Technical Tip: Configuring dial-up IPsec VPN using signature, EAP, and OTP for authentication
| Description | This article describes a dial-up IPsec configuration using multi-factor authentication that combines a certificate, a username/password, and an OTP. |
| Scope | This scenario configures a FortiGate as the VPN server terminating the dial-up IPsec tunnel, with a FortiAuthenticator acting as the RADIUS server and CA server and providing FortiToken. The client is FortiClient with FortiToken Mobile on a Windows 11 machine. Note: Microsoft Active Directory is used as the LDAP server.
Hostnames:
Configuration steps:
|
| Solution | Configuring Certificates on the FortiAuthenticator:
Generating and exporting a CA certificate: In this step, a local CA is created on the FortiAuthenticator; in the following steps it is used to generate and sign the digital certificates for the VPN gateway (the FortiGate) and for the end user.
Certificate Management -> Certificate Authorities -> Local CAs.
For the CN of the root CA, use the FQDN of the FortiAuthenticator found in System -> Dashboard -> Status; under the System Information widget, Device FQDN. In this example, its IP address is used as the Device FQDN.
Then export the root CA certificate to import it into FortiGate and the Windows client. For this, select the CA just created, and then select the 'Export Certificate' as shown below:
The certificate will be downloaded with a '.crt' extension:
Generating and exporting the user certificate for the FortiGate:
Generate and sign a certificate for the FortiGate following the steps below:
Navigate to Certificate Management -> End Entities -> Users -> Create New.
Then select and export the certificate that will be imported on the FortiGate: Certificate Management -> End Entities -> Users -> select the certificate generated for the FortiGate, and then select 'Export Key and Cert':
Enter a passphrase to protect the certificate file and select the Save button:
Next, download the PKCS#12 file to import it on the FortiGate in the next step:
Generating and exporting a user certificate for the end user:
Following similar steps, generate and sign a certificate for the end user under Certificate Management -> End Entities -> Users -> Create New.
Note: In the 'Subject Alternative Name' field, enter the username in 'User Principal Name' format, exactly as it appears in Active Directory. Select the user certificate and select 'Export Key and Cert' to download the PKCS#12 file:
Enter a passphrase and select the Save button, then download the PKCS#12 file and select Finish:
Import CA and User certificates on FortiGate: Next, import the CA certificate on the FortiGate: System -> Certificates -> Create/Import -> CA Certificate.
On the Import page, select File, browse to the 10.26.51.18.cer file, and upload it:
It will be imported as shown below:
Next, import the user certificate generated for the FortiGate: System -> Certificates -> Create/Import -> Certificate.
After, select the Import Certificate button:
On the 'Import' page select the 'PKCS#12 Certificate', locate the file downloaded in previous step (fgt80ipsec.p12), enter the passphrase, and select Create:
Verify the certificate under the System -> Certificates page:
Import CA and user certificates on the user machine:
To import and install the certificates on the Client machine, copy the certificate files on the PC:
First, install the CA certificate by double-clicking the file and then selecting 'Install Certificate…':
Select the Trusted Root Certificate Authorities as the Certificate Store:
Select Finish:
To install User Certificate, double-click the file:
Enter the passphrase entered when exporting the certificate:
Select 'Personal' as the Certificate Store:
Then select Finish.
Configuring Authentication Services on the FortiAuthenticator:
First, make sure that RADIUS services are enabled under Network -> Interfaces -> Access Rights -> Services:
Define the FortiGate as a RADIUS client: Authentication -> RADIUS Service -> Clients:
Enter a name for the Client, IP address, and RADIUS secret, then select Save:
Create an LDAP server as the remote authentication server under Authentication -> Remote Auth. Servers -> Create New.
Fill in the form as shown in the picture below:
Note: Enabling 'Windows Active Directory Domain Authentication' will join the FortiAuthenticator to the domain. Select Save.
Create a realm for the LDAP user authentication: Authentication -> User Management -> Realm -> Create New.
Enter a name, select the LDAP that was created in the previous step, and select Save.
Create a policy for the RADIUS service: Authentication -> RADIUS service -> Policies:
Enter a name for the policy, select the RADIUS client, and select Next:
Keep the default settings on the next page and select Next:
Select 'Password/OTP authentication', enable Accept EAP and EAP-MSCHAPv2, and select Next:
Select and enable the settings as shown below and select Next.
Note: In the Realm column, select the Realm that was created in the previous step:
Select Next.
Select Next. Select Update and Exit:
Configuring FortiToken on the FortiAuthenticator: Check the links below for details on how to activate the license and assign FortiToken Mobile to users:
After the activation code is entered and the settings are saved, verify the new token as shown below:
Follow the steps below to import or sync remote users from the LDAP server:
Go to Authentication -> User Management -> Remote Users.
Select Import:
Select the remote LDAP server created before and select Import.
Verify the users created on the LDAP:
When creating the LDAP server, the 'Internal Users' group was used as the Base distinguished name in this example, so all the users under this group are now imported into the FortiAuthenticator 'Remote Users':
Note: To automatically sync with the LDAP and update the Users, create a 'Remote User Sync Rule' as follows: Authentication -> User Management -> Remote User Sync Rules.
Select LDAP and Create New:
Select 'Test Filter', and test the LDAP connection and the Base DN:
Note: For the FortiToken to work properly, the FortiToken Mobile app on the client machine must be able to reach the FortiAuthenticator public IP/FQDN. Verify and check this setting under System -> Administration -> System Access:
Configuring the FortiGate for the dial-up VPN. The relevant CLI configuration used in this example is shown below. Note that the 'ldapcertuser' peer object referenced by the peer group, the 'CertVPN_split' split-tunnel address and the 'LAB1' destination address are not included in this excerpt.
```
config system interface
    edit "lan"
        set vdom "root"
        set ip 10.26.2.108 255.255.192.0
        set allowaccess ping https ssh snmp http telnet fgfm
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 21
    next
    edit "LDAPCert"
        set vdom "root"
        set type tunnel
        set snmp-index 31
        set interface "wan1"
    next
end
config user group
    edit "LDAPCertUsers"
        set member "ldapcertuser"
    next
    edit "RADGroup"
        set member "FACRAD"
    next
end
config user peergrp
    edit "grp-ldap-cert"
        set member "ldapcertuser"
    next
end
config user radius
    edit "FACRAD"
        set server "10.26.21.58"
        set secret ENC …
    next
end
config vpn ipsec phase1-interface
    edit "LDAPCert"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set peertype peergrp
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set negotiate-timeout 60
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set eap-cert-auth enable
        set wizard-type dialup-forticlient
        set authusrgrp "RADGroup"
        set certificate "fgt80ipsec"
        set peergrp "grp-ldap-cert"
        set ipv4-start-ip 10.113.113.2
        set ipv4-end-ip 10.113.113.10
        set dns-mode auto
        set ipv4-split-include "CertVPN_split"
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "LDAPCert"
        set phase1name "LDAPCert"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
config firewall address
    edit "CertVPN_range"
        set uuid cdd241ce-f2d3-51f0-8668-be078baaf409
        set type iprange
        set comment "VPN: CertVPN (Created by VPN wizard)"
        set start-ip 10.113.113.2
        set end-ip 10.113.113.10
    next
end
config firewall policy
    edit 5
        set name "VPN-Policy"
        set uuid 1f21830a-05bc-51f1-4462-e7b263635815
        set srcintf "LDAPCert"
        set dstintf "lan"
        set action accept
        set srcaddr "CertVPN_range"
        set dstaddr "LAB1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
```
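As an added example (not Fortinet code and not part of the original article), the following Python parses the config/edit/set/next/end layout shown above into a tree and checks the settings this design relies on: IKEv2, signature authentication, EAP on top of it, and client certificate validation during EAP. It runs over a constructed, trimmed copy of the phase1/phase2 stanzas and flags the SHA-1 phase2 proposals the VPN wizard left in.

```python
import shlex

# Constructed sample: a trimmed copy of the phase1/phase2 stanzas shown in this article.
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "LDAPCert"
        set ike-version 2
        set authmethod signature
        set peertype peergrp
        set eap enable
        set eap-cert-auth enable
        set authusrgrp "RADGroup"
        set certificate "fgt80ipsec"
    next
end
config vpn ipsec phase2-interface
    edit "LDAPCert"
        set phase1name "LDAPCert"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end"""

def parse_fortios(text):
    """Parse flat FortiOS sections into {section: {entry: {key: [values]}}}."""
    tree, stack, entry = {}, [], None
    for tokens in map(shlex.split, text.splitlines()):  # shlex honours the quoted names FortiOS emits
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(" ".join(args))
            tree.setdefault(stack[-1], {})
        elif cmd == "edit":
            entry = tree[stack[-1]].setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            stack.pop()
    return tree

# Settings the article's design depends on: IKEv2, certificate auth, EAP, and peer-cert checking during EAP.
REQUIRED = {"ike-version": "2", "authmethod": "signature", "eap": "enable", "eap-cert-auth": "enable"}

def check_tunnel(tree, name):
    """Return findings for one dial-up tunnel; an empty list means it matches the design."""
    p1 = tree.get("vpn ipsec phase1-interface", {}).get(name, {})
    p2 = tree.get("vpn ipsec phase2-interface", {}).get(name, {})
    findings = [f"{name}: expected '{k} {v}', got {p1.get(k)}"
                for k, v in REQUIRED.items() if p1.get(k, [None])[0] != v]
    if not p1.get("authusrgrp"):
        findings.append(f"{name}: no authusrgrp, EAP users are not limited to a RADIUS group")
    for prop in p1.get("proposal", []) + p2.get("proposal", []):
        if prop.endswith(("sha1", "md5")):   # legacy integrity algorithms
            findings.append(f"{name}: weak proposal {prop}")
    return findings
```

Run `check_tunnel(parse_fortios(open("fgt.conf").read()), "LDAPCert")` against a `show full-configuration` export to review a real tunnel the same way.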
Configuring dial-up IPsec VPN on the FortiClient.
Verification: Select Connect on the FortiClient VPN Connection:
Enter user credentials:
Enter the token code:
On the FortiGate:
```
FGT80E-2 (root) # get vpn ipsec tunnel summary
'LDAPCert_0' 10.5.149.167:57661  selectors(total,up): 1/1  rx(pkt,err): 1/0  tx(pkt,err): 0/0

FGT80E-2 (root) # diagnose vpn tunnel list name LDAPCert
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=LDAPCert ver=2 serial=1 10.5.130.108:0->0.0.0.0:0 nexthop= tun_id=10.0.0.1 tun_id6=::10.0.0.1 status=up dst_mtu=0 weight=1
bound_if=5 real_if=0 lgwy=static/1 tun=intf mode=dialup/2 encap=none/552 options[0228]=npu frag-rfc  role=primary accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=1 refcnt=4 ilast=4563207 olast=4563207 ad=/0
stat: rxp=44067 txp=11 rxb=3294040 txb=952
dpd: mode=on-idle on=-1 status=ok idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
```
To find more details regarding dial-up VPN, see the following:
|