Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cmoro
New Contributor

FortiClient SSL VPN - DTLS only with SHA1

Hello,

 

due to performance issues and higher latency, I wanted to enable DTLS for FortiClient SSL VPN. Although I have configured everything as required, a VPN tunnel via UDP/443 was not established.

 

Then I have found out a root of the problem. When DTLS is enabled in the FortiClient EMS profile, FortiClient offers cipher suits (all with SHA1) which are not allowed on Fortigate. For that reason is the session terminated.

When I remove SHA as a banned-cipher, see below: config vpn ssl settings

set tlsv1-0 disable set tlsv1-1 disable set tlsv1-2 enable set dtls-tunnel enable

set banned-cipher DH CAMELLIA 3DES STATIC Then a TLS and subsequently a DTLS session are being established with the following cipher suits: [319:FortiClient:ecc]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 [310:FortiClient:ecf]DTLS established: DTLSv1 ECDHE-RSA-AES256-SHA

 

As we do not want to enable SHA1, is there any way how to push FCT to use SHA2 even for DTLS?

 

Enviroment

FCT 6.0.8, Windows 10

FGT 6.0.5

EMS 6.0.8

 

Thank you for any hint.

 

Regards,

Jozef

3 REPLIES 3
emnoc
Esteemed Contributor III

I see this exact behavior also, did you open a ticket and are you on the latest fortiOS version(s0?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
cmoro
New Contributor

Yes, I have opened a ticket and waiting for feedback from the tac engineer.

FortiClient runs on the latest 6.0.8 version.

emnoc
Esteemed Contributor III

Good , I believe the forticlient version plays a major issue at hand also. I realize I wrote tidbit about  DTLS and FC and the support is getting much better.

 

http://socpuppet.blogspot.com/2017/09/dtls-forticlient-fortios-v54.html

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Top Kudoed Authors