lucadome
New Contributor

PKI Auth problem

Hi,

I created two different PKI users on a FortiGate 60E firewall. Both users are in the same group.

I want to connect to the LAN using FortiClient VPN 6.0 with an SSL-VPN tunnel.

The first user connects correctly.

The second one gives me an error (attached #1).

emnoc
Esteemed Contributor III

The error is clear, you can't reach the vpn-server?

Do any of the following:

diag debug reset
diag debug enable
diag debug app sslvpnd -1

(Have the user start the client. Does he/she make it to the FortiGate? Does the debug show the user?)

or

diag sniffer packet <interface name> 'host x.x.x.x'

Where x.x.x.x is the user having problems. Do you see his/her IPv4 address making it to the FortiGate SSL-VPN IP?

Is the certificate good? Not expired? Does the user have access to the certificate and key? Is the cert signed by the expected CA that you have in the peer-group?

You have a lot of diagnostics to do from the customer end of things.

 

Ken Felix
PCNSE
NSE
StrongSwan
lucadome
New Contributor

I solved it!

I eventually realized that when creating the user certificate, its common name must be equal to the firewall PKI user's subject.

When I did this, everything started working fine.
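The three questions emnoc raises (is the certificate signed by the CA bound to the PKI user, is it expired, does the user have the certificate and key) and the cause lucadome found (the certificate's common name must equal the PKI user's subject) can all be checked on the client side before the next connection attempt, without waiting for a failed handshake in the sslvpnd debug. The following is an added example written for this thread; it is not code from the thread, from Fortinet, or from FortiClient. It assumes the openssl CLI is installed, and the lab CA, user names and file paths it builds are constructed for the demo only.

```shell
#!/bin/sh
# Added example (not FortiGate/FortiClient code): pre-flight checks on a user
# certificate before it is used for a PKI (certificate) SSL-VPN user.
# Assumptions: openssl CLI present; CA file is the one bound to the PKI user
# on the FortiGate; the expected CN is the PKI user's configured subject.
set -eu

# check_user_cert USER_PEM CA_PEM EXPECTED_CN
# Returns 0 only when all three checks pass; prints the first failing check.
check_user_cert() {
    user_pem=$1; ca_pem=$2; expected_cn=$3

    # 1. Chain: the user cert must be signed by the CA the PKI user trusts.
    if ! openssl verify -CAfile "$ca_pem" "$user_pem" >/dev/null 2>&1; then
        echo "FAIL: $user_pem does not chain to CA $ca_pem"
        return 1
    fi

    # 2. Validity: -checkend 0 fails when the certificate is already expired.
    if ! openssl x509 -in "$user_pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $user_pem is expired"
        return 1
    fi

    # 3. Subject CN must equal the PKI user's subject (the mismatch in this
    #    thread): extract the CN from the RFC2253-formatted subject line.
    cn=$(openssl x509 -in "$user_pem" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    if [ "$cn" != "$expected_cn" ]; then
        echo "FAIL: subject CN '$cn' != PKI user subject '$expected_cn'"
        return 1
    fi

    echo "OK: $user_pem chains to CA, is valid, CN '$cn' matches PKI user"
    return 0
}

# make_lab_certs DIR CN: constructed test material, a throw-away CA and one
# user certificate signed by it (lab use only, never deploy these).
make_lab_certs() {
    dir=$1; lab_cn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Lab CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/user.key" -out "$dir/user.csr" -subj "/CN=$lab_cn" >/dev/null 2>&1
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$dir/user.pem" >/dev/null 2>&1
}

# Demo: a cert whose CN matches the PKI user passes; a different expected
# subject fails on check 3, which is the symptom reported in this thread.
LAB=$(mktemp -d)
make_lab_certs "$LAB" "vpnuser1"
check_user_cert "$LAB/user.pem" "$LAB/ca.pem" "vpnuser1"
check_user_cert "$LAB/user.pem" "$LAB/ca.pem" "vpnuser2" || true
```

Run it against the real user certificate and the CA file exported from the FortiGate by calling check_user_cert with those paths and the PKI user's subject string; a FAIL on check 3 is exactly the CN mismatch lucadome hit, while FAIL on check 1 points at the wrong CA in the PKI user or peer-group. The FortiGate-side "diag debug app sslvpnd -1" output remains the authoritative view of what the firewall actually saw.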

lucadome
New Contributor

Please consider the following log trace that I receive when trying to connect with the non-functional user:

https://drive.google.com/file/d/1Z5N3NtbDQ5Ef0bqzbn-kujqtGWy2J6Q8/view?usp=sharing

 
