Support Forum
tanr
Valued Contributor II

IPSec VPN accepts any peer certificate when specific certificate given

Hi All,

Setting up IPSec VPN (IKEv2) between two 5.4.1 FortiGates.  Works fine with PSK (after working around GUI bug that saves wrong IP if you use named addresses for the VPN).

When I changed over to using certificates I found the tunnels went up just fine, but the peer certificate wasn't getting verified as I would have expected.  Meaning, I could (and did) list a non-existent peer certificate name of GARBAGE_T with or without cn and subject set, and the tunnel would still go up with no complaints.  Not exactly secure.

Both devices have their peer certificates signed by my local CA root vpn ca certificate.

Both devices have imported the root vpn ca cert.

Both devices have the private version of their own cert (signed by the root vpn ca cert).

Both devices have the public version of the other device's cert (signed by the root vpn ca cert).

The phase1 settings on both sides specify that they authenticate with a signature and list their own certificate by name.

The phase1 settings on both sides specify IKEv2 and that they accept only a peer certificate, with the peer certificate name referring (I believe) not to the certificate, but to the name of the peer that refers to the cert (config user peer).  As mentioned above, I can change the user peer here to be a dummy peer referring to a non-existent certificate and the tunnel still goes up.  Scary.

Any ideas on what's going on here?  I'm really hoping this is some simple mistake on my part.

tanr
Valued Contributor II

Just ran through the same tests with 5.4.4.  Same results.

I still see that, with IPSec authentication, using IKEv2, when authenticating by certificate the CN and subject specified *that the peer should match to be valid* are ignored completely.  Thus I can't require the peer to have a specific certificate, CN, or subject, even though the dialog implies these will be required.

Note that the authentication does fail if the CA certificate referenced in the Peer Options, Peer Certificate, PKI object (which holds the CN and subject that are supposed to be verified) is different from the CA that signed the cert provided by the peer.  My current workaround, using multiple CA certs that have each signed a non-CA cert to be used for the auth, sort of works around this, albeit in a painfully convoluted way.

Now that I'm on a current version of FortiOS I can create a ticket to report this as a bug.

Unless someone else has already reported this?  Please let me know if you've already reported this (and can give us a bug number) so we don't duplicate tickets.

bommi
Contributor III

I created a ticket but didn't get a response yet.

But it can't be bad if you do the same ;)

NSE 4/5/7
tanr
Valued Contributor II

Let's give it a couple days.  Please let us know what you hear in response to your ticket.  If you don't get anywhere with it I can create a new ticket.

tanr
Valued Contributor II

@bommi,

Did you get any response to your ticket?  

If not I'll open another ticket, as I've got a simple case to reproduce the problem but will be re-configuring the IPSec VPN rsn.

tanr
Valued Contributor II

Okay, I've created a support ticket regarding this.

BTW, I did some further testing by setting the PKI (user peer) mandatory-ca-verify to disable. With this set and the subject and cn set to garbage, or to any other certs, the IPSec VPN still authenticates the connection if the PKI's ca is correct -- not good. To repeat this: it is verifying *ONLY* off the ca, ignoring the subject, ignoring the cn, and ignoring the fact that the mandatory-ca-verify field is set to disable.

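As an added illustration (not code from the thread or from Fortinet), here is the CA-only check the posts above observed next to the check they expected, written in Go against throwaway certificates it generates itself: chainOK accepts any certificate issued by the trusted CA regardless of subject, while verifyPeer additionally pins the subject CN to the one configured for that peer. The function names, the CN values and the 24-hour validity window are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a demo cert (assumed helper): a self-signed CA when isCA is set, else a leaf signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // demo lifetime, an assumption
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA { // self-signed root: sign the template with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainOK is the CA-only check the thread observed: anything issued by the trusted CA passes.
func chainOK(peer, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// verifyPeer is the check the poster expected: chain to the CA AND the subject CN pinned to this peer.
func verifyPeer(peer, ca *x509.Certificate, expectedCN string) error {
	if err := chainOK(peer, ca); err != nil { return err }
	if got := peer.Subject.CommonName; got != expectedCN {
		return fmt.Errorf("peer CN %q does not match configured CN %q", got, expectedCN)
	}
	return nil
}
```

With two leaves from the same CA, chainOK accepts both while verifyPeer rejects the one whose CN is not the configured value; a leaf with the right CN from a different CA is rejected by both.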
tanr
Valued Contributor II

While waiting for support to research this I did some quick tests with

    set subject "CN = MY_CERT_CN"

Setting it to a CN for a remote cert (public key) that exists on the FGT but is not the correct cert still connected with no errors. I flushed the vpn (diag vpn ike gateway flush) but still got the same results. I also tried it with the user peer cn set to nothing or set to the incorrect cert's CN (one that wasn't signed by the ca listed). Still connected with no errors. AFAIK the vpn auth should have failed in both cases.

Maybe I'm not flushing/resetting the vpn correctly, so my tests aren't valid?  

I've been running "diag vpn ike gateway flush".  

Should I instead be running the full vpn reset as below?

    diag vpn tunnel flush
    diag vpn tunnel reset

oheigl
Contributor II

Have you checked it with the latest version 5.4.5? Is this issue still present there? Thanks!
