Hi All,
I finally have to add support for dialup VPN to our two locations, which already have a stable IPsec VPN connection with static IPs. Although initially I'll only need a single dialup user, by next year I'll have multiple users with different access rights. I'm looking for some pointers on how to proceed before I go too far down the wrong path.
Current equipment versions:
FortiGates 5.4.6
FortiAuthenticator 5.1.2
FortiClient 5.4.4 or 5.6.2 VPN client only (or other VPN client)
I would like to set up the dialup VPN to use certificate authentication for the connection, then require a username, password, and two-factor (FortiToken) authentication. Though I'd prefer to do IPsec VPN, this could be SSL VPN if needed. I can use FortiClient as the VPN client if needed, though I'm open to other possible clients (especially if they support IKEv2).
The user auth with passwords and FortiTokens can be done as part of a RADIUS group handled by the FAC, or (since we're small) by the FortiGate itself.
My questions and concerns are because I have not been able to find any full example of how to do this, though separate pieces are mentioned in many different places. Some of what I've researched is below.
So, any suggestions? Anybody have something similar set up?
Comments after cookbook article below imply this might be possible, but a solution wasn't found.
http://cookbook.fortinet.com/ssl-vpn-with-certificate-authentication/
Documentation example has the PKI being the only authentication used. http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-authentication-54/Certificates.htm#Co... Discussion implies this is possible with LDAP RADIUS, but I'm unsure how to translate this to FAC. https://forum.fortinet.com/tm.aspx?m=151607
SSL VPN example uses RADIUS but without certificate. http://cookbook.fortinet.com/ssl-vpn-radius-authentication/ https://travelingpacket.com/2016/01/26/fortigate-radius-group-authentication/
Thanks!
I would do it in micro-steps
1: enable certificate first and work through any issues
2: then enable the MFA part; cookbooks exist for both
PCNSE
NSE
StrongSwan
Small steps is the plan.
I was hoping, though, that someone could say that they've successfully made these steps and gotten the combined VPN w/ certs + MFA to work first! Especially since the comments from the first link above says that even working with a Fortinet Partner they weren't able to get it working.
If anybody can recommend using the VPN client from FortiClient 5.6.2 or 5.4.4 (on Windows 10) that would also be helpful.
I would go with the latest, as far as doing it. Numerous others have set up certificates with SSL VPN and FortiClient.
FortiToken activation is trivial and should not need that much explanation.
PCNSE
NSE
StrongSwan
I wasted a bit of time seeing how this might work with FortiGate 5.4.6 IPsec VPN and FortiClient 5.6.2. Got past phase 1 with certificates checked in both directions, got matching phase 2 proposals accepted, but FortiClient just wouldn't accept IPs from the FortiGate. Not with DHCP over IPsec (with dhcp-ipsec enabled in phase 2), nor with Mode Config. Couldn't even get it to work specifying the IPs myself in FortiClient. The only way I could make it work was to set the IP statically in FortiClient's NIC adapter, which isn't a usable option. Oh, and for some reason IPsec FortiClient adds its route with a larger distance than the default, so the new route can never get hit anyway. Maybe I should just try a different IPsec client.
Tried it with SSL VPN (non-standard port) and it worked immediately. Route was added properly with a smaller distance. Got it up and working with server and client certs, initially requiring a password on the PKI for the client cert, then changed it to still require an approved client cert for connection but to only allow users from a group of two-factor (FortiToken) users. All well and good.
One question, though, regarding Fortinet's SSL VPN implementation. We have two separate WAN interfaces for two ISPs, each with multiple static IPs, that are members of a wan zone. Though I only want to allow SSL VPN users to connect to one of the secondary IPs of one ISP, it appears that I can't specify something that granular. Using the GUI, I can only specify listening on the wan zone. I don't see an easy way of limiting this in the SSL settings from the CLI. I did check that this actually allows me to use one of the other IPs to log in -- not good.
I've restricted this for now with local-in-policy, blocking the non-standard SSL port for all but my desired IP.
My question: Is there a better way to do this in 5.4.x or 5.6.x?
The only other solution I've seen mentioned was to use a VIP, but I'm not sure how that would work. Maybe have FortiGate's SSL listen on a dummy internal interface that the VIP maps to from a public IP?
Thanks for your thoughts on this, and happy Friday.
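For readers landing on this thread: the local-in-policy workaround described in the post above, written out as FortiOS 5.4-style CLI. This is an added example, not configuration from the poster or from Fortinet; the zone/interface names ("wan", "wan1"), the port 10443, the address 203.0.113.10, the certificate and pool names are placeholders, and whether a zone name is accepted by `set source-interface` is assumed from the poster's GUI description.

```fortios
# Added example (placeholders throughout): accept the SSL VPN port only
# on the one public IP, drop it on every other address the FortiGate owns.

# Address object for the single public IP that should accept SSL VPN
config firewall address
    edit "SSLVPN_LISTEN_IP"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Custom service for the non-standard SSL VPN port
config firewall service custom
    edit "SSLVPN_10443"
        set tcp-portrange 10443
    next
end

# SSL VPN still listens on the whole wan zone (no per-IP option here);
# the client certificate requirement stays enforced at this level
config vpn ssl settings
    set servercert "sslvpn-server-cert"
    set reqclientcert enable
    set port 10443
    set source-interface "wan"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end

# local-in-policy is first-match, top to bottom: the accept entry for the
# intended IP must come before the deny entry that covers everything else
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "SSLVPN_LISTEN_IP"
        set action accept
        set service "SSLVPN_10443"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SSLVPN_10443"
        set schedule "always"
    next
end
```

After applying it, confirm from an outside host that the port answers on 203.0.113.10 and times out on the other public IPs of both ISPs, since the deny entry is what actually closes the hole the poster found.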