Tuesday, September 26, 2017

DTLS for FortiClient on FortiOS v5.4

In this blog post I will show you how to enable DTLS for FortiClient. In this example we have the following:

FortiGate = 900D
FortiOS = v5.4.5
FortiClient = v5.6.0
OS = Windows 10


1st, 

DTLS is only supported in the Windows FortiClient versions (sorry, no support for macOS!).

2nd, 

You need 5.4.x code or higher to enable DTLS on the FortiGate.

3rd,

You must enable DTLS preferred in the client XML configuration (download the config and edit the highlighted line to a value of 1).



4th

Ensure you have access to the UDP port. In this example I'm using my macOS host to check that udp.port 443 is available via gnutls-cli (use the -u switch for UDP).
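The same check as an added Python example (not from the original post, and not a Fortinet tool): it sends one bare DTLS 1.2 ClientHello to the UDP port and names what comes back. A HelloVerifyRequest or ServerHello means a DTLS listener answered; a timeout usually means UDP is filtered somewhere on the path. The cipher-suite list and the timeout are assumed values.

```python
"""Probe a UDP port for a DTLS listener with a minimal DTLS 1.2 ClientHello (first flight, empty cookie)."""
import os
import socket
import struct
import sys

DTLS12 = b"\xfe\xfd"                       # DTLS 1.2 version on the wire
HANDSHAKE = 0x16                           # record-layer content type
HELLO_VERIFY_REQUEST, SERVER_HELLO = 3, 2  # handshake message types we expect back
# Assumed cipher suites (ECDHE-RSA GCM x2, RSA-AES128-CBC); any DTLS server answers the first flight anyway
CIPHER_SUITES = b"\xc0\x30\xc0\x2f\x00\x2f"


def build_client_hello() -> bytes:
    """Return one DTLS record carrying a ClientHello with an empty cookie."""
    body = (DTLS12 + os.urandom(32)            # client_version + 32-byte random
            + b"\x00"                           # session_id length 0
            + b"\x00"                           # cookie length 0 -> server should send HelloVerifyRequest
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                      # one compression method: null
    # DTLS handshake header: type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)
    hs = (b"\x01" + len(body).to_bytes(3, "big") + b"\x00\x00"
          + b"\x00\x00\x00" + len(body).to_bytes(3, "big") + body)
    # Record header: type(1) version(2) epoch(2) sequence_number(6) length(2)
    return bytes([HANDSHAKE]) + DTLS12 + b"\x00\x00" + b"\x00" * 6 + struct.pack("!H", len(hs)) + hs


def classify_response(data: bytes) -> str:
    """Name the handshake message in a DTLS response record, or 'not-dtls' for anything else."""
    # Servers may answer with record version DTLS 1.0 (fe ff) on the first flight, so accept both
    if len(data) < 14 or data[0] != HANDSHAKE or data[1:3] not in (DTLS12, b"\xfe\xff"):
        return "not-dtls"
    msg_type = data[13]  # first byte after the 13-byte record header is the handshake type
    names = {HELLO_VERIFY_REQUEST: "HelloVerifyRequest", SERVER_HELLO: "ServerHello"}
    return names.get(msg_type, f"handshake-type-{msg_type}")


def probe_dtls(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Send the ClientHello over UDP and report the answer ('timeout' usually means UDP is filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_hello(), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


if __name__ == "__main__":
    print(probe_dtls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```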






The mode of operation is very simple:

The FortiClient talks TCP over the designated port and then switches to UDP if the client prefers UDP.

Keep in mind that going through an HTTP forward proxy might break the renegotiation to UDP, but if the DTLS setup fails, the client will fall back to just tcp.port 443.

Here's a dump of traffic showing Windows standard and 1200-byte pings.





Here's a snippet of a Windows 10 FortiClient exported log.





One cool thing you can do: you can run a diagnostic session from the CLI and see the client. Be advised the SSLVPN session is terminated to a "pseudo firewall policy #".





     valid firewall policies numbers are 1 thru 4294967294



This is where the Cisco ASA has an advantage: the Cisco ASA has supported DTLS for 5+ years with WebVPN.


Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \
