VPN

Windows XP系统SSL VPN连接FortiGate新版本的注意事项

kmliu 发表了文章 • 0 个评论 • 2318 次浏览 • 2018-07-09 15:59 • 来自相关话题

XP 连接FOS 5.4/5.6/6.0版本的SSL VPN必失败，必须在XP和FGT分别进行相应的参数修改。

理论上来说官方新版本已经不再支持XP系统连接SSL VPN，V5.6以后的官方版本已经彻底去掉了SSL v3协议，因此如果FGT使用默认SSL VPN的配置，XP系统是没办法连接到SSL VPN的，但是如果由于业务原因一定要使用XP系统连接SSL VPN，那么需要从两方面修改设置才可以让XP成功连接到SSL VPN：
XP方面的修改：
1.安装IE8-WindowsXP-x86-CHS.exe 浏览器
IE8下载地址

2.在浏览器“Internet选项”中开启TLS1.0协议

FGT SSL VPN方面配置修改：
1.ssl vpn 下面开启TLS1.0协议（5.4.X中还可以开启SSL V3），并降低加密强度
2.在SSL VPN setting里面的config authentication-rule 将加密算法的长度调整为any长度，默认为大于等于168位
config vpn ssl settings
    set sslv3 enable         //默认disable，FOS 5.6之后彻底删除掉了ssl v3
    set tlsv1-0 enable     //默认disable
    set algorithm medium 或 set algorithm low // 默认为 HIGH，XP系统的加密强度最弱无法满足要求    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set cipher any     //默认为HIGH
        next
    end
end

---------------------------------------------------------------
----------------------------------------------------------------
完整的配置举例说明：

1.定义user和user-group，ssl vpn用户资源的定义

2.新建内网网段IP地址对象，用于后续的SSL VPN隧道分割和策略调用

3.使用自带的full-access模板即可，开启隧道分割，选择内网网段IP地址对象，这就是内网资源的定义

4.配置SSL VPN的端口，关联ssl vpn user-group资源和full-access内网资源

5.配置SSL VPN的策略，注意源IP里面需要调用user-group，目的IP需要调用隧道分割网段，做一个用户组和资源组的相互关联

FortiGate的SSL VPN配置完毕，默认状态应该就是这样，这个时候会发现 WIN7 WIN10等下系统连接SSL VPN没有任何问题，但是XP系统则怎么样都无法连接上SSL VPN，具体有两种报错：

XP SSL VPN Client下载：
https://fortinet.egnyte.com/dl/sUFezSusMD

FortiClient以及小SSL VPN Client的更多下载可以参考：
http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=65&id=448

报错1： 40%的时候报错

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 19 minutes.

FG100E4Q16003872 # diagnose debug enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24423:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24423:root:f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:f]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24423:root:f]SSL_accept failed, 5:(null)
[24423:root:f]Destroy sconn 0x35d6db00, connSize=0. (root)
[24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126) // ssl 协议不匹配
[24424:root:f]SSL state:error:(null)(192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol //不支持的ssl 协议

不支持的ssl协议

FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable //默认TLS1.0 disable，XP的IE8只有TLS1.0,因此TLS1.0必须打开
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm high   // XP没有太强的加密算法 DES-CBC3-SHA ，需要修改为medium 或 low

修改SSLVPN的配置：
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm medium

报错2：48%的时候报错"没有权限-455"

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 12 minutes.

FG100E4Q16003872 # diagnose debug enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24422:root:1b]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1b]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24422:root:1b]SSL_accept failed, 5:(null)
[24422:root:1b]Destroy sconn 0x35ce4b00, connSize=0. (root)
[24423:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1b]req: /remote/info
[24424:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1b]req: /remote/login
[24424:root:1b]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1b]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_web_auth_info_parser_common:439 no session id in auth info
[24422:root:1c]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24422:root:1c]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm (). //报错authentication rules 1错误
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher. //cipher不匹配
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24423:root:1c]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1c]req: /FortiClientSslvpnClearCacheUrl/for/Wini
[24423:root:1c]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t

修改SSL VPN的配置：
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # config authentication-rule
FG100E4Q16003872 (authentication-rule) # edit 1
FG100E4Q16003872 (1) # show
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
    next
end
FG100E4Q16003872 (1) # show full-configuration
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
        set realm ''
        set client-cert disable
        set cipher high   //默认为HIGH 需要168位及以上的加密算法，但是XP的加密算法不符合要求
        set auth any
    next
end
FG100E4Q16003872 (1) # set cipher
any       Any cipher strength.
high      High cipher strength (>= 168 bits).
medium    Medium cipher strength (>= 128 bits).
FG100E4Q16003872 (1) # set cipher any   //修改为any，接收DES等低位数加密算法
FG100E4Q16003872 (1) # end
FG100E4Q16003872 (settings) # end

总结修改的配置：
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # show
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
然后XP拨号就可以了：

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 1 minutes.
FG100E4Q16003872 # diagnose debug enable
[24423:root:1d]req: /remote/login
[24423:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24423:root:1d]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1d]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1d]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24424:root:1d]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1542 checking rule 1 vd source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1614 rule 1 done, got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1702 got user (0), group (1:0).
[24424:root:1d]two factor check for user1: off
[24424:root:1d]sslvpn_authenticate_user:167 authenticate user: [user1]
[24424:root:1d]sslvpn_authenticate_user:174 create fam state
[24424:root:1d]fam_auth_send_req:577 with server blacklist:
[24424:root:1d]fam_auth_send_req_internal:449 fnbam_auth return: 0
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]fam_do_cb:479 fnbamd return auth success.
[24424:root:1d]SSL VPN login matched rule (1).
[24424:root:1d]rmt_web_session_create:709 create web session, idx[0]
[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32
[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200
[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat 192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
<---完---> 查看全部

XP 连接FOS 5.4/5.6/6.0版本的SSL VPN必失败，必须在XP和FGT分别进行相应的参数修改。

理论上来说官方新版本已经不再支持XP系统连接SSL VPN，V5.6以后的官方版本已经彻底去掉了SSL v3协议，因此如果FGT使用默认SSL VPN的配置，XP系统是没办法连接到SSL VPN的，但是如果由于业务原因一定要使用XP系统连接SSL VPN，那么需要从两方面修改设置才可以让XP成功连接到SSL VPN：
XP方面的修改：
1.安装IE8-WindowsXP-x86-CHS.exe 浏览器
IE8下载地址

2.在浏览器“Internet选项”中开启TLS1.0协议

FGT SSL VPN方面配置修改：
1.ssl vpn 下面开启TLS1.0协议（5.4.X中还可以开启SSL V3），并降低加密强度
2.在SSL VPN setting里面的config authentication-rule 将加密算法的长度调整为any长度，默认为大于等于168位
config vpn ssl settings
    set sslv3 enable         //默认disable，FOS 5.6之后彻底删除掉了ssl v3
    set tlsv1-0 enable     //默认disable
    set algorithm medium 或 set algorithm low // 默认为 HIGH，XP系统的加密强度最弱无法满足要求    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set cipher any     //默认为HIGH
        next
    end
end

---------------------------------------------------------------
----------------------------------------------------------------
完整的配置举例说明：

1.定义user和user-group，ssl vpn用户资源的定义

2.新建内网网段IP地址对象，用于后续的SSL VPN隧道分割和策略调用

3.使用自带的full-access模板即可，开启隧道分割，选择内网网段IP地址对象，这就是内网资源的定义

4.配置SSL VPN的端口，关联ssl vpn user-group资源和full-access内网资源

5.配置SSL VPN的策略，注意源IP里面需要调用user-group，目的IP需要调用隧道分割网段，做一个用户组和资源组的相互关联

FortiGate的SSL VPN配置完毕，默认状态应该就是这样，这个时候会发现 WIN7 WIN10等下系统连接SSL VPN没有任何问题，但是XP系统则怎么样都无法连接上SSL VPN，具体有两种报错：

XP SSL VPN Client下载：
https://fortinet.egnyte.com/dl/sUFezSusMD

FortiClient以及小SSL VPN Client的更多下载可以参考：
http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=65&id=448

报错1： 40%的时候报错

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 19 minutes.

FG100E4Q16003872 # diagnose debug enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24423:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24423:root:f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:f]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24423:root:f]SSL_accept failed, 5:(null)
[24423:root:f]Destroy sconn 0x35d6db00, connSize=0. (root)
[24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126) // ssl 协议不匹配
[24424:root:f]SSL state:error:(null)(192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol //不支持的ssl 协议

不支持的ssl协议

FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable //默认TLS1.0 disable，XP的IE8只有TLS1.0,因此TLS1.0必须打开
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm high   // XP没有太强的加密算法 DES-CBC3-SHA ，需要修改为medium 或 low

修改SSLVPN的配置：
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm medium

报错2：48%的时候报错"没有权限-455"

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 12 minutes.

FG100E4Q16003872 # diagnose debug enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24422:root:1b]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1b]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24422:root:1b]SSL_accept failed, 5:(null)
[24422:root:1b]Destroy sconn 0x35ce4b00, connSize=0. (root)
[24423:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1b]req: /remote/info
[24424:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1b]req: /remote/login
[24424:root:1b]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1b]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_web_auth_info_parser_common:439 no session id in auth info
[24422:root:1c]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24422:root:1c]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm (). //报错authentication rules 1错误
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher. //cipher不匹配
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24423:root:1c]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1c]req: /FortiClientSslvpnClearCacheUrl/for/Wini
[24423:root:1c]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t

修改SSL VPN的配置：
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # config authentication-rule
FG100E4Q16003872 (authentication-rule) # edit 1
FG100E4Q16003872 (1) # show
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
    next
end
FG100E4Q16003872 (1) # show full-configuration
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
        set realm ''
        set client-cert disable
        set cipher high   //默认为HIGH 需要168位及以上的加密算法，但是XP的加密算法不符合要求
        set auth any
    next
end
FG100E4Q16003872 (1) # set cipher
any       Any cipher strength.
high      High cipher strength (>= 168 bits).
medium    Medium cipher strength (>= 128 bits).
FG100E4Q16003872 (1) # set cipher any   //修改为any，接收DES等低位数加密算法
FG100E4Q16003872 (1) # end
FG100E4Q16003872 (settings) # end

总结修改的配置：
FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # show
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
然后XP拨号就可以了：

FG100E4Q16003872 # diagnose debug application sslvpn -1
Debug messages will be on for 1 minutes.
FG100E4Q16003872 # diagnose debug enable
[24423:root:1d]req: /remote/login
[24423:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24423:root:1d]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1d]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1d]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24424:root:1d]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1542 checking rule 1 vd source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1614 rule 1 done, got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1702 got user (0), group (1:0).
[24424:root:1d]two factor check for user1: off
[24424:root:1d]sslvpn_authenticate_user:167 authenticate user: [user1]
[24424:root:1d]sslvpn_authenticate_user:174 create fam state
[24424:root:1d]fam_auth_send_req:577 with server blacklist:
[24424:root:1d]fam_auth_send_req_internal:449 fnbam_auth return: 0
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]fam_do_cb:479 fnbamd return auth success.
[24424:root:1d]SSL VPN login matched rule (1).
[24424:root:1d]rmt_web_session_create:709 create web session, idx[0]
[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32
[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200
[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat 192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
<---完--->

通知设置新通知

给拨号VPN的用户分配固定IP地址

FGT200B 4.0版本和 FGT200E 6.0版本怎么做IPsecVPN隧道

拨号IPsec VPN处理机制更新 (“set net-device disable”)

ios版forticlient为何在appstore下架了

ipsec vpn

关于重叠子网的站点到站点IPsec VPN场景中的VIP应用问题

fortigate 和 ssg140 基于路由的模式建设点到点的ipsec vpn

forticlient 在1809上的问题

ipsec vpn的共享密钥忘记密码了，命令行的文件可以翻译出来吗？

Windows XP系统SSL VPN连接FortiGate新版本的注意事项

热门话题

热门用户

通知设置 新通知

VPN

热门话题

热门用户

通知设置新通知