Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rwdorman
New Contributor III

Chromebook VPN Profile

Has anyone set up a mobile VPN profile that works with Chromebooks?  I have one that works with both iOS and Android devices, but Chromebooks don't work with it or any tweaks that I make.  I've googled around and can't seem to find anything beyond a suggestion by one person that perhaps XAUTH isn't supported, but I can't imagine that to be true.  Any tales of success or failure?

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
Christopher_McMullan

For What It's Worth (which may not be much), I think the Chromebook natively supports L2TP/IPsec VPN connections, which means you'll need:

1. An L2TP configuration on the FortiGate

2. A policy-based VPN

 

You would define a client IP pool and user group under 'config vpn l2tp'.

 

The policy-based VPN would take care of the IPsec leg of the connection.

 

The issue is, an L2TP authentication event is not an XAUTH logon. The two are separate and distinct. Since L2TP takes care of authentication, you would not be able to/are not required to define the user group a second time under the Phase 1 XAUTH settings.

 

Try setting up both items and see how it goes.

Regards, Chris McMullan Fortinet Ottawa
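A FortiOS CLI sketch of the two pieces described above (the L2TP settings and the policy-based IPsec leg in transport mode, which a later reply in this thread also mentions), added here as an illustration and not taken from the original post or from Fortinet documentation. The interface "wan1", the address pool, the user group "l2tp_users" and the PSK are placeholders; the policy-based IPsec feature is assumed to be already enabled under Feature Select in the GUI.

```fortios
# Added illustration, not part of the original reply. "wan1", the pool
# addresses, the "l2tp_users" group and the PSK are placeholders; the
# user group is assumed to already exist.

# 1. L2TP: client pool and user group. Authentication happens here,
#    so no XAUTH is configured on the IPsec Phase 1.
config vpn l2tp
    set status enable
    set sip 10.10.10.10
    set eip 10.10.10.20
    set usrgrp "l2tp_users"
end

# 2. Policy-based IPsec leg (dialup Phase 1, transport-mode Phase 2).
#    Keep the proposal to strong ciphers and a modern DH group.
config vpn ipsec phase1
    edit "L2TP_P1"
        set type dynamic
        set interface "wan1"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <pre-shared-key-placeholder>
    next
end
config vpn ipsec phase2
    edit "L2TP_P2"
        set phase1name "L2TP_P1"
        set proposal aes256-sha256
        set encapsulation transport-mode
        set l2tp enable
    next
end

# IPsec policy on the external interface; this is what ties the
# policy-based tunnel to incoming dialup negotiations.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "L2TP_P1"
    next
end
```

A separate regular policy from the L2TP address pool to the internal network is still needed for the tunnelled traffic; it is omitted here for brevity.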

rwdorman
New Contributor III

I set up the L2TP portion with no issue.  No matter what values I enter in the GUI for creating a policy-based IPsec VPN (after enabling it in the features part... I totally blanked on that), I get "Input Invalid" or something to that effect.

 

I tried to create a Phase 1 non-interface myself instead of using the "create every time" option, which seemed to make sense, but nothing I created would show up.  Something I'm doing in the policy is missing here.  I'm on 5.2.3 if this is a known bug.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
rwdorman
New Contributor III

I did actually get the policy thing figured out, but it required some really kludgy combinations of CLI and GUI.

 

I think what is happening now is a conflict between VPN profiles.  Can you not have a pure IPsec VPN/route-based interface dialup and a policy-based L2TP on the same external interface?

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
Christopher_McMullan

What symptoms are you seeing for the conflict? Are you not able to complete the configuration for one of the two tunnels, or else is one (or both) of them not coming up?

 

These commands will help you:

diag debug reset
diag debug enable
diag debug application ike -1
<attempt to bring up the affected tunnel(s), then...>
diag debug reset
diag debug disable

Regards, Chris McMullan Fortinet Ottawa

rwdorman
New Contributor III

When I do the debug, it never hits the tunnel that I created.  It seems to skip past the policy-based VPN and move right on to the IPsec VPN that was there before for iPhones.  This is even after I moved the policy for the VPN above the policies for the other mobile/dialup.

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
emnoc
Esteemed Contributor III

Qs:

Care to share the profile that you built?  (the cfg on the FortiGate)

Does any other L2TP client work against that policy (windoze, macosx, android, etc.....)?

What does your IKE debug show?

What cipher(s) do you have enabled in the VPN Phase 1 cfg?

What cipher(s) do you have enabled in the VPN Phase 2 cfg?

What peer-id do you have, if any?

Are you failing XAUTH? (once again, the debug will show this)

Are you failing in ciphers and dhgrp? (once again, the debug will show this)

Are you failing PSK (assuming you're using PSK)? (once again, the debug will show this)

Are you using a cert? If so, can you change to a PSK to rule out any cert issues?

PCNSE NSE StrongSwan
Christopher_McMullan

I think from Rain Man memory that the IPsec policy-based tunnel needs to be configured in transport mode, according to the most recent round of documentation on how to create L2TP/IPsec tunnels on the FortiGate.

 

Could you share the Phase 1 settings for the Chromebook tunnel?

Regards, Chris McMullan Fortinet Ottawa
