L2TP/IPsec-with-certificate Windows10 native client

Guenther · ‎03-13-2024

As the FortiGate IPsec Wizard didn't led to success, we're trying to setup a certificate based dialup vpn by-hand.

ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: incoming proposal:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=ECP384.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=ECP256.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: proposal id = 0:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: protocol id = ISAKMP:
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: trans_id = KEY_IKE.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: encapsulation = IKE/none
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: type=OAKLEY_GROUP, val=MODP1024.
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: ISAKMP SA lifetime=28800
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: negotiation failure
ike V=root:Negotiate ISAKMP SA Error: 
ike V=root:0:8fbd6f6bf97a7a15/0000000000000000:873: no SA proposal chosen

When interpreting the proposals received, we tried to implement them through the following settings:

Algorithms : 3DES-SHA1, AES256-SHA1
Diffie-Hellman Group : 14

which has led to the expected proposal from the side of the FortiGate (as follows):

ike V=root:0:24279aec99b82985/0000000000000000:879: my proposal, gw IPsecW10_OUVW:
ike V=root:0:24279aec99b82985/0000000000000000:879: proposal id = 1:
ike V=root:0:24279aec99b82985/0000000000000000:879: protocol id = ISAKMP:
ike V=root:0:24279aec99b82985/0000000000000000:879: trans_id = KEY_IKE.
ike V=root:0:24279aec99b82985/0000000000000000:879: encapsulation = IKE/none
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:24279aec99b82985/0000000000000000:879: ISAKMP SA lifetime=28800
ike V=root:0:24279aec99b82985/0000000000000000:879: proposal id = 1:
ike V=root:0:24279aec99b82985/0000000000000000:879: protocol id = ISAKMP:
ike V=root:0:24279aec99b82985/0000000000000000:879: trans_id = KEY_IKE.
ike V=root:0:24279aec99b82985/0000000000000000:879: encapsulation = IKE/none
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_HASH_ALG, val=SHA.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=AUTH_METHOD, val=RSA_SIG.
ike V=root:0:24279aec99b82985/0000000000000000:879: type=OAKLEY_GROUP, val=MODP2048.
ike V=root:0:24279aec99b82985/0000000000000000:879: ISAKMP SA lifetime=28800

Perhaps we have overlooked some details but we have expected a SA match - and not a negotiation failure.

Does anyone have got a working solution for Windows10/certificate-with-user-and-password or give us a hint, why the fortigate refuses to accept the proposal?

hbac · ‎03-13-2024

Hi @Guenther,

Are you trying to connect from FortiClient? Can you try with only AES256-SHA1 on the client side?

Regards,

Guenther · ‎03-13-2024

Hi @hbac ,

to keep it simple, we tried to propose installing software in case of BYOD - therefore, we haven't tried the FortiClient (was works well at least on MacOS). On the client side there are no more parameters selectable.

Best regards!

L2TP/IPsec-with-certificate Windows10 native client

Nominate a Forum Post for Knowledge Article Creation