SSL VPN cannot connect

Notes on connecting a Windows XP system to SSL VPN on newer FortiGate releases

VPN | kmliu posted an article • 0 comments • 710 views • 2018-07-09 15:59

An XP client connecting to the SSL VPN of FOS 5.4/5.6/6.0 always fails. Parameters have to be changed on both the XP side and the FGT side.
 
Strictly speaking, the current official releases no longer support XP clients for SSL VPN: from 5.6 onward SSLv3 has been removed entirely, so with the default SSL VPN configuration an XP system has no way to connect. If XP must still connect for business reasons, settings have to be changed in two places before the XP client can connect. Be aware of what the change costs: TLS 1.0 and 3DES (the DES-CBC3-SHA suite that XP ends up negotiating) are both deprecated, and the tlsv1-0 and algorithm settings under config vpn ssl settings apply to every client of the gateway, not only to XP. Put the XP users in their own user group and authentication rule so that "set cipher any" is scoped to them, and revert these settings once the XP machines are retired.
Changes on the XP side:
1. Install the IE8-WindowsXP-x86-CHS.exe browser
IE8 download address

2. Enable the TLS 1.0 protocol under "Internet Options" in the browser

Changes on the FGT SSL VPN side:
1. Under vpn ssl settings, enable TLS 1.0 (on 5.4.x SSLv3 can also be enabled) and lower the cipher strength
2. In config authentication-rule under the SSL VPN settings, set the cipher strength to any; the default is high, which requires 168 bits or more
config vpn ssl settings
    set sslv3 enable             // default disable; FOS 5.6 and later removed SSLv3 entirely, so this line only exists on 5.4.x
    set tlsv1-0 enable           // default disable
    set algorithm medium         // default high; set algorithm low also works. XP's strongest cipher cannot satisfy high
    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set cipher any       // default high
        next
    end
end
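The script below is an added example for this post, not Fortinet code and not something the original author supplied. It parses a config vpn ssl settings dump of the kind shown above and lists every setting that was relaxed for XP (sslv3, tlsv1-0, algorithm, and a per-rule cipher below high), and it also recognises the half-fixed state this post runs into further down, where TLS 1.0 and medium ciphers are enabled globally but the authentication rule still demands cipher high. The two embedded configurations are constructed from the settings on this page; the finding codes are this example's own naming.

```python
import re

# Constructed input: the configuration this post ends up with after the XP
# workaround (TLS 1.0 on, medium cipher strength, rule 1 cipher any).
XP_WORKAROUND_CONFIG = """\
config vpn ssl settings
    set tlsv1-0 enable
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
"""

# Constructed input: the intermediate state from this post, where TLS 1.0 and
# medium ciphers are enabled globally but rule 1 still demands cipher high
# (the state that produces the "Permission denied -455" error).
HALF_FIXED_CONFIG = """\
config vpn ssl settings
    set tlsv1-0 enable
    set algorithm medium
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set cipher high
        next
    end
end
"""

SET_RE = re.compile(r"^set\s+(\S+)\s*(.*)$")


def parse_ssl_settings(text):
    """Split a FortiOS 'config vpn ssl settings' dump into the global settings
    and the per-rule settings of the authentication-rule table.
    Returns (settings, rules) where rules maps rule id -> {key: value}."""
    settings, rules = {}, {}
    in_rules, rule_id = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config authentication-rule":
            in_rules = True
        elif in_rules and line.startswith("edit "):
            rule_id = line.split(None, 1)[1].strip('"')
            rules[rule_id] = {}
        elif line == "next":
            rule_id = None
        elif line == "end":
            if in_rules and rule_id is None:
                in_rules = False  # this 'end' closes the authentication-rule table
        else:
            m = SET_RE.match(line)
            if m is None:
                continue  # prompts, 'config ...' headers, blank lines
            key, value = m.group(1), m.group(2).strip().strip("'\"")
            target = rules[rule_id] if rule_id is not None else settings
            target[key] = value
    return settings, rules


def audit(text):
    """Return (code, message) findings for each legacy-client setting.
    The codes are this example's own naming, not FortiOS output."""
    settings, rules = parse_ssl_settings(text)
    findings = []
    if settings.get("sslv3") == "enable":
        findings.append(("SSLV3", "sslv3 enable: SSLv3 is broken (POODLE) and no longer exists in FOS 5.6+"))
    if settings.get("tlsv1-0") == "enable":
        findings.append(("TLS10", "tlsv1-0 enable: TLS 1.0 is offered to every client of the gateway, not only XP"))
    algorithm = settings.get("algorithm", "high")  # default shown on this page is high
    if algorithm != "high":
        findings.append(("WEAK_ALGORITHM", f"algorithm {algorithm}: legacy suites such as DES-CBC3-SHA are accepted at the TLS layer"))
    relaxed_rules = []
    for rule_id, rule in rules.items():
        cipher = rule.get("cipher", "high")  # per-rule default is also high
        if cipher != "high":
            relaxed_rules.append(rule_id)
            findings.append(("RULE_CIPHER", f"authentication-rule {rule_id} (groups {rule.get('groups', '<none>')}): cipher {cipher}"))
    if algorithm != "high" and rules and not relaxed_rules:
        findings.append(("RULE_MISMATCH", "weak suites are negotiated but every authentication-rule still requires cipher high: "
                         "a legacy client passes the handshake and is then refused at login (the -455 case)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("xp-workaround", XP_WORKAROUND_CONFIG), ("half-fixed", HALF_FIXED_CONFIG)):
        print(f"== {name}")
        for code, message in audit(cfg):
            print(f"  [{code}] {message}")
```

Feed it the output of "show full-configuration" captured from the device and keep the findings with the change record, so the relaxed settings can be reverted when the XP machines go away. An independent check from the client side is an "openssl s_client -connect <gateway>:4443 -tls1" handshake attempt (the gateway address is a placeholder), which shows whether the gateway still accepts TLS 1.0 at all.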
 
 
---------------------------------------------------------------
Full configuration example:
 
1. Define the user and the user-group: this is the SSL VPN user resource

2. Create an IP address object for the internal subnet; it is used later for SSL VPN split tunnelling and in the firewall policy

3. The built-in full-access portal template is sufficient: enable split tunnelling and select the internal subnet address object. This is the definition of the internal resource

4. Configure the SSL VPN port and associate the SSL VPN user-group resource with the full-access internal resource

5. Configure the SSL VPN firewall policy. Note that the source must reference the user-group and the destination must reference the split-tunnel subnet, so that the user group and the resource group are tied to each other

With the FortiGate SSL VPN configured this way, which is the default state, Windows 7, Windows 10 and similar systems connect without any problem, but an XP system cannot connect at all. There are two distinct errors:
 
XP SSL VPN Client download:
https://fortinet.egnyte.com/dl/sUFezSusMD
 
More FortiClient and standalone SSL VPN Client downloads:
http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=65&id=448

Error 1: the connection fails at 40%

FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 19 minutes.

FG100E4Q16003872 # diagnose debug  enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24423:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24423:root:f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:f]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24423:root:f]SSL_accept failed, 5:(null)
[24423:root:f]Destroy sconn 0x35d6db00, connSize=0. (root)
[24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126)  // SSL/TLS protocol version mismatch
[24424:root:f]SSL state:error:(null)(192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol  // the version offered by the client is not enabled
 
Unsupported SSL protocol: the handshake never completes, because the XP client only offers TLS 1.0 and the current settings have it disabled:
 
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable // TLS 1.0 is disabled by default, and IE8 on XP has only TLS 1.0, so TLS 1.0 must be enabled
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm high   // XP has nothing stronger than DES-CBC3-SHA, so this must be changed to medium or low
 
Modified SSL VPN settings:
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm medium
 
Error 2: the connection fails at 48% with "Permission denied -455"

FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 12 minutes.

FG100E4Q16003872 # diagnose debug  enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24422:root:1b]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1b]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24422:root:1b]SSL_accept failed, 5:(null)
[24422:root:1b]Destroy sconn 0x35ce4b00, connSize=0. (root)
[24423:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1b]req: /remote/info
[24424:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1b]req: /remote/login
[24424:root:1b]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1b]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_web_auth_info_parser_common:439 no session id in auth info
[24422:root:1c]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24422:root:1c]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm (). // the user is evaluated against authentication rule 1
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher. // cipher mismatch: the negotiated DES-CBC3-SHA fails the rule's cipher requirement, and no further checks (realm, source intf) run
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24423:root:1c]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1c]req: /FortiClientSslvpnClearCacheUrl/for/Wini
[24423:root:1c]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
 
Modify the SSL VPN configuration:
FG100E4Q16003872 # config vpn  ssl settings
FG100E4Q16003872 (settings) # config authentication-rule
FG100E4Q16003872 (authentication-rule) # edit 1
FG100E4Q16003872 (1) # show
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
    next
end
FG100E4Q16003872 (1) # show full-configuration
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
        set realm ''
        set client-cert disable
        set cipher high   // default high: a cipher of 168 bits or more is required, which XP's DES-CBC3-SHA (3DES, 112-bit effective strength) does not satisfy
        set auth any
    next
end
FG100E4Q16003872 (1) # set cipher
any       Any cipher strength.
high      High cipher strength (>= 168 bits).
medium    Medium cipher strength (>= 128 bits).
FG100E4Q16003872 (1) # set cipher any   // change to any so that lower-strength suites such as 3DES are accepted for this rule
FG100E4Q16003872 (1) # end
FG100E4Q16003872 (settings) # end
 
Summary of the changed configuration:
 FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # show
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
After this, the XP client dials in successfully:

FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 1 minutes.
FG100E4Q16003872 # diagnose debug  enable
[24423:root:1d]req: /remote/login
[24423:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24423:root:1d]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1d]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1d]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24424:root:1d]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1542 checking rule 1 vd source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1614 rule 1 done, got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1702 got user (0), group (1:0).
[24424:root:1d]two factor check for user1: off
[24424:root:1d]sslvpn_authenticate_user:167 authenticate user: [user1]
[24424:root:1d]sslvpn_authenticate_user:174 create fam state
[24424:root:1d]fam_auth_send_req:577 with server blacklist:
[24424:root:1d]fam_auth_send_req_internal:449 fnbam_auth return: 0
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]fam_do_cb:479 fnbamd return auth success.
[24424:root:1d]SSL VPN login matched rule (1).
[24424:root:1d]rmt_web_session_create:709 create web session, idx[0]
[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32
[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local  IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200
[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat  192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
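The parser below is an added example written for this post; it is not part of the original article and not a Fortinet tool. It reduces a capture from diagnose debug application sslvpn -1 to the three outcomes seen above: the handshake aborted with "unsupported protocol" (error 1), the handshake completing with TLSv1 DES-CBC3-SHA and the authentication rule then stopping at its cipher check (error 2, the -455 case), and a successful "SSL VPN login matched rule". The rule-rejection inference relies on a detail visible in the captures: in the failing case only "checking rule 1 cipher." is printed, while in the successful case the realm and source-interface checks follow it. The sample captures are trimmed copies of lines from this page, and the verdict names are this example's own.

```python
import re

# Constructed samples: trimmed copies of lines from the three
# 'diagnose debug application sslvpn -1' captures on this page.
ERROR1_LOG = """\
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126)
[24424:root:f]SSL state:error:(null)(192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol
"""

ERROR2_LOG = """\
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
"""

SUCCESS_LOG = """\
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]SSL VPN login matched rule (1).
"""

PREFIX_RE = re.compile(r"^\[\d+:[^:\]]+:[0-9a-f]+\]")  # the [pid:vdom:id] prefix
ESTABLISHED_RE = re.compile(r"SSL established: (\S+) (\S+)")
RULE_CHECK_RE = re.compile(r"checking rule (\d+) (cipher|realm|source intf|vd source intf)\.")
MATCHED_RE = re.compile(r"SSL VPN login matched rule \((\d+)\)")

# Versions and suite markers that should only appear on a gateway that is
# deliberately serving legacy clients.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXPORT", "MD5")


def triage(capture):
    """Classify one sslvpn debug capture. Verdict names are this example's own."""
    result = {"verdict": "unknown", "protocol": None, "cipher": None, "rule": None, "weak": []}
    checks_run = {}  # rule id -> ordered list of checks that rule evaluated
    for raw in capture.splitlines():
        line = PREFIX_RE.sub("", raw.strip())
        if "SSL_accept failed" in line and "unsupported protocol" in line:
            result["verdict"] = "protocol_mismatch"  # error 1: no TLS version in common
            return result
        if m := ESTABLISHED_RE.search(line):
            result["protocol"], result["cipher"] = m.group(1), m.group(2)
        if m := RULE_CHECK_RE.search(line):
            checks_run.setdefault(m.group(1), []).append(m.group(2))
        if m := MATCHED_RE.search(line):
            result["verdict"], result["rule"] = "login_ok", m.group(1)
        if line.startswith("no valid user or group candidate found"):
            # A rule that printed only its cipher check stopped there (error 2);
            # in the successful capture the realm and source-intf checks follow.
            stuck = [rid for rid, checks in checks_run.items() if checks == ["cipher"]]
            if stuck:
                result["verdict"], result["rule"] = "rule_cipher_rejected", stuck[0]
            else:
                result["verdict"] = "no_matching_rule"
    if result["protocol"] in WEAK_PROTOCOLS:
        result["weak"].append(result["protocol"])
    if result["cipher"] and any(mk in result["cipher"] for mk in WEAK_SUITE_MARKERS):
        result["weak"].append(result["cipher"])
    return result


if __name__ == "__main__":
    for name, capture in (("error1", ERROR1_LOG), ("error2", ERROR2_LOG), ("success", SUCCESS_LOG)):
        print(name, triage(capture))
```

Even on the successful capture the result still lists TLSv1 and DES-CBC3-SHA under "weak", which is the reminder that the XP fix trades gateway security for compatibility and should be watched for and reverted once it is no longer needed.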
<---完---> 查看全部
XP 连接FOS 5.4/5.6/6.0版本的SSL VPN必失败,必须在XP和FGT分别进行相应的参数修改。
 
理论上来说官方新版本已经不再支持XP系统连接SSL VPN,V5.6以后的官方版本已经彻底去掉了SSL v3协议,因此如果FGT使用默认SSL VPN的配置,XP系统是没办法连接到SSL VPN的,但是如果由于业务原因一定要使用XP系统连接SSL VPN,那么需要从两方面修改设置才可以让XP成功连接到SSL VPN:
 XP方面的修改:
1.安装IE8-WindowsXP-x86-CHS.exe 浏览器 
IE8下载地址
XP1.png

 2.在浏览器“Internet选项”中开启TLS1.0协议
SSL_VPN_15.png

 FGT SSL VPN方面配置修改:
1.ssl vpn 下面开启TLS1.0协议(5.4.X中还可以开启SSL V3),并降低加密强度
2.在SSL VPN setting里面的config authentication-rule 将加密算法的长度调整为any长度,默认为大于等于168位
config vpn ssl settings
    set sslv3 enable             //默认disable,FOS 5.6之后彻底删除掉了ssl v3
    set tlsv1-0 enable       //默认disable
    set algorithm medium 或 set algorithm low // 默认为 HIGH,XP系统的加密强度最弱无法满足要求    config authentication-rule
        edit 1
            set groups "Guest-group"
            set portal "full-access"
            set cipher any       //默认为HIGH
        next
    end
end
 
 
 ---------------------------------------------------------------
----------------------------------------------------------------
完整的配置举例说明:
 
1.定义user和user-group,ssl vpn用户 资源的定义
SSL_VPN_11.png

SSL_VPN_22.png

2.新建内网网段IP地址对象,用于后续的SSL VPN隧道分割和策略调用
SSL_VPN_6.png

 
3.使用自带的full-access模板即可,开启隧道分割,选择内网网段IP地址对象,这就是内网资源的定义
SSL_VPN_1.png

SSL_VPN_2.png

 
4.配置SSL VPN的端口,关联ssl  vpn user-group资源和full-access内网资源
SSL_VPN_3.png

SSL_VPN_4.png

 
5.配置SSL  VPN的策略,注意源IP里面需要调用user-group,目的IP需要调用隧道分割网段,做一个用户组和资源组的相互关联
SSL_VPN_5.png

 
FortiGate的SSL VPN配置完毕,默认状态应该就是这样,这个时候会发现 WIN7 WIN10等下系统连接SSL VPN没有任何问题,但是XP系统则怎么样都无法连接上SSL VPN,具体有两种报错:
 
XP SSL VPN Client下载:
https://fortinet.egnyte.com/dl/sUFezSusMD 
 
FortiClient以及小SSL  VPN Client的 更多下载可以参考:
http://support.fortinet.com.cn/index.php?m=content&c=index&a=show&catid=65&id=448
SSL_VPN_7.png

SSL_VPN_8.png


 
报错1:  40%的时候报错
SSL_VPN_9.png

 
FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 19 minutes.

FG100E4Q16003872 # diagnose debug  enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24423:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24423:root:f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:f]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24423:root:f]SSL_accept failed, 5:(null)
[24423:root:f]Destroy sconn 0x35d6db00, connSize=0. (root)
[24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:before SSL initialization (192.168.91.126)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126)  // ssl 协议不匹配
[24424:root:f]SSL state:error:(null)(192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol  //不支持的ssl 协议
 
不支持的ssl协议
 
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 disable //默认TLS1.0 disable,XP的IE8只有TLS1.0,因此TLS1.0必须打开
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm high   //  XP没有太强的加密算法 DES-CBC3-SHA ,需要修改为medium 或 low
 
修改SSLVPN的配置:
FG100E4Q16003872 (settings) # show full-configuration
config vpn ssl settings
    set reqclientcert disable
    set tlsv1-0 enable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set algorithm medium
 
报错2:48%的时候报错"没有权限-455"
SSL_VPN_10.png

 
FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 12 minutes.

FG100E4Q16003872 # diagnose debug  enable

FG100E4Q16003872 #
FG100E4Q16003872 # [24422:root:1b]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1b]SSL state:before SSL initialization:DH lib(192.168.91.126)
[24422:root:1b]SSL_accept failed, 5:(null)
[24422:root:1b]Destroy sconn 0x35ce4b00, connSize=0. (root)
[24423:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1b]req: /remote/info
[24424:root:1b]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1b]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1b]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1b]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1b]req: /remote/login
[24424:root:1b]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1b]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]rmt_web_auth_info_parser_common:439 no session id in auth info
[24422:root:1c]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24422:root:1c]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24422:root:1c]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24422:root:1c]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24422:root:1c]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm (). // evaluation against authentication rule 1 begins here
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher. // the cipher check fails: no realm / source-intf check follows, and the next line returns group (0:0)
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24423:root:1c]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1c]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1c]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1c]req: /FortiClientSslvpnClearCacheUrl/for/Wini
[24423:root:1c]def: (nil) /FortiClientSslvpnClearCacheUrl/for/WininetLibrary/1/2/3/4/5/6/7/8/9/0/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t
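The two traces on this page differ in exactly one place. With `cipher high` on the authentication rule the login check stops right after `checking rule 1 cipher.` and reports `got user (0), group (0:0)`; with `cipher any` it goes on to the realm and source-interface checks and ends in `SSL VPN login matched rule (1)`. The Python script below is an added example, not part of the original article, that automates that reading of `diagnose debug application sslvpn -1` output: it groups lines by their `[pid:vdom:id]` tag, records the negotiated protocol and suite from `SSL established:`, and classifies each connection as a protocol mismatch (error 1 on this page), a rejection by the rule's cipher check (error 2), or a successful login. The sample log is constructed from the line shapes shown on this page, and the function and class names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the line shapes of `diagnose debug application sslvpn -1`
# shown on this page: a login stopped by the rule's cipher check, a handshake with
# no common TLS version, a successful login, and a tunnel-setup request.
SAMPLE_LOG = """\
[24422:root:1c]allocSSLConn:280 sconn 0x35ce4b00 (0:root)
[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1c]req: /remote/logincheck
[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).
[24422:root:1c]no valid user or group candidate found.
[24424:root:f]allocSSLConn:280 sconn 0x35d6db00 (0:root)
[24424:root:f]SSL state:fatal protocol version (192.168.91.126)
[24424:root:f]SSL_accept failed, 1:unsupported protocol
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]SSL VPN login matched rule (1).
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
"""

# Line shapes taken from the traces on this page.
TAG_RE = re.compile(r"\[(?P<pid>\d+):(?P<vdom>\w+):(?P<cid>[0-9a-f]+)\](?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"^SSL established: (?P<proto>\S+) (?P<cipher>\S+)")
ACCEPT_FAIL_RE = re.compile(r"^SSL_accept failed, (?P<err>.+)$")
REQ_RE = re.compile(r"^req: (?P<uri>\S+)")
CHECK_RE = re.compile(r"checking rule (?P<rule>\d+) (?P<what>[\w ]+)\.$")
MATCHED_RE = re.compile(r"SSL VPN login matched rule \((?P<rule>\d+)\)")


@dataclass
class Conn:
    # Everything the trace tells us about one connection (one [pid:vdom:id] tag).
    tag: str
    proto: Optional[str] = None
    cipher: Optional[str] = None
    accept_error: Optional[str] = None
    uris: list[str] = field(default_factory=list)
    checks: list[tuple[int, str]] = field(default_factory=list)  # rule checks, in logged order
    rejected: bool = False
    matched_rule: Optional[int] = None


def parse_sslvpn_debug(text: str) -> list[Conn]:
    """Group trace lines by their [pid:vdom:id] tag; allocSSLConn starts a new connection."""
    conns: list[Conn] = []
    current: dict[str, Conn] = {}
    for raw in text.splitlines():
        m = TAG_RE.search(raw)
        if not m:
            continue  # prompts, "Debug messages will be on ...", blank lines
        tag, msg = f"{m['pid']}:{m['vdom']}:{m['cid']}", m["msg"].strip()
        if msg.startswith("allocSSLConn") or tag not in current:
            current[tag] = Conn(tag)
            conns.append(current[tag])
        c = current[tag]
        if e := ESTABLISHED_RE.match(msg):
            c.proto, c.cipher = e["proto"], e["cipher"]
        elif e := ACCEPT_FAIL_RE.match(msg):
            c.accept_error = e["err"]
        elif e := REQ_RE.match(msg):
            c.uris.append(e["uri"])
        elif e := CHECK_RE.search(msg):
            c.checks.append((int(e["rule"]), e["what"]))
        elif msg.startswith("no valid user or group candidate found"):
            c.rejected = True
        elif e := MATCHED_RE.search(msg):
            c.matched_rule = int(e["rule"])
    return conns


def verdict(c: Conn) -> str:
    """Map one connection to the failure modes this page documents."""
    if c.accept_error:
        # Error 1 on the page: the client's only TLS version is not enabled on the gateway.
        return f"handshake failed ({c.accept_error}): check tlsv1-0 / algorithm on the gateway"
    if c.rejected:
        # Error 2 on the page: TLS came up, but no check was logged after "cipher",
        # so the negotiated suite failed `set cipher` in the authentication rule.
        if c.checks and c.checks[-1][1] == "cipher":
            return (f"auth rule {c.checks[-1][0]} rejected {c.cipher} on {c.proto}: "
                    "authentication-rule cipher is stricter than the negotiated suite")
        return f"login rejected after rule check {c.checks[-1] if c.checks else 'none'}"
    if c.matched_rule is not None:
        return f"login ok via rule {c.matched_rule} ({c.proto} {c.cipher})"
    return f"no auth decision ({c.proto} {c.cipher}) for {' '.join(c.uris) or 'no request'}"


def triage(text: str) -> dict[str, str]:
    """One verdict per connection tag, in trace order."""
    return {c.tag: verdict(c) for c in parse_sslvpn_debug(text)}
```

Feed it the raw output of `diagnose debug application sslvpn -1` and judge by the connection that carries `/remote/logincheck`: in this page's own traces a `SSL_accept failed, 5:(null)` right after `before SSL initialization:DH lib` shows up even when the next connection completes a handshake, so that probe alone is not the fault. DES-CBC3-SHA is 3DES, which offers 112 bits of effective security despite its 168-bit key, and the trace shows FortiOS does not count it as a HIGH suite.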
 
Change the SSL VPN configuration (the cipher requirement on the authentication rule):
FG100E4Q16003872 # config vpn  ssl settings
FG100E4Q16003872 (settings) # config authentication-rule
FG100E4Q16003872 (authentication-rule) # edit 1
FG100E4Q16003872 (1) # show
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
    next
end
FG100E4Q16003872 (1) # show full-configuration
config authentication-rule
    edit 1
        set groups "SSL_VPN_User_Group"
        set portal "full-access"
        set realm ''
        set client-cert disable
        set cipher high   // default is high, i.e. suites of 168 bits or more; the suite XP negotiates does not meet it
        set auth any
    next
end
FG100E4Q16003872 (1) # set cipher
any       Any cipher strength.
high      High cipher strength (>= 168 bits).
medium    Medium cipher strength (>= 128 bits).
FG100E4Q16003872 (1) # set cipher any   // change to any: accept weaker suites such as 3DES (DES-CBC3-SHA)
FG100E4Q16003872 (1) # end
FG100E4Q16003872 (settings) # end
 
Summary of the modified configuration:
 FG100E4Q16003872 # config vpn ssl settings
FG100E4Q16003872 (settings) # show
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
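The settings above trade TLS strength for XP compatibility on every client that connects, not only the XP hosts: `tlsv1-0 enable` and `algorithm medium` apply to the whole listener, and `cipher any` on the rule lets any negotiated suite through. The Python script below is an added example, not from the original article, that parses a FortiOS `config vpn ssl settings` block (the `config` / `edit` / `set` / `next` / `end` structure shown on this page) and flags each of those relaxations, so the weakened state can be found again and reverted once the XP clients are retired. The parser and the hardened comparison block are the example's own; the defaults it assumes (`tlsv1-0 disable`, `algorithm high`, `cipher high`) are the ones this page states.

```python
import shlex

# The XP-compatible summary configuration from this page, as parsed input.
XP_COMPAT_SETTINGS = """\
config vpn ssl settings
    set tlsv1-0 enable
    set servercert "Fortinet_Factory"
    set algorithm medium
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 4443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher any
        next
    end
end
"""

# Constructed counterpart with the defaults the page states restored
# (tlsv1-0 disable, algorithm high, cipher high), for when the XP clients are gone.
HARDENED_SETTINGS = """\
config vpn ssl settings
    set tlsv1-0 disable
    set algorithm high
    set port 4443
    config authentication-rule
        edit 1
            set groups "SSL_VPN_User_Group"
            set portal "full-access"
            set cipher high
        next
    end
end
"""

KEYWORDS = {"config", "edit", "set", "next", "end"}


def parse_fortios_config(text: str) -> dict:
    """Turn FortiOS `config`/`edit`/`set`/`next`/`end` text into nested dicts.

    `config a b c` nests under the key "a b c", `edit N` under "N", and `set k v`
    stores v (a list when several values follow). Prompt lines and the "//" remarks
    this page adds after settings are ignored.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        kw, args = words[0], words[1:]
        if kw not in KEYWORDS:
            continue
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif len(stack) > 1:  # next / end close the current edit / config block
            stack.pop()
    return root


def audit_ssl_settings(text: str) -> list:
    """List every setting that relaxes the page's stated defaults for SSL VPN TLS."""
    s = parse_fortios_config(text).get("vpn ssl settings", {})
    findings = []
    if s.get("sslv3") == "enable":
        findings.append("vpn ssl settings: sslv3 enable (POODLE-vulnerable; FOS 5.6+ no longer offers it)")
    if s.get("tlsv1-0") == "enable":
        findings.append("vpn ssl settings: tlsv1-0 enable (TLS 1.0 is offered to every client, not just XP)")
    algorithm = s.get("algorithm", "high")  # page default: high (>= 168-bit suites)
    if algorithm != "high":
        findings.append(f"vpn ssl settings: algorithm {algorithm} (suites below the HIGH class are offered)")
    for rule_id, rule in s.get("authentication-rule", {}).items():
        cipher = rule.get("cipher", "high")  # page default: high
        if cipher != "high":
            findings.append(f"authentication-rule {rule_id}: cipher {cipher} for groups {rule.get('groups')}")
    return findings
```

Paste the body of `show full-configuration` rather than a plain `show`, since the latter omits settings that still sit at their default. To confirm the exposure from the outside, `openssl s_client -connect <gateway>:4443 -tls1 -cipher DES-CBC3-SHA` should complete a handshake against the XP-compatible listener and fail against the hardened one (run it from a client whose OpenSSL build still has TLS 1.0 compiled in); the 3DES suite the XP client depends on is the one targeted by Sweet32, so keep the relaxation scoped in time and revert it when the last XP host is gone.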
With that in place the XP client dials in successfully:
[screenshots: SSL_VPN_13.png, SSL_VPN_14.png]
FG100E4Q16003872 # diagnose debug  application sslvpn -1
Debug messages will be on for 1 minutes.
FG100E4Q16003872 # diagnose debug  enable
[24423:root:1d]req: /remote/login
[24423:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24423:root:1d]rmt_web_get_access_cache:756 invalid cache, ret=4103
[24424:root:1d]allocSSLConn:280 sconn 0x35d27b00 (0:root)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1d]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1d]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1d]req: /remote/logincheck
[24424:root:1d]rmt_web_auth_info_parser_common:439 no session id in auth info
[24424:root:1d]rmt_web_access_check:682 access failed, uri=[/remote/logincheck],ret=4103,
[24424:root:1d]rmt_logincheck_cb_handler:900 user 'user1' has a matched local entry.
[24424:root:1d]sslvpn_auth_check_usrgroup:1766 forming user/group list from policy.
[24424:root:1d]sslvpn_auth_check_usrgroup:1808 got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1436 validating with SSL VPN authentication rules (1), realm ().
[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.
[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.
[24424:root:1d]sslvpn_validate_user_group_list:1503 checking rule 1 source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1542 checking rule 1 vd source intf.
[24424:root:1d]sslvpn_validate_user_group_list:1614 rule 1 done, got user (0) group (1:0).
[24424:root:1d]sslvpn_validate_user_group_list:1702 got user (0), group (1:0).
[24424:root:1d]two factor check for user1: off
[24424:root:1d]sslvpn_authenticate_user:167 authenticate user: [user1]

[24424:root:1d]sslvpn_authenticate_user:174 create fam state
[24424:root:1d]fam_auth_send_req:577 with server blacklist:
[24424:root:1d]fam_auth_send_req_internal:449 fnbam_auth return: 0
[24424:root:1d]fam_auth_send_req_internal:455 authentication OK
[24424:root:1d]fam_do_cb:479 fnbamd return auth success.
[24424:root:1d]SSL VPN login matched rule (1).
[24424:root:1d]rmt_web_session_create:709 create web session, idx[0]
[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32

[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local  IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200

[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat  192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
<---End--->

[24424:root:1d]login_succeeded:383 redirect to hostcheck
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1d]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1e]allocSSLConn:280 sconn 0x35ce4e00 (0:root)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1e]req: /
[24422:root:1e]mza: 0x12b74d4 /rmt_index.html
[24422:root:1e]def: 0x12b74d4 /rmt_index.html
[24423:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24423:root:1e]def: (nil) /remote/index
[24424:root:1e]allocSSLConn:280 sconn 0x35d27e00 (0:root)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:before SSL initialization (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24424:root:1e]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24424:root:1e]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]allocSSLConn:280 sconn 0x35ce5100 (0:root)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24422:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24422:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24422:root:1f]SSL established: TLSv1 DES-CBC3-SHA
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32
[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local  IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200
[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat  192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
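As an added example, not code from the original post, the following Python triage script classifies a `diagnose debug application sslvpn -1` capture into the three outcomes shown above (error 1: unsupported protocol, error 2: authentication-rule cipher mismatch, success) and flags every legacy TLSv1/3DES session the XP workaround relies on, so an administrator can see which clients still depend on it. The regexes and the sample captures are modelled on the log lines on this page; the sample captures are constructed excerpts, not the full logs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Patterns for the "diagnose debug application sslvpn -1" lines quoted on this page.
SSL_EST = re.compile(r"SSL established: (?P<proto>\S+) (?P<cipher>\S+)")
ACCEPT_FAIL = re.compile(r"SSL_accept failed, (?P<code>\d+):(?P<reason>.*)")
RULE_CIPHER = re.compile(r"checking rule (?P<rule>\d+) cipher")
LOGIN_OK = re.compile(r"SSL VPN login matched rule \((?P<rule>\d+)\)")
NO_CANDIDATE = "no valid user or group candidate found"

# Negotiated parameters worth flagging even when login succeeds: the fix on this page
# deliberately re-enables TLSv1 and the 3DES suite DES-CBC3-SHA for Windows XP clients.
LEGACY_PROTOS = {"SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_CIPHER_MARKERS = ("DES-CBC3", "DES-CBC-", "RC4", "NULL", "EXP")


@dataclass
class Triage:
    verdict: str
    sessions: List[Tuple[str, str]] = field(default_factory=list)        # (proto, cipher)
    legacy_sessions: List[Tuple[str, str]] = field(default_factory=list)
    hints: List[str] = field(default_factory=list)


def is_legacy(proto: str, cipher: str) -> bool:
    return proto in LEGACY_PROTOS or any(m in cipher for m in LEGACY_CIPHER_MARKERS)


def triage_sslvpn_debug(lines) -> Triage:
    """Classify one debug capture as protocol-mismatch, auth-rule-cipher-mismatch,
    login-ok or inconclusive, and list every TLS session it negotiated."""
    t = Triage(verdict="inconclusive")
    pending_rule = None       # rule whose cipher check is the last check seen so far
    cipher_rule_failed = None
    unsupported_proto = False
    login_rule = None
    for raw in lines:
        line = raw.strip()
        if m := SSL_EST.search(line):
            pair = (m["proto"], m["cipher"])
            t.sessions.append(pair)
            if is_legacy(*pair):
                t.legacy_sessions.append(pair)
        elif m := ACCEPT_FAIL.search(line):
            # "5:(null)" after "DH lib" precedes the real handshake in both failing
            # captures and is not decisive; error 1's signature is "unsupported protocol".
            if "unsupported protocol" in m["reason"]:
                unsupported_proto = True
        elif m := RULE_CIPHER.search(line):
            pending_rule = int(m["rule"])
        elif "checking rule" in line:
            pending_rule = None   # realm/source-intf checks only run once cipher passed
        elif NO_CANDIDATE in line and pending_rule is not None:
            cipher_rule_failed = pending_rule
        elif m := LOGIN_OK.search(line):
            login_rule = int(m["rule"])
    if login_rule is not None:
        t.verdict = "login-ok"
        t.hints.append(f"login matched authentication-rule {login_rule}")
    elif cipher_rule_failed is not None:
        t.verdict = "auth-rule-cipher-mismatch"
        t.hints.append(f"authentication-rule {cipher_rule_failed} rejected the negotiated "
                       "cipher (page fix: 'set cipher any' on that rule)")
    elif unsupported_proto:
        t.verdict = "protocol-mismatch"
        t.hints.append("gateway rejected the client's TLS version (page fix: "
                       "'set tlsv1-0 enable' plus TLS 1.0 in the client's Internet Options)")
    for proto, cipher in t.legacy_sessions:
        t.hints.append(f"legacy session {proto} {cipher}: limit this to the XP hosts that need it")
    return t


# Constructed excerpts modelled on the three captures on this page (not the full logs).
CAPTURE_ERROR1 = [
    "[24424:root:f]SSL state:fatal protocol version (192.168.91.126)",
    "[24424:root:f]SSL_accept failed, 1:unsupported protocol",
]
CAPTURE_ERROR2 = [
    "[24422:root:1b]SSL_accept failed, 5:(null)",
    "[24422:root:1c]SSL established: TLSv1 DES-CBC3-SHA",
    "[24422:root:1c]req: /remote/logincheck",
    "[24422:root:1c]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.",
    "[24422:root:1c]sslvpn_validate_user_group_list:1702 got user (0), group (0:0).",
    "[24422:root:1c]no valid user or group candidate found.",
]
CAPTURE_OK = [
    "[24424:root:1d]SSL established: TLSv1 DES-CBC3-SHA",
    "[24424:root:1d]sslvpn_validate_user_group_list:1484 checking rule 1 cipher.",
    "[24424:root:1d]sslvpn_validate_user_group_list:1492 checking rule 1 realm.",
    "[24424:root:1d]SSL VPN login matched rule (1).",
    "[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    for name, cap in (("error1", CAPTURE_ERROR1), ("error2", CAPTURE_ERROR2), ("ok", CAPTURE_OK)):
        r = triage_sslvpn_debug(cap)
        print(f"{name}: {r.verdict}", *r.hints, sep="\n  ")
```

Feed it the raw output of the debug command (one line per list element); a "login-ok" verdict with a legacy session listed is exactly the post-fix state shown above and is what to watch for once the XP hosts are retired.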
<--- End --->
[24422:root:1f]req: /remote/fortisslvpn_xml
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24422:root:1f]sslvpn_reserve_dynip:1143 tunnel vd[root] ip[10.212.134.200] app session idx[0]
[24423:root:1f]allocSSLConn:280 sconn 0x35d28100 (0:root)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:before SSL initialization (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server hello (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write certificate (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done:system lib(192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write server done (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read client key exchange (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS read finished (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write session ticket (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write change cipher spec (192.168.91.126)
[24423:root:1f]SSL state:SSLv3/TLS write finished (192.168.91.126)
[24423:root:1f]SSL state:SSL negotiation finished successfully (192.168.91.126)
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24423:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]allocSSLConn:280 sconn 0x35c77800 (0:root)
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]sslvpn_dtls_handle_client_data:651 got type clthello
[24424:root:1f]sslvpn_dtls_handle_client_data:661 got cookie: 7MShUOJ6QDpGmm0IpT18T2O7EaSKOhHN7ECzQEeVIwNnw/zbuRD1NTNqAmEQntupD1moCW9RXRJpb7AHHj7nMnOyT5P23kG3A6z5bkOqXlCy+JbqRqfH51rRLJNJO/ZDFilf47fXID95ELzjlfcXF+hCtPuWs80YmrzRvvyBXDCKa1PddCC8JNwnUyrZ9U1DLTI5lD8xxQw5gtnYlL4PiWSvpvEpsZZFXD1d1SFItu4hLasg26KLKzffLcHp4iQV
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0,auth=1,sid=6dfbbca, login=1531127428, access=1531127428
[24424:root:1f]sconn 0x35c77800 (0:root) vfid=0 local=[202.100.1.25] remote=[192.168.91.126] dynamicip=[10.212.134.200]
[24424:root:1f]Prepare to launch ppp service ...
[24424:root:1f]tun: ppp 0x35e3f000 dev (ssl.root) opened fd 32

[24424:root:1f]Will add auth policy for policy 16 for user user1:SSL_VPN_User_Group
[24424:root:1f]Add auth logon for user user1:SSL_VPN_User_Group, matched group number 1
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: svrhello ok 192.168.91.126
[24423:root:1f]sslvpn_read_request_common,674, ret=-1 error=-1, sconn=0x35d28100.
[24423:root:1f]Destroy sconn 0x35d28100, connSize=2. (root)
[24424:root:0]RCV: LCP Configure_Request id(0) len(45) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU] [Multilink_Endpoint_Descriminator]
[24424:root:0]SND: LCP Configure_Request id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]lcp_reqci: returning CONFREJ.
[24424:root:0]SND: LCP Configure_Reject id(0) len(12) [Protocol_Field_Compression] [Address-and-Control-Field-Compression] [Multilink_MRRU]
[24424:root:0]RCV: LCP Configure_Ack id(1) len(10) [Magic_Number 7FF3F2C6]
[24424:root:0]RCV: LCP Configure_Request id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_reqci: returning CONFACK.
[24424:root:0]SND: LCP Configure_Ack id(1) len(37) [Maximum_Received_Unit 1354] [Magic_Number 24550F26] [Multilink_Endpoint_Descriminator]
[24424:root:0]lcp_up: with mtu 1354
[24424:root:0]SND: IPCP Configure_Request id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: CCP Configure_Request id(2) [Microsoft_PPC]
[24424:root:0]SND: LCP Protocol_Reject id(2) len(18)
[24424:root:0]RCV: IPCP Configure_Request id(3) [IP_Address 0.0.0.0] [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-REJ
[24424:root:0]SND: IPCP Configure_Reject id(3) [Primary_DNS_IP_Address 0.0.0.0] [Primary_WINS_IP_Address 0.0.0.0] [Seconday_DNS_IP_Address 0.0.0.0] [Seconday_WINS_IP_Address 0.0.0.0]
[24424:root:0]RCV: IPCP Configure_Ack id(1) [IP_Address 202.100.1.25]
[24424:root:0]RCV: IPCP Configure_Request id(4) [IP_Address 0.0.0.0]
[24424:root:0]ipcp: returning Configure-NAK
[24424:root:0]SND: IPCP Configure_Nak id(4) [IP_Address 10.212.134.200]
[24424:root:0]RCV: IPCP Configure_Request id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: returning Configure-ACK
[24424:root:0]SND: IPCP Configure_Ack id(5) [IP_Address 10.212.134.200]
[24424:root:0]ipcp: up ppp:0x35e3f000 caller:0x35c77800 tun:32
[24424:root:0]Cannot determine ethernet address for proxy ARP
[24424:root:0]local  IP address 202.100.1.25
[24424:root:0]remote IP address 10.212.134.200

[24424:root:1f]sslvpn_ppp_associate_fd_to_ipaddr:279 associate 10.212.134.200 to tun (ssl.root:32)
[24424:root:1f]sslvpn_send_ctrl_msg:925 0x35c77800 message: heartbeat  192.168.91.126
[24424:root:1d]Timeout for connection 0x35d27b00.
[24424:root:1d]Destroy sconn 0x35d27b00, connSize=2. (root)
[24424:root:1e]Timeout for connection 0x35d27e00.
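To put a trace like the one above to defensive use, here is an added example (not code from the original article or from Fortinet) that parses `diagnose debug application sslvpn -1` output per connection and flags the sessions that negotiated the legacy protocol or 3DES cipher the XP workaround re-enables, so the exception can be scoped to the users that actually need it and watched for. The sample lines are constructed in the shape of the log above; the regexes and the legacy/weak lists are my assumptions about the line format, not a Fortinet parser.

```python
import re

# Constructed sample in the shape of the `diagnose debug application sslvpn -1` output above (abbreviated, not verbatim).
SAMPLE_LOG = """\
[24423:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24423:root:1e]req: /remote/index
[24424:root:1e]SSL established: TLSv1 DES-CBC3-SHA
[24424:root:1e]req: /remote/fortisslvpn
[24424:root:1e]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0
[24423:root:1f]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[24423:root:1f]req: /remote/fortisslvpn_xml
[24424:root:1f]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA from 192.168.91.126
[24424:root:1f]deconstruct_session_id:378 decode session id ok, user=[user1],group=[SSL_VPN_User_Group],authserver=,portal=[full-access],host=[192.168.91.126],realm=,idx=0
"""
LINE_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")   # [pid:vdom:conn-idx]message (assumed layout)
EST_RE = re.compile(r"^(SSL|DTLS) established: (\S+) (\S+)")   # transport, version, cipher suite
SESS_RE = re.compile(r"user=\[([^\]]*)\],group=\[([^\]]*)\].*?host=\[([^\]]*)\]")
REQ_RE = re.compile(r"^req: (\S+)")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "DTLSv1"}      # deprecated versions (RFC 8996 covers TLS 1.0/1.1 and DTLS 1.0)
WEAK_TOKENS = {"DES", "RC4", "EXP", "NULL", "MD5", "ADH", "AECDH"}  # 3DES/DES, RC4, export, NULL, MD5 MAC, anonymous suites


def audit_sslvpn_debug(text):
    """Group lines per connection; return negotiated protocol/cipher, user, request path and legacy reasons."""
    conns = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # PPP/LCP noise, cookies, state lines: not needed for the audit
        key = ":".join(m.group(1, 2, 3))
        rec = conns.setdefault(key, {"conn": key, "transport": None, "protocol": None, "cipher": None,
                                     "user": None, "group": None, "host": None, "req": None, "legacy": []})
        msg = m.group(4)
        if (e := EST_RE.match(msg)):
            rec["transport"], rec["protocol"], rec["cipher"] = e.groups()
            if rec["protocol"] in LEGACY_PROTOCOLS:
                rec["legacy"].append("deprecated protocol " + rec["protocol"])
            weak = sorted(WEAK_TOKENS & set(rec["cipher"].split("-")))  # DES-CBC3-SHA -> ["DES"]
            if weak:
                rec["legacy"].append("weak cipher component " + ",".join(weak))
        elif (s := SESS_RE.search(msg)):
            rec["user"], rec["group"], rec["host"] = s.groups()
        elif (r := REQ_RE.match(msg)):
            rec["req"] = r.group(1)
    return list(conns.values())


def legacy_sessions(text):
    """Connections to watch while the XP exception (TLS 1.0 / lowered cipher strength) is in force."""
    return [r for r in audit_sslvpn_debug(text) if r["legacy"]]
```

Run against a full capture, the browser-portal connections from XP show up as TLSv1 with DES-CBC3-SHA, while the tunnel client (`/remote/fortisslvpn_xml`) still negotiates TLSv1.2, which is what the trace above records.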
<---End--->