Unable to connect via mobile user vpn ssl
I try to connect from an external computer to the firebox of my company with the watchguard mobile vpn via ssl.
When I am at my office, I am able to connect using the firebox ip address and the port used for the vpn example 192.168.0.254:442 and the username / pass .
But when I try to connect outside of the office using the ip adress of the company, the port and the credential of the user. It is impossible to connect.
Here is the log :
2020-03-11T20:21:34.294 Launching WatchGuard Mobile VPN with SSL client. Version 12.5.2 (Build 606431) Built:Nov 4 2019 13:40:17
2020-03-11T20:22:24.904 Requesting client configuration from 74.57.205.56:442
2020-03-11T20:22:29.936 VERSION file is 5.33, client version is 5.33
2020-03-11T20:22:30.436 LaunchOpenVPN: openvpn full command-line(first 8 chars): "C:\Prog, length: 248
2020-03-11T20:22:30.436 LaunchOpenVPN: vpn config full path(first 8 chars): C:\Users, length: 53
2020-03-11T20:22:30.967 OVPN:>HOLD:Waiting for hold release:0
2020-03-11T20:22:31.045 OVPN:>LOG:1583972550,D,MANAGEMENT: CMD ''
2020-03-11T20:22:31.045 OVPN:>LOG:1583972550,D,MANAGEMENT: CMD 'hold release'
2020-03-11T20:22:31.045 OVPN:SUCCESS: hold release succeeded
2020-03-11T20:22:31.045 OVPN:>PASSWORD:Need 'Auth' username/password
2020-03-11T20:22:31.123 OVPN:>LOG:1583972551,D,MANAGEMENT: CMD 'username "Auth" "Pierre"'
2020-03-11T20:22:31.123 OVPN:SUCCESS: 'Auth' username entered, but not yet verified
2020-03-11T20:22:31.123 OVPN:>LOG:1583972551,D,MANAGEMENT: CMD 'password [...]'
2020-03-11T20:22:31.123 OVPN:SUCCESS: 'Auth' password entered, but not yet verified
2020-03-11T20:22:31.123 OVPN:>LOG:1583972551,I,TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.254:442
2020-03-11T20:22:31.123 OVPN:>LOG:1583972551,,Socket Buffers: R=[65536->65536] S=[65536->65536]
2020-03-11T20:22:31.123 OVPN:>LOG:1583972551,I,Attempting to establish TCP connection with [AF_INET]192.168.0.254:442 [nonblock]
2020-03-11T20:22:31.123 OVPN:>LOG:1583972551,,MANAGEMENT: >STATE:1583972551,TCP_CONNECT,,,,,,
2020-03-11T20:22:31.123 OVPN:>STATE:1583972551,TCP_CONNECT,,,,,,
What is the problem??
Answers
Hi @Seb1978
192.168.0.254 is the internal IP of your firewall -- you'll need the external IP of your firewall to connect to it externally.
When you're in the office, try going to a site like ipchicken.com, and see what address you get back. That will be your external IP.
-James Carson
WatchGuard Customer Support
This is what I did with whatismyipaddress.com and it gave me 74.57.205.56.
The address I am using, like you can see at the start of the log.
It is also the address that I see next to the eth0: external 74.57.205.56 (DHCP) on the watchguard system manager.
1) consider opening a support incident on this t get help from a WG rep.
Select SUPPORT CENTER above, sign in (if needed) and then Create New Case.
2) You can turn on diagnostic logging for SSLVPN which may show something to help in Traffic Monitor:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
In the Web UI: System -> Diagnostic Log
Set the slider to Information or higher
A WG support rep will probably want to see these too.
Also, I suppose that something could be blocking TCP port 442.
The next log message should be -
TCP connection established
Traffic Monitor diag logs may well help here.
The good news is that your SSLVPN web login page comes up on the 74.57.205.56 IP and port 442. Test logging into that first.
Gregg Hill
Hi @Seb1978
The VPN client is probably getting that internal IP from somewhere.
If you go to
(in WebUI) VPN -> Mobile VPN, Click on Mobilr VPN with SSL -> Configure.
(In Policy Manager) VPN -> Mobile VPN -> SSL
Under Firebox IP address, please make sure whatever IP you're connecting to externally is entered here. If 74.57.205.56 isn't here, please put it here, save, then try again.
Thakn you,
-James Carson
WatchGuard Customer Support
I can access the login page at https://74.57.205.56:442
A support incident or diagnostic logging is next
Regarding "In Policy Manager) VPN -> Mobile VPN -> SSL
Under Firebox IP address, please make sure whatever IP you're connecting to externally is entered here" comment, the SSLVPN actually does work with completely bogus domain names entered there. For testing, I set mine to "vpn.completelybogusdomain.net" and the backup to "sparky.nowheredomain.com" and then used my WAN IP to connect to the SSLVPN. Of course, it pops up a certificate warning window, but goes ahead and connects if that windows is approved.
I was curious, so I tested.
Gregg Hill
V12.5.3 is just out today with this fix:
. The Mobile VPN with SSL client can now connect to the Firebox backup IP address when the primary IP address is unavailable. [FBX-16284]