
SSL VPN from DMZ - hostname DNS resolution

I have the following setup:
WAN > DSL router > DMZ > UTM > Internal network

I have configured an SSL VPN connection with the hostname: vpn.contoso.com (with a public DNS entry pointing to my static public IP). This works as intended from the WAN.
However, we also have several people connecting from the DMZ via wifi. I want their requests to go directly to the UTM (not outside and back in). What is the best practice for this? I've tried copying the ovpn profile and changing the hostname to the DMZ IP of the UTM. It actually connects, but shortly afterwards disconnects with an authentication failure. I'm guessing the UTM wants the configured hostname? Here's the log:

12:14:31 Attempting to establish TCP connection with [AF_INET]192.168.0.2:444 [nonblock]
12:14:31 MANAGEMENT: >STATE:1570788871,TCP_CONNECT,,,,,,
12:14:32 TCP connection established with [AF_INET]192.168.0.2:444
12:14:32 TCPv4_CLIENT link local: [undef]
12:14:32 TCPv4_CLIENT link remote: [AF_INET]192.168.0.2:444
12:14:32 MANAGEMENT: >STATE:1570788872,WAIT,,,,,,
12:14:32 MANAGEMENT: >STATE:1570788872,AUTH,,,,,,
12:14:32 TLS: Initial packet from [AF_INET]192.168.0.2:444, sid=3ecfd9f4 f1a7ff05
12:14:32 VERIFY OK: ---(removed)---
12:14:32 VERIFY X509NAME OK: ---(removed)---
12:14:32 VERIFY OK: depth=0, ---(removed)---
12:14:32 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
12:14:32 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
12:14:32 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
12:14:32 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
12:14:32 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
12:14:32 [utm] Peer Connection Initiated with [AF_INET]192.168.0.2:444
12:14:33 MANAGEMENT: >STATE:1570788873,GET_CONFIG,,,,,,
12:14:34 SENT CONTROL [utm]: 'PUSH_REQUEST' (status=1)
12:14:34 AUTH: Received control message: AUTH_FAILED
12:14:34 SIGUSR1[soft,auth-failure] received, process restarting
12:14:34 MANAGEMENT: >STATE:1570788874,RECONNECTING,auth-failure,,,,,
12:14:34 Restart pause, 5 second(s)
12:14:52 MANAGEMENT: Client disconnected
12:14:52 ERROR: could not read Auth username/password/ok/string from management interface
12:14:52 Exiting due to fatal error
12:14:52 Assertion failed at misc.c:779
12:14:52 Exiting due to fatal error

(My initial idea was to add a DNS entry on my DSL router and do split DNS, but it doesn't seem to work for internal requests.)
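As an added example (not part of the original post), here is a small Python classifier for OpenVPN client logs of the shape shown above. It takes the post's log as embedded sample input, plus a constructed certificate-failure log for contrast, and reports the layer at which the connection broke: transport, TLS handshake, or post-handshake authentication. In the post's log all three VERIFY lines pass, including the VERIFY X509NAME check, which compares the name inside the server certificate rather than the address the client dialled, and the server then answers the PUSH_REQUEST with AUTH_FAILED; the classifier therefore places that failure after the handshake rather than in certificate or hostname verification. The line patterns are taken from the OpenVPN client output shown; the verdict labels, the `Diagnosis` structure and the contrast log are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the client log from the post above, trimmed to the lines the
# classifier looks at (the VERIFY subjects were already redacted in the post).
SAMPLE_LOG = """\
12:14:31 Attempting to establish TCP connection with [AF_INET]192.168.0.2:444 [nonblock]
12:14:32 TCP connection established with [AF_INET]192.168.0.2:444
12:14:32 TLS: Initial packet from [AF_INET]192.168.0.2:444, sid=3ecfd9f4 f1a7ff05
12:14:32 VERIFY OK: ---(removed)---
12:14:32 VERIFY X509NAME OK: ---(removed)---
12:14:32 VERIFY OK: depth=0, ---(removed)---
12:14:32 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
12:14:32 [utm] Peer Connection Initiated with [AF_INET]192.168.0.2:444
12:14:34 SENT CONTROL [utm]: 'PUSH_REQUEST' (status=1)
12:14:34 AUTH: Received control message: AUTH_FAILED
12:14:34 SIGUSR1[soft,auth-failure] received, process restarting
"""

# Constructed contrast case (not from the post): the client's trust store does
# not match the server certificate, so the handshake itself fails.
CERT_FAIL_LOG = """\
12:20:01 TCP connection established with [AF_INET]192.168.0.2:444
12:20:01 TLS: Initial packet from [AF_INET]192.168.0.2:444, sid=00000000 00000000
12:20:01 VERIFY ERROR: depth=0, error=certificate signature failure
12:20:01 TLS_ERROR: BIO read tls_read_plaintext error
12:20:01 TLS Error: TLS handshake failed
"""

_TS = re.compile(r"^\d\d:\d\d:\d\d\s+")
_REMOTE = re.compile(r"TCP connection established with \[AF_INET\](\S+)")
_VERIFY_OK = re.compile(r"^VERIFY (?:X509NAME )?OK\b")


@dataclass
class Diagnosis:
    remote: Optional[str] = None
    tcp_connected: bool = False
    verify_ok: int = 0          # certificate-chain / name checks that passed
    verify_error: bool = False  # any VERIFY ERROR / TLS Error line seen
    peer_initiated: bool = False
    auth_failed: bool = False
    completed: bool = False
    verdict: str = "unknown"


def diagnose(log_text: str) -> Diagnosis:
    """Walk an OpenVPN client log once and report the layer at which it broke."""
    d = Diagnosis()
    for raw in log_text.splitlines():
        line = _TS.sub("", raw.strip())  # drop the HH:MM:SS prefix
        m = _REMOTE.search(line)
        if m:
            d.tcp_connected, d.remote = True, m.group(1)
        elif _VERIFY_OK.match(line):
            d.verify_ok += 1
        elif line.startswith("VERIFY ERROR") or line.startswith("TLS_ERROR") or "TLS Error" in line:
            d.verify_error = True
        elif "Peer Connection Initiated" in line:
            d.peer_initiated = True
        elif "Received control message: AUTH_FAILED" in line:
            d.auth_failed = True
        elif "Initialization Sequence Completed" in line:
            d.completed = True

    # Order matters: the first layer that failed explains everything after it.
    if not d.tcp_connected:
        d.verdict = "transport"  # never reached the port: route, firewall or wrong port
    elif d.verify_error:
        d.verdict = "tls"        # handshake broke: CA, name check or expired certificate
    elif d.auth_failed:
        d.verdict = "auth"       # chain and name verified; server refused the session afterwards
    elif d.completed:
        d.verdict = "ok"
    return d


if __name__ == "__main__":
    for name, log in (("post", SAMPLE_LOG), ("constructed cert failure", CERT_FAIL_LOG)):
        r = diagnose(log)
        print(f"{name}: remote={r.remote} verify_ok={r.verify_ok} verdict={r.verdict}")
```

Run it as a script, or paste a fresh client log into `diagnose()`. A verdict of `auth` after a full set of VERIFY OK lines tells you to look at what the server does with the session after the handshake (user credentials, the user's permission to use the VPN, or server-side address-based rules for that listener), not at the certificate or the name in the profile's `remote` line.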
