Fortigate IPSec VPN using device certificate
Hi,
I'm trying to configure our Fortigate v7.4 to provide dialup IPSec VPN to FortiClient on Windows. The VPN works fine with a user certificate, but if I want to use the computer certificate instead, or enable VPN before login, the VPN fails. I tried giving the user access to the private key of the machine certificate, without success.
Any advice is much appreciated.
Here is an excerpt of the FortiGate config:
# Dialup (type dynamic) IKEv2 phase1 for FortiClient. Peers authenticate with a
# certificate (authmethod signature) and are accepted through the "pki-ldap"
# peer group rather than a single peer object.
config vpn ipsec phase1-interface
    edit "Staff VPN"
        set type dynamic
        set interface "portn"
        set ike-version 2
        set authmethod signature
        # peertype peergrp: the set of acceptable client certificates is
        # defined by the members of the group named in 'set peergrp' below.
        set peertype peergrp
        set net-device disable
        # mode-cfg pushes the client address/DNS; the FortiClient profile on
        # this page has mode_config=1 and a modeconfig virtual IP to match.
        set mode-cfg enable
        set ipv4-dns-server1 x.x.x.x
        # Only SHA-256 / PRF-SHA256 / PRF-SHA384 based proposals are offered,
        # so a client proposal such as AES128|SHA1 cannot match this list.
        # NOTE(review): "chacha20poly1305- prfsha256" contains a space and is
        # not a single proposal token; presumably a paste artifact of
        # "chacha20poly1305-prfsha256", confirm against the live config.
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305- prfsha256
        set localid "StaffVPN"
        set comments "VPN: Staff VPN (Created by VPN wizard)"
        # EMS serial-number check of the connecting FortiClient; presumably
        # requires the endpoint to be registered to EMS, confirm.
        set ems-sn-check enable
        # Server certificate presented to clients. The FortiClient profile keeps
        # disallow_invalid_server_certificate=1, so this must chain to a CA the
        # clients trust.
        set certificate "xxx.localhost"
        set peergrp "pki-ldap"
        set ipv4-start-ip x.x.x.x
        set ipv4-end-ip x.x.x.x
        set ipv4-split-include "Staff VPN_split"
        # No 'set dhgrp' line appears in this excerpt, so the accepted DH
        # groups are the platform default and are not visible here.
    next
end
# Peer group referenced by "Staff VPN" (set peergrp "pki-ldap"). Presumably a
# connecting certificate is accepted if it satisfies either member peer object
# (user certificates via "Staff VPN_peer", machine certificates via
# "Computer VPN_peer"); confirm.
config user peergrp
    edit "pki-ldap"
        set member "Staff VPN_peer" "Computer VPN_peer"
    next
end
# PKI peer objects. Both chain to CA_Cert_1 and differ only in which subject
# field is matched (email for user certificates, FQDN for computer
# certificates); both additionally look the subject identity up on LDAP_SRV.
# NOTE(review): the accepted answer on this page fixed the machine-certificate
# failure by dropping the LDAP association. With only 'set ca' left, every
# certificate issued by CA_Cert_1 is accepted, so narrowing the match with
# 'set subject' / 'set cn' and enabling revocation checking (CRL/OCSP) are the
# remaining controls on who can connect.
config user peer
    edit "Staff VPN_peer"
        set ca "CA_Cert_1"
        set cn-type email
        # Subject identity is presumably resolved against LDAP_SRV as a second
        # factor; confirm how the email CN is mapped to an LDAP account.
        set mfa-mode subject-identity
        set mfa-server "LDAP_SRV"
    next
    edit "Computer VPN_peer"
        set ca "CA_Cert_1"
        # Computer certificates carry the host FQDN as CN. The same LDAP lookup
        # is applied here, which is where the machine-certificate logon failed
        # according to the thread.
        set cn-type FQDN
        set mfa-mode subject-identity
        set mfa-server "LDAP_SRV"
    next
end
And here is the FortiClient config:
<!-- FortiClient IPsec profile fragment (connection "Staff IPSEC") paired with the
     FortiGate phase1 "Staff VPN" shown earlier on this page. Indentation is added
     for readability only; it is insignificant in element-only content. -->
<ipsecvpn>
  <options>
    <!-- Certificate source, per element names: the Windows certificate store,
         local-computer store rather than current-user store (usewincert=1,
         use_win_local_computer_cert=1, use_win_current_user_cert=0). -->
    <use_win_current_user_cert>0</use_win_current_user_cert>
    <show_auth_cert_only>1</show_auth_cert_only>
    <!-- NOTE(review): with this at 0 the client presumably does not confirm it can
         reach the private key before connecting. The question mentions granting
         the user access to the machine key, so the private-key ACL on the
         machine certificate is the first thing to verify when the machine tunnel
         fails. -->
    <check_for_cert_private_key>0</check_for_cert_private_key>
    <beep_if_error>0</beep_if_error>
    <enable_udp_checksum>0</enable_udp_checksum>
    <no_dns_registration>2</no_dns_registration>
    <usewincert>1</usewincert>
    <uselocalcert>0</uselocalcert>
    <usesmcardcert>1</usesmcardcert>
    <!-- Presumably requires the selected certificate to carry the expected
         Extended Key Usage; a machine certificate without a client-auth EKU would
         then never be offered. Confirm against the certificate template. -->
    <enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory>
    <enabled>1</enabled>
    <disable_default_route>0</disable_default_route>
    <use_win_local_computer_cert>1</use_win_local_computer_cert>
    <block_ipv6>1</block_ipv6>
    <!-- Server certificate validation stays strict: the FortiGate certificate
         "xxx.localhost" must chain to a CA the client trusts. Keep this at 1. -->
    <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
  </options>
  <connections>
    <connection>
      <name>Staff IPSEC</name>
      <!-- Redacted in the post. -->
      <uid>xxxxxxxx</uid>
      <!-- Presumably marks this as a machine (pre-logon) tunnel, which is the
           scenario that fails in the question; confirm. -->
      <machine>1</machine>
      <keep_running>1</keep_running>
      <disclaimer_msg/>
      <single_user_mode>0</single_user_mode>
      <type>manual</type>
      <ui>
        <show_remember_password>0</show_remember_password>
        <show_alwaysup>0</show_alwaysup>
        <show_autoconnect>0</show_autoconnect>
        <show_passcode>0</show_passcode>
        <save_username>0</save_username>
      </ui>
      <redundant_sort_method>0</redundant_sort_method>
      <tags>
        <allowed/>
        <prohibited/>
      </tags>
      <host_check_fail_warning/>
      <ike_settings>
        <server>fg.hostname.local</server>
        <!-- Certificate authentication, matching "set authmethod signature" on the
             FortiGate side. -->
        <authentication_method>System Store X509 Certificate</authentication_method>
        <fgt>1</fgt>
        <prompt_certificate>0</prompt_certificate>
        <!-- XAuth disabled: the certificate is the only client credential. -->
        <xauth>
          <use_otp>0</use_otp>
          <enabled>0</enabled>
          <prompt_username>0</prompt_username>
          <username/>
        </xauth>
        <!-- IKEv2, matching "set ike-version 2" on the FortiGate. -->
        <version>2</version>
        <!-- NOTE(review): main/aggressive is an IKEv1 distinction; with version 2
             this value is presumably ignored, confirm. -->
        <mode>aggressive</mode>
        <key_life>86400</key_life>
        <localid/>
        <implied_SPDO>0</implied_SPDO>
        <implied_SPDO_timeout>0</implied_SPDO_timeout>
        <nat_traversal>1</nat_traversal>
        <enable_local_lan>1</enable_local_lan>
        <enable_ike_fragmentation>1</enable_ike_fragmentation>
        <!-- Mode-config enabled, matching "set mode-cfg enable" on the FortiGate. -->
        <mode_config>1</mode_config>
        <dpd>1</dpd>
        <dpd_retry_count>3</dpd_retry_count>
        <dpd_retry_interval>5</dpd_retry_interval>
        <run_fcauth_system>1</run_fcauth_system>
        <nat_alive_freq>5</nat_alive_freq>
        <sso_enabled>0</sso_enabled>
        <networkid>0</networkid>
        <use_external_browser>0</use_external_browser>
        <transport_mode>2</transport_mode>
        <tcp_port>443</tcp_port>
        <udp_port>500</udp_port>
        <ike_saml_port>0</ike_saml_port>
        <!-- NOTE(review): DH group 5 is 1536-bit MODP, below the commonly
             recommended group 14 and above. The FortiGate excerpt shows no
             "set dhgrp" line, so the group actually negotiated is not visible
             here; confirm before relying on it. -->
        <dhgroup>5</dhgroup>
        <proposals>
          <!-- No SHA1 entry exists in the FortiGate phase1 proposal list on this
               page (aes128-sha256 aes256-sha256 ...), so AES128|SHA1 cannot be
               selected and only AES256|SHA256 can match. Dropping the SHA1 entry
               should therefore leave the negotiated result unchanged. -->
          <proposal>AES128|SHA1</proposal>
          <proposal>AES256|SHA256</proposal>
        </proposals>
        <auth_data/>
      </ike_settings>
      <ipsec_settings>
        <!-- Split-tunnel destinations; compare with the "Staff VPN_split" object
             referenced by ipv4-split-include on the FortiGate. -->
        <remote_networks>
          <network>
            <addr>172.16.0.0</addr>
            <mask>255.255.0.0</mask>
          </network>
          <network>
            <addr>n.n.0.0</addr>
            <mask>n.n.0.0</mask>
          </network>
          <network>
            <addr>n.n.n.n</addr>
            <mask>n.n.0.0</mask>
          </network>
        </remote_networks>
        <!-- Same DH group 5 caveat as under ike_settings; pfs=1 below means this
             group is used for the phase2 exchange as well. -->
        <dhgroup>5</dhgroup>
        <key_life_type>seconds</key_life_type>
        <key_life_seconds>43200</key_life_seconds>
        <key_life_Kbytes>5200</key_life_Kbytes>
        <replay_detection>1</replay_detection>
        <pfs>1</pfs>
        <!-- Virtual IP obtained via mode-config (address 0.0.0.0 here means
             "assigned by the gateway", per the modeconfig type). -->
        <use_vip>1</use_vip>
        <virtualip>
          <type>modeconfig</type>
          <ip>0.0.0.0</ip>
          <mask>0.0.0.0</mask>
          <dnsserver>0.0.0.0</dnsserver>
          <winserver>0.0.0.0</winserver>
        </virtualip>
        <!-- The FortiGate phase2 configuration is not on this page, so whether the
             SHA1 entry is ever selected cannot be told from here. -->
        <proposals>
          <proposal>AES128|SHA1</proposal>
          <proposal>AES256|SHA256</proposal>
        </proposals>
      </ipsec_settings>
      <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
      <android_cert_path/>
    </connection>
  </connections>
</ipsecvpn>
Hi,
I found the issue was with my PKI peer config and the LDAP server associated with it. If the peer is configured with only our Enterprise PKI CA (no LDAP subject lookup), it accepts any device or user that has a valid certificate issued by this CA.
Thanks,
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi,
I found the issue was with my PKI peer config and the LDAP server associated with it. If the peer is configured with only our Enterprise PKI CA (no LDAP subject lookup), it accepts any device or user that has a valid certificate issued by this CA.
Thanks,
