FortiClient 5.6.2 IPsec-VPN with certificate authentication

Question

Hi!

We are trying to configure FortiClient to VPN to our Fortigate with certficate authentication.

We deploy Forticlient Profiles with a trial Version of EMS 1.2.2

The configuration of the Fortigate seems to be ok. IPSec-VPN with preshared key works and IPsec-VPN with certificate authentication using a certificate in the user-store works also, if I manually create the vpn on the FortiClient.

But if I deploy a VPN in the FortiClient-Profile created in EMS, the VPN connection failes with the following error in FortiClient.log:

22.11.2017 17:42:55 Fehlersuche VPN AuthDaemon. CSP_AND_CERTNAME 22.11.2017 17:42:55 Fehlersuche VPN AuthDaemon:Certificate was not loaded. 22.11.2017 17:42:55 Fehlersuche VPN authentication finished 22.11.2017 17:42:55 Fehlersuche VPN pki_get_mycert() return mycert null !!!! 22.11.2017 17:42:55 Information VPN ike_cfg_gw_init failed check the vpn gateway configuraiton

If I edit the xml and add <prompt_certificate>1 and choose the user cert the vpn connects also.

So it seems like the deployed vpn is not able to auto-select the right certificate.

"use windows store certificates" and "current user windows store certicates" ist enabled.

Any ideas?

Boris

Georg_P · Answer

hello,

i had the same problem yesterday and found a solution for that.

1) on the client manually configure the vpn profile and export the working config (xml file).

2) open the xml file and search for the vpn config (<ipsecvpn> ...). Under the <ike_settings> section of the manually configured profile you should find an <auth_data> section. It should look like that:

<auth_data> <certificate> <common_name> <match_type> <![CDATA[simple]]> </match_type> <pattern> <![CDATA[computer1.example.com]]> </pattern> </common_name> <issuer> <match_type> <![CDATA[simple]]> </match_type> <pattern> <![CDATA[ISSUING-CA]]> </pattern> </issuer> </certificate> </auth_data>

We have an ad certificate authority which issue machine certficates to the clients. In this section the client certificate (common name: computer1.example.com), which is used for authentication and the issuing ca name (issuer: ISSUING-CA) is specified. The <match_type>: simple means the pattern must match exactly. There are three different match types:

[ul]

simple

wildcard

regex[/ul]

You can find a bit more info in the xml reference guide on page 23:

https://docs.fortinet.com...nt-5.6.2-xml-reference

3) So if you want to create a generic VPN profile for your clients, you have to edit the auth_data section to something like that and insert it in the profile in ems under XML Configuration on the right place:

<auth_data> <certificate> <common_name> <match_type> <![CDATA[wildcard]]> </match_type> <pattern> <![CDATA[*.example.com]]> </pattern> </common_name> <issuer> <match_type> <![CDATA[simple]]> </match_type> <pattern> <![CDATA[ISSUING-CA]]> </pattern> </issuer> </certificate> </auth_data>

The match type wildcard means you specify an * in the common name so *.example.com matches to:

[ul]

computer1.example.com

computer2.example.com

abc.example.com[/ul]

and save the config. First i tried regex but i wasn´t able to get a working profile.

When you save the config it looks like that, don´t worry about that:

<auth_data> <certificate> <common_name> <match_type>wildcard</match_type> <pattern><![CDATA[*.example.com]]></pattern> </common_name> <issuer> <match_type>simple</match_type> <pattern>ISSUING-CA</pattern> </issuer> </certificate> </auth_data>

4) look if the profile is publish to your clients by exporting the config on the client and looking into it for the auth section.

I have to remove the profile and reassign it to get it correctly published to the client.

hope this helps you :)

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded