usmanjawa
New Member
March 22, 2023
Question

Remote access SSL VPN with Cisco Anyconnect on Fortigate

Hi, I am a beginner who just started my journey with FortiGate. I am using a Cisco ASA which is configured with remote access SSL VPN, and users connect to the VPN through the Cisco AnyConnect client.


I am implementing FortiGate in a lab environment. I want to find out if it is possible to use the Cisco AnyConnect client with FortiGate for SSL VPN.


If you happen to know any documentation or video tutorial related to configuration please share.

4 replies

gfleming
Staff
March 24, 2023

SSL VPN technology is often proprietary and does not work across vendors and clients.

IPsec VPN, however, is an open standard, and you can use AnyConnect to initiate an IPsec tunnel to the FortiGate.


Or, use the free FortiClient VPN for SSL VPN to the FortiGate. NO reason you can't have both installed on your PC.

per_fiksit
New Member
June 23, 2023

Does anybody know if this works: VPN into a FortiGate with the Cisco AnyConnect VPN client, using IPsec?

gfleming
Staff
June 23, 2023

IPsec is an open standard, so any standards-compliant IPsec VPN client will be able to connect to the FortiGate IPsec remote access VPN.

mrfelipe
New Member
October 27, 2023

Has anyone managed to put together a configuration that works for FortiOS 7.x and AnyConnect 4.x?

mle2802
Staff
October 27, 2023

Hi @mrfelipe

SSL VPN is not supposed to work with AnyConnect. You can either use SSL VPN web mode or tunnel mode with FortiClient. If you wish to use AnyConnect, you can configure IPsec on the FortiGate for this.

Regards,
Minh

mrfelipe
New Member
October 27, 2023

I understand that SSL VPN works only with FortiClient, but in this case I tried to set up an IPsec VPN with AnyConnect and I can't connect. On the Forti side the error is: ike V=root:0:d81232e7c2e796be/0000000000000000:383336: unexpected payload type 47

mle2802
Staff
October 27, 2023

Hi @mrfelipe,

From the Cisco forum, it looks like the cipher is not supported on both sides. Can you try to use SHA256 or SHA1 on both sides and make sure both P1 and P2 are matching? Also try to use main mode v1 for the tunnel.

Regards,
Minh.

mrfelipe
New Member
October 27, 2023

Could you show me an anyconnect.xml? I can't find the option to set the preshared key.


test.xml:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreMac>All</CertificateStoreMac>
        <CertificateStoreLinux>All</CertificateStoreLinux>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
        <AuthenticationTimeout>30</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="true">false</LocalLanAccess>
        <DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
        <ClearSmartcardPin UserControllable="false">true</ClearSmartcardPin>
        <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
        <AutoReconnect UserControllable="false">true
            <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
        </AutoReconnect>
        <SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Disable
            <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <EnableAutomaticServerSelection UserControllable="false">false
            <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
            <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false
        </RetainVpnOnLogoff>
        <CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
        <AllowManualHostInput>true</AllowManualHostInput>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>test1</HostName>
            <HostAddress>vpn.company.com</HostAddress>
            <UserGroup>SSL-VPN-FAC</UserGroup>
            <PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>false</StandardAuthenticationOnly>
            </PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>


FG config:


config vpn ipsec phase1-interface
    edit "test1"
        set type dynamic
        set interface "port17"
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set dhgrp 19
        set wizard-type dialup-cisco
        set xauthtype auto
        set authusrgrp "SSL-VPN-FAC"
        set peerid "valami"
        set ipv4-start-ip 10.36.132.101
        set ipv4-end-ip 10.36.132.121
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "test1_split"
        set psksecret ENC *
    next
end

config vpn ipsec phase2-interface
    edit "test1"
        set phase1name "test1"
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set pfs disable
        set keepalive enable
    next
end
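An added triage helper, not code from the thread or from Fortinet or Cisco: it decodes the "unexpected payload type" IKE debug line quoted above against the IKEv2 payload table of RFC 7296 and the ISAKMP/IKEv1 table of RFC 2408, and reads the IKE version out of a FortiOS phase1-interface block (FortiOS defaults to IKEv1 when `set ike-version 2` is absent, as in the config above). Payload 47 is defined only in IKEv2 (the Configuration payload), which the decoder reports as a version mismatch to check before touching the cipher proposals. The sample log line and config fragment are the ones from this thread.

```python
import re
from typing import Optional

# IKEv2 payload types, RFC 7296 section 3.2 (values 33-48).
IKEV2_PAYLOADS = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Nonce", 41: "Notify", 42: "Delete", 43: "Vendor ID",
    44: "TSi", 45: "TSr", 46: "SK (Encrypted)", 47: "CP (Configuration)",
    48: "EAP",
}
# ISAKMP/IKEv1 payload types, RFC 2408 section 3.1, plus the mode-config
# attribute payload (14) and the NAT-T payloads (20, 21).
IKEV1_PAYLOADS = {
    1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
    7: "CERTREQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "Notify",
    12: "Delete", 13: "Vendor ID", 14: "Attributes (mode-cfg)",
    20: "NAT-D", 21: "NAT-OA",
}

# Shape of the FortiGate line quoted in the thread:
#   ike V=<vdom>:<n>:<initiator SPI>/<responder SPI>:<seq>: unexpected payload type <N>
LINE_RE = re.compile(
    r"ike V=(?P<vdom>\w+):\d+:(?P<ispi>[0-9a-f]{16})/(?P<rspi>[0-9a-f]{16}):\d+:"
    r" unexpected payload type (?P<ptype>\d+)"
)


def decode_ike_error(line: str) -> Optional[dict]:
    """Explain a FortiGate 'unexpected payload type' IKE debug line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ptype = int(m["ptype"])
    return {
        "vdom": m["vdom"],
        "initiator_spi": m["ispi"],
        # All-zero responder SPI: this is the peer's first message, no IKE SA yet.
        "first_message": m["rspi"] == "0" * 16,
        "payload_type": ptype,
        "ikev2_payload": IKEV2_PAYLOADS.get(ptype),
        "ikev1_payload": IKEV1_PAYLOADS.get(ptype),
        # A type that exists only in IKEv2 means the peer spoke IKEv2 to a
        # responder parsing IKEv1; fix the IKE version before the proposals.
        "version_mismatch": ptype in IKEV2_PAYLOADS and ptype not in IKEV1_PAYLOADS,
    }


def phase1_ike_version(config: str) -> int:
    """IKE version of a FortiOS phase1-interface block; FortiOS defaults to 1."""
    m = re.search(r"^\s*set ike-version (\d)\s*$", config, re.M)
    return int(m.group(1)) if m else 1
```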