Technical Tip: Unable to establish a connection for an agentless user when using Quantum Cryptography
| Description | This article explains the process for troubleshooting VPN issues when using an agentless client. |
| Scope | FortiOS. |
| Solution | If a browser-based agentless VPN user is unable to connect to the VPN gateway while using PQC, the following steps can be followed. |

Step 1: Check whether any legacy keys, such as SHA-1 or SHA-256, are still configured. If they are, they should be deprecated or removed. Next, select and enable a supported Post-Quantum Cryptography (PQC) algorithm to ensure compatibility with quantum-resistant encryption standards.

```
FortiGate (settings) (test)# show
config vpn ssl settings
    set banned-cipher SHA1     <----- Could block traditional keys.

FortiGate (settings) (test)# set tls-groups ?
P-521              P-521
P-384              P-384
P-256              P-256
ML-KEM512          ML-KEM512
ML-KEM768          ML-KEM768
ML-KEM1024         ML-KEM1024
P-384-MLKEM1024    P-384-MLKEM1024
P-256-MLKEM768     P-256-MLKEM768
X25519-MLKEM768    X25519-MLKEM768
X448               X448
X25519             X25519
FFDHE2048          FFDHE2048
FFDHE3072          FFDHE3072
FFDHE4096          FFDHE4096
FFDHE6144          FFDHE6144
FFDHE8192          FFDHE8192
```

Step 2: The supported cipher groups depend on the browser settings. Chrome supports the following groups, which can be verified through the browser's developer tools. If the browser is using a different key group, update the tls-groups configuration on the FortiGate accordingly. This can also be validated by analyzing a packet capture of the ClientHello in Wireshark.

```
X25519MLKEM768 (0x11ec)
x25519 (0x001d)
secp256r1 (0x0017)
secp384r1 (0x0018)
```
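As an added example (not part of this article or of FortiOS), the following Python script decodes the supported_groups list from a captured ClientHello extension body and compares it with a FortiGate `set tls-groups` selection, so a mismatch can be spotted before the handshake fails. The mapping from FortiGate group names to IANA code points is an assumption based on the IANA TLS registry and IETF drafts; the four Chrome code points are the ones listed above.

```python
import struct

# FortiGate `set tls-groups` names -> IANA TLS supported_groups code points.
# The first four are the Chrome groups the article lists; the others are the
# standard IANA / IETF-draft assignments (assumed mapping, verify for your build).
FORTIGATE_GROUP_IDS = {
    "X25519-MLKEM768": 0x11EC, "X25519": 0x001D, "P-256": 0x0017, "P-384": 0x0018,
    "P-256-MLKEM768": 0x11EB, "P-384-MLKEM1024": 0x11ED,
    "ML-KEM512": 0x0200, "ML-KEM768": 0x0201, "ML-KEM1024": 0x0202,
    "P-521": 0x0019, "X448": 0x001E,
    "FFDHE2048": 0x0100, "FFDHE3072": 0x0101, "FFDHE4096": 0x0102,
    "FFDHE6144": 0x0103, "FFDHE8192": 0x0104,
}
_NAME_BY_ID = {v: k for k, v in FORTIGATE_GROUP_IDS.items()}


def parse_supported_groups(ext_body: bytes) -> list[int]:
    """Parse the body of a TLS supported_groups extension (RFC 8446 4.2.7):
    a 2-byte list length followed by 2-byte group ids, client preference first."""
    if len(ext_body) < 2:
        raise ValueError("extension body too short")
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or len(ext_body) != 2 + length:
        raise ValueError("malformed supported_groups list")
    return list(struct.unpack(f"!{length // 2}H", ext_body[2:]))


def negotiable_groups(client_ids: list[int], tls_groups: list[str]) -> list[str]:
    """FortiGate group names both sides offer, in the client's preference order.
    Unknown ids (e.g. GREASE values) and unmapped names are ignored.
    An empty result means the TLS 1.3 handshake cannot agree on a key share."""
    configured = {FORTIGATE_GROUP_IDS[n] for n in tls_groups if n in FORTIGATE_GROUP_IDS}
    return [_NAME_BY_ID[g] for g in client_ids if g in configured]


# Constructed sample: a GREASE value followed by the four groups Chrome offers.
CHROME_EXT_BODY = struct.pack("!HHHHHH", 10, 0x0A0A, 0x11EC, 0x001D, 0x0017, 0x0018)


def check(tls_groups: list[str]) -> list[str]:
    """Compare the sample Chrome ClientHello against a FortiGate tls-groups setting."""
    return negotiable_groups(parse_supported_groups(CHROME_EXT_BODY), tls_groups)


if __name__ == "__main__":
    print("PQC hybrid config:", check(["X25519-MLKEM768", "P-256"]))  # common groups found
    print("pure ML-KEM only :", check(["ML-KEM768", "P-521"]))        # no common group
```

Paste the extension bytes Wireshark shows for the supported_groups extension into `parse_supported_groups` to test a real capture instead of the constructed sample.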

