Hello,
due to performance issues and higher latency, I wanted to enable DTLS for FortiClient SSL VPN. Although I have configured everything as required, a VPN tunnel via UDP/443 was not established.
Then I have found out a root of the problem. When DTLS is enabled in the FortiClient EMS profile, FortiClient offers cipher suits (all with SHA1) which are not allowed on Fortigate. For that reason is the session terminated.
When I remove SHA as a banned-cipher, see below: config vpn ssl settings
set tlsv1-0 disable set tlsv1-1 disable set tlsv1-2 enable set dtls-tunnel enable
set banned-cipher DH CAMELLIA 3DES STATIC Then a TLS and subsequently a DTLS session are being established with the following cipher suits: [319:FortiClient:ecc]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 [310:FortiClient:ecf]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA
As we do not want to enable SHA1, is there any way how to push FCT to use SHA2 even for DTLS?
Enviroment
FCT 6.0.8, Windows 10
FGT 6.0.5
EMS 6.0.8
Thank you for any hint.
Regards,
Jozef
I see this exact behavior also, did you open a ticket and are you on the latest fortiOS version(s0?
Ken Felix
PCNSE
NSE
StrongSwan
Yes, I have opened a ticket and waiting for feedback from the tac engineer.
FortiClient runs on the latest 6.0.8 version.
Good , I believe the forticlient version plays a major issue at hand also. I realize I wrote tidbit about DTLS and FC and the support is getting much better.
http://socpuppet.blogspot.com/2017/09/dtls-forticlient-fortios-v54.html
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.