I hope someone is able to help me.
I'm currently having issues connecting to Fortigate 80E using SSL VPN. v6.2.3
I currently have 2 root certificates on the appliance.
CA1 - OLD root Certificate
CA2 - New Root Certificate
PKI users
User1 - CA1(old cert)
Subject - CN=username (matches the user cert CN subject on the device)
Connects fine
User2 - CA2(new cert)
Subject - CN=username(matches the user cert CN subject on the device)
Error in connection.
I recieve different errors when i connect - sometimes its more the certificate error but other times its the TLS error.
This was originally working but now fully doesnt work. If i switch the cert for the user back to the old root CA and matching subject then they can connect without issues.
Current Config:
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1 Doing some debug on the appliance and trying to connect i managed to trace where the errors start comparing it to the working connection.
SSL state:SSLv3/TLS read client key exchange (Remote User IP) SSL state:fatal decrypt error (Remote User IP) SSL state:error:(null)(Remote User IP) SSL_accept failed, 1:bad signature
Now first its been suggested that SSLv3 is disabled however i can't see how to do that on version 6.2 or above rather than setting the SSL min / max versions which are listed above. I have also ensured that all the TLS options within IE settings are selected when testing this out.
Ideally i need to get this sorted within the next couple of weeks as the users certs are expiring from the old root.
Could anyone post any suggestions?
Thanks.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Is the cert trusted by the end-user? I would start at that point 1st and and then work forward.
PCNSE
NSE
StrongSwan
The cert is fully trusted by the device - these are issued out through SCEP
We also use this cert for Cisco AnyConnect which works without issue - one difference between these is AC doesn't require the subject mapped to the user, rather just that there is a user cert there that matches the root cert on the appliance.
Can you show us what you mean by mapped to the user? Are you using user or peer group?
Ken Felix
PCNSE
NSE
StrongSwan
We're using PKI users along with subject name from the issued certficate to the user as advised by Fortigate when we initially set up the device. The user then selects the cert within the Forticlient and it should connect. This works correctly for the old cert/root but not the new one.
Yes that I understand di you run any diag debug sslvpnd -1 and look at the user when he/she comes in? Also if you justy do a blind accept for that rootCA that signed the certificate, does the client access the vpn? So just ignore the CN string and see if certificate is accepted on verification.
Also where did you set the user peer up , within the auth-rule ? Follow this blog thread for examples
https://socpuppet.blogspo...with-certificates.html
Ken Felix
SCTG-MS
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.