernet mtu=1400 store=persistent

Alternatively, call Regedit and navigate to the following key.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

under the appropriate interface with the appropriate IP address, here {222e135b-d09c-47a3-9236-63a041a02ea6} change the key MTU with the value 578 hexadecimal.

TLS FortiClient VPN connection, regedit interfaces

After restarting the computer, the SSL-VPN connection can be established.

FortiOS CVE-2018-13379 Advisory FG-IR-18-384

Allegedly, many admins did not update their FortiGate VPNs, so that attackers attack systems. The reason is the exploit code for the vulnerability (CVE-2018-13379) from 2019 that has now emerged.

Successful attacks on the SSL-VPN configured FortiOS should be made possible by sending prepared HTTP requests. Attackers could access system files and thus gain access to unencrypted access data, for example. They could then log into vulnerable VPN firewalls and compromise them.

FortiOS, which is used on FortiGate firewalls, has a total of six security holes in several versions of the Security Network operating system that affect the SSL-VPN web portal. Fortinet has published the FortiGuard Security Advisories with update notes.

FortiGuard PSIRT Advisory

Der original Textauszug:

FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests

Summary

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Impact

Information Disclosure
Affected Products
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
Solutions

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

Workarounds:

As a temporary solution, the only workaround is to totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end

Note that firewall policies tied to SSL VPN will need to be unset first for the above sequence to execute successfully.

As an example, when source-interface is “port1” and SSL VPN interface is “ssl.root”, the following CLI commands would be needed to ensure “unset source-interface” executes successfully:

config vpn ssl settings
config authentication-rule
purge (purge all authentication-rules)
end
end

config firewall policy
delete [policy-id] (SSL VPN policy ID(s) that srcintf is “ssl.root” and dstintf is “port1”)
end

Note that code to exploit this vulnerability in order to obtain the credentials of logged in SSL VPN users was disclosed. In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users. An attacker would then not be able to use stolen credentials to impersonate SSL VPN users.