Due to performance issues and higher latency, I wanted to enable DTLS for FortiClient SSL VPN. Although I have configured everything as required, a VPN tunnel via UDP/443 was not established.
Then I found out the root of the problem. When DTLS is enabled in the FortiClient EMS profile, FortiClient offers cipher suites (all with SHA1) which are not allowed on the FortiGate. For that reason the session is terminated.
When I remove SHA as a banned cipher, see below:
config vpn ssl settings
set tlsv1-0 disable
set tlsv1-1 disable
set tlsv1-2 enable
set dtls-tunnel enable
set banned-cipher DH CAMELLIA 3DES STATIC
then a TLS and subsequently a DTLS session are established with the following cipher suites:
[319:FortiClient:ecc]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[310:FortiClient:ecf]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA
As we do not want to enable SHA1, is there any way to push FCT to use SHA2 even for DTLS?
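The two "established" lines quoted above show the practical problem: the TLS session negotiated an AEAD suite (AES256-GCM), while the DTLS session fell back to ECDHE-RSA-AES256-SHA, a CBC suite whose integrity check is HMAC-SHA1. The following is an added example, not code from the original post or from Fortinet, that parses such debug lines, classifies the negotiated suite's integrity algorithm, and flags any tunnel still relying on SHA1 so that an operator can spot it in a log before deciding which ciphers to un-ban. The sample log lines are constructed in the style of the post; the third line is a hypothetical DTLS 1.2 AEAD session added to show the contrast.

```python
import re

# Constructed sample log, modelled on the FortiGate SSL VPN debug lines quoted in the post.
# The third line is hypothetical and shows what a DTLS session with an AEAD suite would look like.
SAMPLE_LOG = """\
[319:FortiClient:ecc]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[310:FortiClient:ecf]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA
[322:FortiClient:ed1]DTLS established: DTLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
"""

# Matches "[<id>]<SSL|DTLS> established: <version> <cipher>"
LINE_RE = re.compile(
    r"\[(?P<id>[^\]]+)\](?P<proto>SSL|DTLS) established: (?P<version>\S+) (?P<cipher>\S+)"
)


def mac_of(cipher: str) -> str:
    """Return the integrity mechanism implied by an OpenSSL-style cipher name.

    AEAD suites (GCM, CCM, CHACHA20-POLY1305) authenticate the record themselves;
    the trailing SHA256/SHA384 in their name is the PRF, not an HMAC.
    For CBC suites the trailing token is the HMAC hash, and a bare 'SHA' means SHA-1.
    """
    if any(tok in cipher for tok in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    tail = cipher.rsplit("-", 1)[-1]
    return "SHA1" if tail == "SHA" else tail


def parse_sessions(log: str) -> list:
    """Parse every 'established' line into a dict with protocol, version, cipher and MAC class."""
    sessions = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = m.groupdict()
        s["mac"] = mac_of(s["cipher"])
        # SHA-1 and MD5 HMAC suites are what the post wants to keep banned.
        s["weak_mac"] = s["mac"] in ("SHA1", "MD5")
        sessions.append(s)
    return sessions


def weak_sessions(log: str) -> list:
    """Return only the sessions negotiated with a SHA-1/MD5 HMAC suite."""
    return [s for s in parse_sessions(log) if s["weak_mac"]]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        flag = "WEAK MAC" if s["weak_mac"] else "ok"
        print(f"{s['proto']:<4} {s['version']:<8} {s['cipher']:<32} mac={s['mac']:<6} {flag}")
```

Run against real output of the SSL VPN debug, the script lists each negotiated suite with its integrity class, so the effect of a banned-cipher change can be checked on the actual sessions rather than inferred from the profile.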