FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
mmontes
Staff
Article Id 197921

Description


This article describes the configuration needed, and how to create the certificates with OpenSSL, to set up dial-up IPsec VPN users with certificates as the authentication method.

 

Scope

 

Download the OpenSSL software. In this example it was installed on a Windows PC.
Generate the CA certificate (.crt) in OpenSSL with the commands below:

 

C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ca.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -x509 -days 365 -key ca.key -out ca.crt

 

Generate the server certificate. Create a CSR on the FortiGate, download it, and sign it with OpenSSL using the following command:

 

C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ipsecdialup.crt

 

Generate the client certificate with the following commands:

 

C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out client.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -key client.key -out client.csr
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
C:\OpenSSL-Win64\bin>openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "test" -out client.p12

The client certificate is signed with -set_serial 02 because every certificate issued by the same CA must carry a unique serial number, and the server certificate above already uses 01.
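The same CA and client-certificate steps as a non-interactive script, added here as an example and not taken from the article: it gives each issued certificate its own serial number and then verifies the chain and the .p12 contents before anything is imported. It assumes the openssl CLI is installed; the passphrases, subject names and working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not the article's own commands: runs the article's OpenSSL
# CA / client steps non-interactively with a distinct serial per certificate,
# then verifies the output. Assumes the openssl CLI is installed; the
# passphrases, subject names and working directory are constructed here.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="pass:ca-passphrase-example"    # constructed; protect the real one
P12_PASS="pass:p12-passphrase-example"  # constructed; FortiClient asks for it on import

# 1. Encrypted CA key and self-signed CA cert (article: genrsa -des3 / req -new -x509).
make_ca() {
    openssl genrsa -aes256 -passout "$CA_PASS" -out "$WORKDIR/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" -passin "$CA_PASS" \
        -subj "/CN=Dialup Example CA" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Client key, CSR, CA-signed cert and .p12 bundle. $1 = name, $2 = serial.
#    Certificates issued by one CA must carry distinct serials; the article
#    passes -set_serial 01 to both the server and the client certificate.
make_client() {
    name="$1"; serial="$2"
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -subj "/CN=$name" \
        -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -passin "$CA_PASS" -set_serial "$serial" \
        -out "$WORKDIR/$name.crt" 2>/dev/null
    # The bundle FortiClient imports: client cert + private key + CA cert.
    openssl pkcs12 -export -in "$WORKDIR/$name.crt" -inkey "$WORKDIR/$name.key" \
        -certfile "$WORKDIR/ca.crt" -name "$name" -passout "$P12_PASS" \
        -out "$WORKDIR/$name.p12"
}

# 3. Pre-import checks: the cert must chain to ca.crt, and the .p12 must
#    carry all three PEM objects (key, client cert, CA cert). Prints that count.
verify_client() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$WORKDIR/$1.p12" -passin "$P12_PASS" -nodes 2>/dev/null \
        | grep -c -- '-----BEGIN'
}

# Serial of an issued certificate, e.g. to spot duplicates before deployment.
cert_serial() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -serial | cut -d= -f2
}

make_ca
make_client client1 02
make_client client2 03
```

The resulting client1.p12 and ca.crt are the files the "Solution" section imports on the client and the FortiGate respectively.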

 

Note:

If the "openssl.exe req ..." command fails with the error "No such file or directory" in the console, fix it by pointing OpenSSL at its configuration file:

set OPENSSL_CONF=[path-to-OpenSSL-install-dir]\bin\openssl.cnf

For example:

 

Screenshot.png


Solution


Import the CA certificate and Server Certificate to the FortiGate:
Go to System -> Certificates -> Import -> Local Certificate and select server certificate.
Go to System -> Certificates -> Import -> CA Certificate and select CA certificate.

Configure user peer and peergrp:

 

config user peer
edit test1
set ca ""                 <----- specify the CA certificate already uploaded.
end

config user peergrp
edit user_group1
set member test1
end

Set up the IPsec VPN dial-up tunnel:

 

IKEv1:
Enable NAT traversal if needed; in this case it is not required.

 

IPSEC VPN 1.PNG
 
Specify the server certificate and peergrp as follows:
 
IPSEC VPN 2.PNG
 
At last, specify the user group for XAUTH:
 
 IPSEC VPN 3.PNG
 
IKEv2:
 
1.png
 
2.png

 

Import the CA certificate and the client certificate (.p12 format, including the private key) on the user side. After that, verify the import in MMC > Certificates (current user):
  • The CA certificate should appear under Trusted Root Certification Authorities -> Certificates.
  • The user certificate should appear under Personal -> Certificates.

 

Screenshot3.png

Finally, set the authentication method in FortiClient to X.509 certificate and select the client certificate imported earlier.
For example:
 
3.png

As a result, the client connects successfully:
 
Screenshot4.png

 

Verification:

Once everything described above is finished, attempt a connection from FortiClient to the FortiGate and run the following debug commands on the FortiGate to see the whole IPsec negotiation:
 
diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose vpn ike log filter rem-addr4 <WAN_IP_of_client>
diagnose debug enable
 
After the test connection, disable the debug with the commands below:
 
diagnose debug reset
diagnose debug disable