Has anyone set up a mobile VPN profile that works with Chromebooks? I have one that works with both iOS and Android devices but Chromebooks don't work with it or any tweaks that I make. I've googled around and can't seem to find anything beyond a suggestion by one person that perhaps XAUTH isn't supported, but I can't imagine that to be true. Any tales of success or failure?
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
For What It's Worth (which may not be much), I think the Chromebook natively supports L2TP/IPsec VPN connections, which means you'll need:
1. An L2TP configuration on the FortiGate
2. A policy-based VPN
You would define a client IP pool and user group under 'config vpn l2tp'.
The policy-based VPN would take care of the IPsec leg of the connection.
The issue is, an L2TP authentication event is not an XAUTH logon. The two are separate and distinct. Since L2TP takes care of authentication, you would not be able to/are not required to define the user group a second time under the Phase 1 XAUTH settings.
Try setting up both items and see how it goes.
Regards, Chris McMullan Fortinet Ottawa
I set up the L2TP portion with no issue. No matter what values I enter in the GUI for creating a policy-based IPsec VPN (after enabling it in the features part... I totally blanked on that), I get "Input Invalid" or something to that effect.
I tried to create a phase 1 non-interface myself instead of using the "create every time" option, which seemed to make sense, but nothing I created would show up. Something I'm doing in the policy is missing here. I'm on 5.2.3 if this is a known bug.
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
I did actually get the policy thing figured out, but it required some really kludgy combinations of CLI and GUI.
I think what is happening now is a conflict between VPN profiles. Can you not have a pure IPsec VPN/route-based interface dialup and a policy-based L2TP on the same external interface?
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
What symptoms are you seeing for the conflict? Are you not able to complete the configuration for one of the two tunnels, or else is one (or both) of them not coming up?
This command will help you:
diag debug reset
diag debug enable
diag debug application ike -1
<attempt to bring up the affected tunnel(s), then...>
diag debug reset
diag debug disable
Regards, Chris McMullan Fortinet Ottawa
When I do the debug, it never hits the tunnel that I created. It seems to skip past the policy-based VPN and move right on to the IPsec VPN that was there before for iPhones. This is even after I moved the policy for the VPN above the policies for the other mobile/dialup.
-rd 2x 200D Clusters 1x 100D
1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
Qs:
Care to share the profile that you built? ( the cfg on fortigate )
Does any other L2TP client work against that policy (windoze, macosx, android, etc.)?
What does your ike debug show?
What cipher(s) do you have enabled in the vpn phase1 cfg?
What cipher(s) do you have enabled in the vpn phase2 cfg?
What peer-id do you have, if any?
Are you failing xauth? (once again, the debug will show this)
Are you failing in ciphers and dhgrp? (once again, the debug will show this)
Are you failing PSK (assuming you're using PSK)? (once again, the debug will show this)
Are you using a cert? If so, can you change to a PSK to rule out any cert issues?
PCNSE
NSE
StrongSwan
I think from Rain Man memory that the IPsec policy-based tunnel needs to be configured in transport mode, according to the most recent round of documentation on how to create L2TP/IPsec tunnels on the FortiGate.
Could you share the Phase 1 settings for the Chromebook tunnel?
Regards, Chris McMullan Fortinet Ottawa
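As an added example, not configuration taken from this thread or from Fortinet's own documentation: a FortiOS 5.2-style CLI fragment that puts together the pieces Chris describes in his first reply (a client IP pool and user group under config vpn l2tp, a dialup policy-based IPsec tunnel, and an inbound policy with action ipsec) and the point from his last reply (Phase 2 in transport mode). The interface names wan1 and internal, the pool 10.10.10.10-10.10.10.20, the group name L2TP_Users, the tunnel names and the proposals are assumptions; the pre-shared key is a placeholder.

```fortios
# Assumed: local user group that L2TP authenticates against.
# L2TP does the user authentication, so no XAUTH is set on the Phase 1.
config user group
    edit "L2TP_Users"
        set member "chromebook-user"
    next
end

# Assumed client pool handed to L2TP clients.
config vpn l2tp
    set status enable
    set sip 10.10.10.10
    set eip 10.10.10.20
    set usrgrp "L2TP_Users"
end

# Dialup (dynamic) Phase 1 on the external interface. Proposal and DH group
# are assumptions and must match what the client offers; a mismatch is what
# "diag debug application ike -1" shows as a failed proposal negotiation.
config vpn ipsec phase1
    edit "L2TP_P1"
        set type dynamic
        set interface "wan1"
        set proposal aes256-sha1
        set dhgrp 2
        set psksecret <pre-shared-key-placeholder>
    next
end

# Phase 2 in transport mode with l2tp enabled: L2TP/IPsec clients
# negotiate transport-mode ESP, not tunnel mode.
config vpn ipsec phase2
    edit "L2TP_P2"
        set phase1name "L2TP_P1"
        set proposal aes256-sha1
        set encapsulation transport-mode
        set l2tp enable
        set pfs disable
    next
end

# Policy-based VPN leg: an IPsec-action policy from the external interface
# to the internal one, bound to the dialup Phase 1.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "L2TP_P1"
    next
end
```

Two things worth checking against the symptoms described above: this policy must sit above any other dialup or mobile-VPN policy on wan1 so the L2TP client's IKE request is matched to L2TP_P1 rather than to the pre-existing iPhone tunnel, and the Phase 1 must be non-interface (policy-based) for the firewall policy with action ipsec to accept it.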