Support Forum
aguerriero
Contributor II

Per-machine prelogon VPN connection without user interaction, not working

I am following the document below. The machine account that I specify does not connect to the VPN automatically. If I manually enter the machine username and password during the VPN pre-logon, the VPN will connect.

https://docs.fortinet.com/document/forticlient/7.2.1/ems-administration-guide/854899/per-machine-pre... 

Debugs on the FortiGate show a good username, password, and machine certificate.

<?xml version="1.0" ?>
<forticlient_configuration>
    <vpn>
        <enabled>1</enabled>
        <sslvpn>
            <options>
                <prefer_sslvpn_dns>1</prefer_sslvpn_dns>
                <dnscache_service_control>0</dnscache_service_control>
                <enabled>1</enabled>
                <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                <no_dns_registration>0</no_dns_registration>
                <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
            </options>
            <connections>
                <connection>
                    <name>ZTNA-GW</name>
                    <uid>09480723-9C2E-431C-B00A-C51642FC98A2</uid>
                    <machine>1</machine>
                    <keep_running>1</keep_running>
                    <username>REMOVED EMS USER</username>
                    <password>Enc REMOVED_EMS_USER_PASSWORD</password>
                    <prompt_certificate>1</prompt_certificate>
                    <prompt_username>1</prompt_username>
                    <fgt>1</fgt>
                    <is_fgd_cloud>0</is_fgd_cloud>
                    <disclaimer_msg/>
                    <sso_enabled>0</sso_enabled>
                    <keep_fqdn_resolution_consistency>0</keep_fqdn_resolution_consistency>
                    <use_external_browser>0</use_external_browser>
                    <azure_auto_login>
                        <enabled>0</enabled>
                        <azure_app>
                            <tenant_name/>
                            <client_id/>
                        </azure_app>
                    </azure_auto_login>
                    <single_user_mode>0</single_user_mode>
                    <ui>
                        <show_remember_password>1</show_remember_password>
                        <show_alwaysup>0</show_alwaysup>
                        <show_autoconnect>1</show_autoconnect>
                        <save_username>0</save_username>
                    </ui>
                    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
                    <allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>
                    <redundant_sort_method>0</redundant_sort_method>
                    <RedundantSortMethod>0</RedundantSortMethod>
                    <tags>
                        <allowed/>
                        <prohibited/>
                    </tags>
                    <host_check_fail_warning/>
                    <android_cert_path/>
                    <server>ztna-gw.domain.com:11443</server>
                    <on_connect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                    </on_connect>
                    <on_disconnect>
                        <script>
                            <os>windows</os>
                            <script/>
                        </script>
                    </on_disconnect>
                    <traffic_control>
                        <enabled>0</enabled>
                        <mode>1</mode>
                    </traffic_control>
                    <certificate>
                        <issuer>
                            <match_type>simple</match_type>
                            <pattern>REMOVED ISSUER PATTERN</pattern>
                        </issuer>
                        <common_name>
                            <match_type>wildcard</match_type>
                            <pattern>REMOVED COMMON NAME</pattern>
                        </common_name>
                    </certificate>
                </connection>
            </connections>
        </sslvpn>
        <ipsecvpn>
            <options>
                <block_ipv6>1</block_ipv6>
                <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
                <use_win_local_computer_cert>1</use_win_local_computer_cert>
                <enabled>0</enabled>
                <disable_default_route>0</disable_default_route>
                <uselocalcert>0</uselocalcert>
                <use_win_current_user_cert>1</use_win_current_user_cert>
                <usewincert>1</usewincert>
                <no_dns_registration>0</no_dns_registration>
                <usesmcardcert>1</usesmcardcert>
                <enable_udp_checksum>0</enable_udp_checksum>
                <beep_if_error>0</beep_if_error>
                <show_auth_cert_only>0</show_auth_cert_only>
                <check_for_cert_private_key>0</check_for_cert_private_key>
            </options>
            <connections/>
        </ipsecvpn>
        <lockdown>
            <enabled>0</enabled>
            <grace_period>120</grace_period>
            <max_attempts>3</max_attempts>
            <exceptions>
                <apps/>
                <ips/>
            </exceptions>
        </lockdown>
        <options>
            <minimize_window_on_connect>1</minimize_window_on_connect>
            <allow_personal_vpns>0</allow_personal_vpns>
            <autoconnect_on_install>0</autoconnect_on_install>
            <show_vpn_before_logon>1</show_vpn_before_logon>
            <use_windows_credentials>0</use_windows_credentials>
            <keep_running_max_tries>0</keep_running_max_tries>
            <on_os_start_connect_has_priority>1</on_os_start_connect_has_priority>
            <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
            <secure_remote_access>1</secure_remote_access>
            <disable_connect_disconnect>0</disable_connect_disconnect>
            <on_os_start_connect>ZTNA-GW</on_os_start_connect>
            <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
            <suppress_vpn_notification>0</suppress_vpn_notification>
            <show_negotiation_wnd>0</show_negotiation_wnd>
            <autoconnect_tunnel>ZTNA-GW</autoconnect_tunnel>
        </options>
    </vpn>
    <endpoint_control>
        <ui>
            <display_vpn>1</display_vpn>
        </ui>
    </endpoint_control>
</forticlient_configuration>

Attached is the XML with some lines scrubbed. Again, this will work if I manually enter the information at the VPN pre-logon screen. Debugs on the FortiGate show proper certificate and user matching.

Jean-Philippe_P
Moderator

Hello aguerriero,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Jean-Philippe - Fortinet Community Team
FortiMax_it
Contributor

Hi, after many attempts I found the solution with this configuration. This VPN starts automatically on startup and stays connected even when you log out. It also works for Android.
Mine is an IPsec VPN, not SSL, but try setting the parameters we have in common:

<?xml version="1.0" ?>
<forticlient_configuration>
	<vpn>
		<enabled>1</enabled>
		<sslvpn>
			<options>
				<enabled>0</enabled>
				<dnscache_service_control>0</dnscache_service_control>
				<prefer_sslvpn_dns>1</prefer_sslvpn_dns>
				<disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
				<warn_invalid_server_certificate>0</warn_invalid_server_certificate>
				<no_dns_registration>0</no_dns_registration>
			</options>
			<connections/>
		</sslvpn>
		<ipsecvpn>
			<options>
				<enabled>1</enabled>
				<use_win_current_user_cert>0</use_win_current_user_cert>
				<use_win_local_computer_cert>1</use_win_local_computer_cert>
				<beep_if_error>1</beep_if_error>
				<usewincert>1</usewincert>
				<uselocalcert>0</uselocalcert>
				<usesmcardcert>0</usesmcardcert>
				<block_ipv6>1</block_ipv6>
				<enable_udp_checksum>0</enable_udp_checksum>
				<disable_default_route>0</disable_default_route>
				<show_auth_cert_only>0</show_auth_cert_only>
				<check_for_cert_private_key>0</check_for_cert_private_key>
				<enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory>
				<no_dns_registration>0</no_dns_registration>
			</options>
			<connections>
				<connection>
					<name>YYYYY</name>
					<machine>1</machine>
					<keep_running>1</keep_running>
					<disclaimer_msg/>
					<sso_enabled>0</sso_enabled>
					<single_user_mode>0</single_user_mode>
					<type>manual</type>
					<ui>
						<show_remember_password>1</show_remember_password>
						<show_alwaysup>1</show_alwaysup>
						<show_autoconnect>1</show_autoconnect>
						<show_passcode>0</show_passcode>
						<save_username>0</save_username>
					</ui>
					<redundant_sort_method>0</redundant_sort_method>
					<tags>
						<allowed/>
						<prohibited></prohibited>
					</tags>
					<host_check_fail_warning><![CDATA[YYY.]]></host_check_fail_warning>
					<ike_settings>
						<server>YYYY</server>
						<authentication_method>Preshared Key</authentication_method>
						<fgt>1</fgt>
						<prompt_certificate>0</prompt_certificate>
						<xauth>
							<use_otp>0</use_otp>
							<enabled>0</enabled>
							<prompt_username>0</prompt_username>
							<username/>
						</xauth>
						<version>1</version>
						<mode>aggressive</mode>
						<key_life>43200</key_life>
						<localid>YYYYYYY</localid>
						<implied_SPDO>1</implied_SPDO>
						<implied_SPDO_timeout>2</implied_SPDO_timeout>
						<nat_traversal>1</nat_traversal>
						<enable_local_lan>1</enable_local_lan>
						<enable_ike_fragmentation>1</enable_ike_fragmentation>
						<mode_config>1</mode_config>
						<dpd>1</dpd>
						<dpd_retry_count>3</dpd_retry_count>
						<dpd_retry_interval>3</dpd_retry_interval>
						<run_fcauth_system>1</run_fcauth_system>
						<auth_data>
							<preshared_key>YYY</preshared_key>
						</auth_data>
						<dhgroup>5</dhgroup>
						<proposals>
							<proposal>DES|SHA1</proposal>
							<proposal>3DES|MD5</proposal>
						</proposals>
						<nat_alive_freq>5</nat_alive_freq>
					</ike_settings>
					<ipsec_settings>
						<remote_networks>
							<network>
								<addr>0.0.0.0</addr>
								<mask>0.0.0.0</mask>
							</network>
							<network>
								<addr>::/0</addr>
								<mask>::/0</mask>
							</network>
						</remote_networks>
						<dhgroup>5</dhgroup>
						<key_life_type>seconds</key_life_type>
						<key_life_seconds>500</key_life_seconds>
						<key_life_Kbytes>5200</key_life_Kbytes>
						<replay_detection>1</replay_detection>
						<pfs>1</pfs>
						<use_vip>1</use_vip>
						<virtualip>
							<type>modeconfig</type>
							<ip>0.0.0.0</ip>
							<mask>0.0.0.0</mask>
							<dnsserver>0.0.0.0</dnsserver>
							<winserver>0.0.0.0</winserver>
						</virtualip>
						<proposals>
							<proposal>DES|MD5</proposal>
							<proposal>3DES|SHA1</proposal>
						</proposals>
					</ipsec_settings>
					<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
					<android_cert_path/>
					<on_connect>
						<script>
							<os>windows</os>
							<script/>
						</script>
					</on_connect>
					<on_disconnect>
						<script>
							<os>windows</os>
							<script/>
						</script>
					</on_disconnect>
					<traffic_control>
						<enabled>1</enabled>
						<mode>2</mode>
						<isdb_objects>
							<object>
								<owner>28</owner>
								<app>109</app>
							</object>
							<object>
								<owner>28</owner>
								<app>100</app>
							</object>
							<object>
								<owner>19</owner>
								<app>293</app>
							</object>
						</isdb_objects>
						<apps>
							<app>teamviewer.exe</app>
						</apps>
					</traffic_control>
				</connection>
			</connections>
		</ipsecvpn>
		<lockdown>
			<enabled>0</enabled>
			<grace_period>120</grace_period>
			<max_attempts>3</max_attempts>
			<exceptions>
				<apps/>
				<ips/>
			</exceptions>
		</lockdown>
		<options>
			<allow_personal_vpns>0</allow_personal_vpns>
			<disable_connect_disconnect>0</disable_connect_disconnect>
			<show_vpn_before_logon>1</show_vpn_before_logon>
			<use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
			<keep_running_max_tries>2</keep_running_max_tries>
			<minimize_window_on_connect>0</minimize_window_on_connect>
			<use_windows_credentials>0</use_windows_credentials>
			<show_negotiation_wnd>1</show_negotiation_wnd>
			<suppress_vpn_notification>0</suppress_vpn_notification>
			<secure_remote_access>1</secure_remote_access>
			<on_os_start_connect>TUNNEL_NAME</on_os_start_connect>
			<on_os_start_connect_has_priority>1</on_os_start_connect_has_priority>
			<autoconnect_only_when_offnet>0</autoconnect_only_when_offnet>
			<autoconnect_on_install>1</autoconnect_on_install>
			<current_connection_name>TUNNEL_NAME</current_connection_name>
			<current_connection_type>ipsec</current_connection_type>
			<autoconnect_tunnel>TUNNEL_NAME</autoconnect_tunnel>
		</options>
	</vpn>
	<endpoint_control>
		<ui>
			<display_vpn>1</display_vpn>
		</ui>
	</endpoint_control>
</forticlient_configuration>

Phase1
    edit "VPN_FORTIGATE"
        set type dynamic
        set interface "WAN"
        set keylife 43200
        set mode aggressive
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal des-sha1 3des-md5
        set dpd on-idle
        set dhgrp 5
        set idle-timeout enable
        set idle-timeoutinterval 120
        set peerid "YYYYY"
        set ipv4-start-ip YYYYY
        set ipv4-end-ip YYYYY
        set dns-mode auto
        set unity-support disable
        set psksecret YYYYYYYYYYYYYYY
        set dpd-retryinterval 10
Phase2
    edit "VPN_FORTIGATE_2"
        set phase1name "VPN_FORTIGATE"
        set proposal des-md5 3des-sha1
        set dhgrp 5
        set keepalive enable
        set keylifeseconds 500
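A small profile linter, written for this thread rather than taken from Fortinet or from either poster, that checks a FortiClient EMS profile (the one in the question above or the working one in this reply) for the settings the thread turns on for an unattended machine tunnel, and flags the deprecated DES/3DES/MD5 proposals that both posted configurations use. The expected values are those of the working profile, not a vendor-documented requirement, and the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

# Values the thread's working profile uses (not a vendor-documented list).
OPTION_EXPECTATIONS = {"show_vpn_before_logon": "1", "use_legacy_vpn_before_logon": "0"}
CONNECTION_EXPECTATIONS = {"machine": "1", "keep_running": "1",
                           "prompt_certificate": "0", "prompt_username": "0"}
WEAK_ALGOS = {"DES", "3DES", "MD5"}  # deprecated ciphers/hashes in the posted proposals

# Constructed sample profile (not from the thread) with several deviations.
SAMPLE_PROFILE = """<forticlient_configuration><vpn><ipsecvpn><connections><connection>
 <name>TUNNEL_A</name><machine>1</machine><keep_running>1</keep_running>
 <ike_settings><prompt_certificate>0</prompt_certificate><version>2</version><mode>main</mode>
  <xauth><prompt_username>1</prompt_username></xauth>
  <proposals><proposal>AES256|SHA256</proposal><proposal>3DES|MD5</proposal></proposals>
 </ike_settings></connection></connections></ipsecvpn>
 <options><show_vpn_before_logon>0</show_vpn_before_logon><use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon>
  <on_os_start_connect>TUNNEL_B</on_os_start_connect></options></vpn></forticlient_configuration>"""

def _text(parent, tag):
    """Text of the first descendant <tag> (SSL and IPsec profiles nest prompt_* differently)."""
    node = next(parent.iter(tag), None)
    return node.text.strip() if node is not None and node.text else None

def lint_profile(xml_text):
    """Return human-readable findings; an empty list means the profile matches."""
    root = ET.fromstring(xml_text)
    opts = root.find("vpn/options")
    findings, names = [], []
    for tag, want in OPTION_EXPECTATIONS.items():
        got = _text(opts, tag) if opts is not None else None
        if got != want:
            findings.append(f"options/{tag}={got!r}, expected {want!r}")
    for conn in root.iter("connection"):
        name = _text(conn, "name") or "?"
        names.append(name)
        for tag, want in CONNECTION_EXPECTATIONS.items():
            if (got := _text(conn, tag)) != want:
                findings.append(f"{name}: {tag}={got!r}, expected {want!r}")
        ike = conn.find("ike_settings")  # only IPsec connections carry this
        if ike is not None and (_text(ike, "version"), _text(ike, "mode")) != ("1", "aggressive"):
            findings.append(f"{name}: thread reports only IKEv1 aggressive connects at OS start")
        for prop in conn.iter("proposal"):
            if weak := sorted(set((prop.text or "").split("|")) & WEAK_ALGOS):
                findings.append(f"{name}: deprecated {weak} in proposal {prop.text!r}")
    start = _text(opts, "on_os_start_connect") if opts is not None else None
    if start not in names:
        findings.append(f"on_os_start_connect={start!r} names no defined connection")
    return findings
```

Run `lint_profile` on the exported profile text before pushing it from EMS; on the sample above it reports five deviations, including the start-up tunnel name that matches no connection.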
Mad_McGowan

So when you say it is working, does the IPsec tunnel connect prior to login to the PC or just after the user logs in? I'm in a spot where the connection starts just after logon, but not prior to logon.

FortiMax_it

Hi, my setup installs the VPN connection before logging into the Windows account. If you want the VPN to start after login and to be disconnected when you log out, you must change the value of <machine> from 1 to 0.

Mad_McGowan

FortiMax_it, thanks for replying so quickly. My configuration is currently working as if the machine value is set to 1, but it is set to 0. For some reason I am unable to connect prior to logon. I did notice that if I enable the legacy pre-logon settings I can manually connect the VPN prior to logging in. I have been working with support trying to figure out if I've missed something, and they seem to think it should be working; it just doesn't automatically connect before logon.

FortiMax_it

I noticed that in some versions, like 7.0.7, the VPN startup feature at Windows startup worked (login-before-logon), and after updating to 7.2.1 it stopped. I uninstalled FortiClient and installed version 7.0.9, and the VPN automatically started working again upon startup.

So I recommend you try version 7.2.1 or 7.0.9. Usually if one version doesn't work, the other works; I haven't yet fully understood why.

However, if you want the VPN to work when Windows starts without user interaction, the machine value must be 1. If you set 0, the VPN starts after entering the Windows account password.
Use IPsec IKEv1 aggressive mode like in my example. IKEv2 doesn't work on Windows startup for now.

Mad_McGowan

Interesting, I was on version 7.0.8 and I upgraded to 7.0.9. The autoconnect feature still did not work. I just upgraded to 7.2.1 and now it is working. Thanks for the tips and great post.

danielfigueroaj
New Contributor

A dumb question... where, and with which filename, must I put the file for the FortiClient app to read my configuration? (I see an "XMLs" folder inside my FortiClient directory.) I'm running the service from the command line (Linux).

FortiMax_it

Hi, do you use the free FortiClient or the paid one with the server (EMS)? My guide is for the paid one (EMS), which has many more options than the free one.